Kinda stuck here. Between my colo and remote site, the PMTUs are showing the values I have set in the WAN connection, yet the VPN transfer rate between the two on a Windows file copy of an ISO is still 1/3 of the wireline speed I should be getting. Support checked everything out and their only comment was the MTUs (both sides are set at 1500 and that is what the PMTU diag tool recommends as well).
Is there something I could be missing? It’s not CPU on the devices, they’re way low and I’m doing the tests after hours when everyone is gone.
I’ve got another org I manage where it’s exactly the same and they achieve wireline speeds on the same copy test I am doing here. PS - That org has a distance of 1500 miles from the colo to the remote site. My current dilemma has a distance of about 100 miles. UGH!!!
The best we’ve ever gotten from our NSA2650 after a LOT of testing using windows file copy is about 15 MB/s, and that’s over fiber a few miles apart. It’s just inefficiency in the overall architecture.
You can use something like Ping Plotter, maybe, to analyze the traffic hops to see if there is any latency between the two firewalls outside and inside of the VPN (had a bizarre issue once where it was caused by someone who had illegally tapped into a cable line on a telephone pole to get themselves free internet). I’d also check to make sure the VPN traffic is excluded from your security services and bandwidth management settings, and check the switches or other devices in between computer and firewall (test directly from a laptop attached to the firewall on both ends).
Got it! I used speedtest.net and got perfect results. Google speedtest was horrible. Verified with the NIC card as well. I guess for some reason Google speedtest does not give the full capabilities of the pipe.
I still need to troubleshoot the SMB file stuff on that slowness, but I’ll get to that shortly.
Please test accordingly so you don’t go nuts like me.
If you really believe it to be the MTU… There is an MTU tool (can’t check the name of it right this moment, as my laptop is off), but you can use it to verify the MTU of a specific IP address.
What I always do (& recommend) is (and this is assuming that you are configured for a static IP address on your SW) to FIRST check/test what the MTU is of your gateway (i.e., modem, typically). If you’re on a public/static IP address, then you’d check the MTU of the static gateway address. This MTU would be the max MTU that you’d want to config the SW for. Also, if you’re not quite sure how MTU works, I’d recommend reading up on it (or maybe there’s a YouTube video that might help to explain it all).
For example, if your modem (i.e., gateway) is already configured to have an MTU of 1476, or even [more commonly] 1404, but you configure your SW to be 1500, then this isn’t going to help anything, since your modem/gateway is only going to allow maximum packet sizes of 1476 (or 1404, etc… Whatever the modem is configured for). You’d want/need either to reconfigure the modem/gateway to be a higher MTU (Max being 1500), and then make sure your SW matches, OR reconfigure your SW to match the MTU of your gateway/modem.
If you can’t find an MTU checking tool, and need me to send over the name of the tool that I use, LMK. The tool I use, I use it via command line (I find that easier).
Hope this helps, bud. Good luck 

I can get speeds as high as 30MB/s, somewhere around 300mbit up and down, over our nsa 2650. Had to make some modifications to the DPI to let it happen though.
250mbit is more common but I’ve seen it hit 300 before.
I’d agree with you EXCEPT I manage another client with the exact same environment getting 120mb/s from a colo in Orlando, FL to Long Island, NY. Same NSA at the colo, and the better performing client only has a TZ400 as opposed to an NSA2600. Also, the crappier client is only going over a distance of about 150 miles as opposed to 1300.
Update 1: An hour with NSA support and they are stumped on the slow SMB as well. They turned off all A/V everywhere, set up a new access rule, no change at all. She took a backup and a TSR for offline analysis. I’ll advise if anything comes about.
I follow you, however you can only check PMTU on the SW with WAN interfaces. In my life of 15 years with SW, I’ve never dived into an MTU setting on the gateway, I honestly didn’t even think this was possible. Also, in my post I mentioned speedtest.net is perfectly fine, it’s only the SMB traffic that is slow as hell.
Nope, it was actually a corrupted Excel workbook. I happened to just randomly test with another workbook the same size and it opened up right away, so we just copied and pasted the data to a new Excel file and all was good.
Teach us their mysterious ways. Maybe encryption is off 
Check what encryption the faster VPN is using. It’s likely they are using a less CPU intensive algo.
The MTU on the SW, as well as the modem/gateway is going to affect traffic that’s both going out to the WAN, as well as VPN traffic.
Just do an MTU test against the static gateway IP that you should have configured on your WAN interface. I got my PC booted back up, and the tool I use is called (and their website is) MTURoute.exe.
What I personally did was take the .exe, and rename it to be “MTU.exe”. I then placed it into a directory I made at the following path: "C:\bin". Then I made sure to add "C:\bin" to my environment variables, that way, regardless of what path I’m in in Command Prompt, I can run the following command:
mtu 1.2.3.4
Anyways, if you just use that tool, run it against your static gateway IP (which will need to be pingable, at the very least). It’ll do a check to find out what the configured MTU is in your modem. I’d recommend making sure your SW matches. If the modem is set low, then I’d probably go into it, raise the MTU to 1500, then set the SW to 1500, then try again.
Lastly, I don’t know if you’re using any of the Security Services on the SW, and/or DPI, but if you are, try disabling those. Those can cause speed issues as well.
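As an added example (not part of the thread, and not the MTURoute tool's own code), the check described in the posts above can be scripted: binary-search the largest ping that passes with Don't Fragment set and compare it with the MTU configured on the firewall. The function names are hypothetical, the ping flags assume Windows or Linux iputils, and 192.0.2.1 is a placeholder gateway address.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def df_ping(host, payload):
    """Send one ICMP echo with Don't Fragment set; True if an echo reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "1000", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # Exit codes differ between platforms, but real echo replies always show a TTL.
    return "ttl=" in out.lower()


def find_path_mtu(host, probe=df_ping, low=576, high=1500):
    """Largest MTU in [low, high] that passes unfragmented, or None if unreachable."""
    lo, hi = low - IP_ICMP_OVERHEAD, high - IP_ICMP_OVERHEAD
    if not probe(host, lo):
        return None  # gateway does not answer even the smallest probe
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(host, mid):
            lo = mid      # this payload fits, try larger
        else:
            hi = mid - 1  # too big for some hop, try smaller
    return lo + IP_ICMP_OVERHEAD


def check_firewall_mtu(host, configured_mtu, probe=df_ping):
    """Compare the measured path MTU with the MTU set on the firewall WAN interface."""
    measured = find_path_mtu(host, probe)
    if measured is None:
        return "unreachable: gateway did not answer DF pings from this host"
    if measured < configured_mtu:
        return f"mismatch: path allows {measured}, firewall is set to {configured_mtu}"
    return f"ok: path allows {measured}, firewall is set to {configured_mtu}"


if __name__ == "__main__":
    # Placeholder gateway IP; replace with the static gateway of the WAN interface.
    print(check_firewall_mtu("192.0.2.1", 1500))
```

The payload size passed to ping excludes the 28 header bytes, which is why a 1500-byte MTU corresponds to a 1472-byte ping.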
It’s just one of those weird cases.
Just so we’re all clear: aCLTeng, did you mean 15Mb/s or 15MB/s, and Vivid, did you mean 120Mb/s or 120MB/s?
Because 120Mb/s is 15MB/s.
Same on both orgs. It’s gotta be a weird software thing somewhere as the TZ400 is performing perfect and the NSA2600 is performing crappy. The 400 is much less powerful than the 2600.
I tried doing the PMTU against the gateway on X1 and it’s not reachable. I guess I will have to try with my laptop onsite. If you read my previous posts, speedtests are perfect, but the Windows SMB is the issue. If MTU was an issue, I would see it in the speedtests. Support worked with me for an hour trying all kinds of stuff, including disabling all AV in diag mode, no changes at all. They took TSRs and config backups to investigate offline.
I meant 150 Mbps = 15 MB/s
Only difference in “power” is the NSA has 2GB of RAM.
The TZ400 actually has a newer processor, however I don’t know the full specs or instruction set.
NSA 800mhz x 4 MIPS 2 64oct processor
TZ400 800mhz x 4 MIPS 3 64oct processor
It’s likely the TZ400 might have better encryption and decryption instructions