Thread: Slow HTTP traffic over VPN connection

  1. #1
    Junior Member
    Join Date
    Jan 2004
    Posts
    27

    Question Slow HTTP traffic over VPN connection

    OK, I've been racking my brain for the last 3 days over this and I can't seem to come up with any logical reason why this is happening. So I'm going to ask the question here to see if someone can point me in a different direction.

    Here's my story:
    I have 2 sites that are connected via a Cisco 3005 VPN concentrator. All traffic going down the tunnel is fine except for HTTP traffic. When I try to access our source code control system via a browser it is taking up to 2 mins for it to display my results. This just started to happen on Tuesday and was consistent all day. I rebooted the concentrators Tuesday night and re-established the tunnels but it didn't seem to help.

    I've rebooted both border routers and both firewalls. I've got IP accounting running on both routers and I'm not seeing any strange anomalies on either of them. I've run reports on the T1 utilization for both sites and we are nowhere near saturating the pipes. My syslogs are not showing anything and my network probe isn't showing any strange packets flying around. I've scanned both networks for any trojans broadcasting or listening and haven't found a thing. I've rebooted the source code control server, looked at default gateways and route tables. Everything checks out fine.

    I've gone over the VPN config time and time again and nothing has changed. Actually there are only 2 of us that have rights to change anything on it and neither of us has. There is NO QoS on any of the routers, switches or firewalls.

    I've talked to AT&T and had them run some tests on the wire and there is no packet loss but some latency (which is to be expected). I've got my ping plotter and 3dtrace running and my ping times never exceed 200ms.

    All other HTTP traffic to the internet is fine, but any HTTP traffic going thru the tunnel is slow. Again, all other traffic going thru the tunnel is fine, i.e. RDP, mail, NetBIOS, etc.

    Hate to dump all of this on you but I'm at a loss here. Anyone have any other ideas on this?


    Thanks in advance.

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Have you tried setting your MTU a little lower? I have sometimes seen an issue with heavy fragmentation over VPN because of this.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Junior Member
    Join Date
    Jan 2004
    Posts
    27
    Nope, haven't tried that yet. It's currently at the default 1500. What would be a good size to set it to?
    If at first you don't succeed, f**k it try something else.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    If memory serves, with ours it was 1420, but I can't promise that was what it was. Sorry for lack of elaboration, don't really have time to explain (at work), but we did see similar problems and this helped. Look around Cisco's web site, it should be there, I am pretty sure this is where we found the info about the MTU.

  5. #5
    Junior Member
    Join Date
    Jan 2004
    Posts
    27
    Would you set it on both interfaces or just the outside? Also, if you change it on the concentrator does it also need to be set on the border router?

    Thanks.

  6. #6
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    What's the bandwidth?... Let me rephrase: are you running a full or frac. T1 connection for data?

    I'm running a full T1 on one end and a DSL on the other (bandwidth fluctuates between 768k and 1.2Mbps) and my MTU is set to 1420 (pretty common setting, works with all but the smallest pipes) on both ends and it works fine.

    The MTU needs to be set at both ends, and the figure should be the largest MTU that the smallest pipe can handle (in my case, the DSL...Full T1 can handle 1500 MTU just fine, in theory)

    And it is not absolutely necessary to change it at the router, as long as the router's default MTU is larger than the concentrator's default MTU. However, depending on the brand or model of router, it could cause some problems. I would change it just to avoid any complications, if at all possible.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
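
The replies above suggest lowering the MTU to the largest size the smallest link can carry (1420 is the figure quoted). As an added example that is not part of any post in this thread, the sketch below finds that size by measurement: it binary-searches the largest ICMP payload that crosses the path with the Don't Fragment bit set. `ping_df` assumes the Linux iputils `ping` (`-M do`), and `simulated_tunnel` with its 1420-byte limit is a constructed stand-in so the search can be run offline.

```python
import subprocess
import sys

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_df(host, payload):
    """Send one echo request with DF set (assumes Linux iputils ping)."""
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def largest_unfragmented(probe, low=548, high=1472):
    """Binary-search the largest ICMP payload for which probe() succeeds.

    Returns None if even `low` fails (path down or ICMP filtered).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2   # round up so the loop always shrinks
        if probe(mid):
            low = mid                 # mid fits: answer is mid or larger
        else:
            high = mid - 1            # mid is dropped: answer is smaller
    return low

def path_mtu(probe):
    """Largest IP packet size that crosses the path without fragmentation."""
    payload = largest_unfragmented(probe)
    return None if payload is None else payload + ICMP_OVERHEAD

def simulated_tunnel(limit):
    """Constructed stand-in: drops DF packets larger than `limit` bytes."""
    return lambda payload: payload + ICMP_OVERHEAD <= limit

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real measurement against a host on the far side of the tunnel.
        host = sys.argv[1]
        print(path_mtu(lambda size: ping_df(host, size)))
    else:
        # Offline demonstration with the constructed 1420-byte tunnel.
        print(path_mtu(simulated_tunnel(1420)))
```

A result below 1500 between two hosts on opposite sides of the tunnel means full-size packets are being fragmented or dropped somewhere on the path, and the measured value is the ceiling for the MTU configured at both ends.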

