
Stefan_Klotz_85
Aug 31, 2016

APM network access performance issue (Wireshark help)

We've set up a network access to establish VPN connections for one of our clients. Connecting to the tunnel is fine, but we are facing performance issues. In general we are talking about a degradation in throughput of around 50%. For example, with a DSL 16000, which connects with around 13000Mbit, we reach around 11000Mbit with any kind of speedtest. Performing this test through the VPN tunnel gives us only around 6000Mbit. What we see in a tcpdump taken directly on the client is that without VPN a large download is transferred with constant packets of around 1500, but with VPN a "large" packet is followed by one or more very small packets, which then, in combination with the RTT of the WAN, results in the performance issue.

As I'm not a perfect TCP and Wireshark expert, I'd like to ask if someone can point me in the right direction as to what might be the reason for the observed behavior.

FYI, this is running on a BIG-IP 4000s with 11.5.4 HF1. We also raised a ticket with F5 and had a consultant check our setup. He confirmed that it generally looks fine and that it might be better with different options like adjusted TCP-profiles. We already tried this, but the behavior is still the same. We are also already using DTLS, which helps a little bit, but it's still not acceptable. If you need any further information, please let me know.

But currently I'm "only" looking for some help in interpreting the Wireshark output.

Thank you!

Ciao Stefan :)

 

3 Replies

  • Looks like you're acknowledging a lot more often than you need to. I'd tune your TCP profile.

     

  • Hi ekaleido,

    thanks for the answer, but can you please be more precise? What settings do you mean in the TCP-profile? And how does the TCP-profile come into effect when using DTLS (the tcpdump provided above was without DTLS)? Currently we have tcp-mobile-optimized without Nagle and some larger window and proxy sizes in use for the clientside and tcp-lan-optimized with some larger window and proxy sizes for the serverside.

    Ciao Stefan :)