IKEv2 Slow Transfers to Optional and Trusted Networks

I just set up an M270 with IKEv2 VPN which goes to interface 1 and 2 which are Trusted and Optional interfaces.

If I do a speedtest over the internet through the VPN I get 30Mbit which agrees with my upstream bandwidth out of the M270. But if I try to SCP files to servers on the Optional network I only get around 3Mbit.

Can anyone help me understand what is going on and how to fix it? I had an Edgerouter and it was much faster, which was unexpected.


  • Options

    There are many posts on the Internet related to slow transfers using SCP.
    Some recommend using a different transfer method.

    Perhaps this suggestion will help when using SCP:
    WinSCP slow speed SCP/SFTP - How I fixed it

  • Options
    edited May 2022

    Thanks Bruce, but that doesn't explain why my transfers are slow through Watchguard but fast through a cheap EdgeRouter VPN. I tried the solution offered on that page and it made no difference, which is to be expected because through the EdgeRouter things are much faster.

  • Options

    Is the setup identical for both firewalls - same policies affecting this traffic, and for the dest SCP device?

  • Options

    Yes but by default there is no segmentation between networks on an EdgeRouter. For the Firebox I need a policy which allows traffic between the networks.

  • Options

    Do you get good/expected trusted to optional transfer rates?

    If not, have you checked for speed/duplex mismatch on the optional interface or on the devices connected to the optional interface?

    WSM -> Firebox System Manager -> Status Report -> Interfaces section will show if there are collisions or errors on firewall interfaces.
    If there are a fair number of them, then that usually indicates a speed/duplex mismatch between the firewall interface settings & those for the device to which it is connected.

    What policy type are you using to allow access from the VPN client to the optional interface device? If proxy policy, then that could be a possible explanation, especially if it is an FTP proxy which is trying to allow this traffic.
    Consider adding a custom packet filter for TCP port 22 From: IKEv2-Users To: Any-optional. Move this policy to the top of your policies list and test again.

    Otherwise, consider opening a support case to see if a WG rep can provide the reason for this.

  • Options

    Yes, rates are very good trusted to optional, just not IKE to optional or IKE to trusted (both of those are equally slow).

    Status report shows no collisions or errors except on one interface, which has relatively few:

    sw11 Link encap:Ethernet HWaddr 34:12:78:56:01:03
    RX packets:8997731 errors:230

    I'm not sure what sw11 is but 230 out of 8997731 doesn't seem like many. All the other interfaces report 0 errors 0 collisions.

    I will try a more dedicated policy like you indicated and report back.
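
    As an added example (not from the thread or from WatchGuard), a small parser for the ifconfig-style lines in the Status Report "Interfaces" section quoted above, flagging interfaces whose errors or collisions point at a speed/duplex mismatch; the sw11 RX figures are the ones in the post, while the eth2 block, the TX counters and the 0.1% threshold are assumptions.

```python
import re

# Constructed sample in the ifconfig-style format of the Firebox Status Report
# "Interfaces" section quoted in the thread. sw11's RX figures are the ones from
# the post; eth2 is made up to show what a speed/duplex mismatch tends to look like.
SAMPLE_STATUS_REPORT = """\
sw11  Link encap:Ethernet HWaddr 34:12:78:56:01:03
      RX packets:8997731 errors:230 dropped:0 overruns:0 frame:230
      TX packets:7120044 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0
eth2  Link encap:Ethernet HWaddr 34:12:78:56:01:02
      RX packets:120000 errors:1800 dropped:0 overruns:0 frame:1800
      TX packets:98000 errors:45 dropped:0 overruns:0 carrier:0
      collisions:3100
"""

COUNTER_RE = re.compile(r"(RX|TX) packets:(\d+) errors:(\d+)")

def parse_status_report(text):
    """Return {iface: {"rx_packets", "rx_errors", "tx_packets", "tx_errors", "collisions"}}."""
    stats, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s+Link encap:", line)  # interface header line
        if head:
            current = stats.setdefault(head.group(1), dict.fromkeys(
                ("rx_packets", "rx_errors", "tx_packets", "tx_errors", "collisions"), 0))
            continue
        if current is None:
            continue
        m = COUNTER_RE.search(line)
        if m:
            d = m.group(1).lower()
            current[f"{d}_packets"], current[f"{d}_errors"] = int(m.group(2)), int(m.group(3))
        c = re.search(r"collisions:(\d+)", line)
        if c:
            current["collisions"] = int(c.group(1))
    return stats

def error_rate(s):
    """Errors plus collisions as a fraction of all packets seen on the interface."""
    total = s["rx_packets"] + s["tx_packets"]
    return (s["rx_errors"] + s["tx_errors"] + s["collisions"]) / total if total else 0.0

def suspect_interfaces(stats, threshold=0.001):
    """Interfaces worth checking for a speed/duplex mismatch: any collisions at all
    (full duplex should never collide) or an error rate above the assumed threshold."""
    return sorted(n for n, s in stats.items() if s["collisions"] or error_rate(s) > threshold)
```

    On the sample, sw11's 230 errors against roughly 16 million packets stay well under the threshold, consistent with the poster's reading that it "doesn't seem like many", while the constructed eth2 is flagged.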

  • Options
    edited May 2022

    To verify that the new policy is being used, turn on Logging on it and you can see what is allowed by it in Traffic Monitor.

  • Options

    It did not help. Same slow rates. The traffic monitor shows it is hitting that policy but it only prints out a few times, not during the whole transfer. I assume the messages are rate-limited.

  • Options

    You can do a packet capture on the firewall which may show something to help understand this.

    You can set advanced options to specify the IP addr to capture, etc.

    Web UI:

  • Options

    I also need a policy which allows traffic between the networks.

  • Options
    james.carson Moderator, WatchGuard Representative

    -James Carson
    WatchGuard Customer Support

  • Options

    Thanks for your quick reply...
