BOVPN to Azure slow transfer speeds

I have an m370 running 12.8.1 that has a site to site connection with Azure. The connection works but it seems slow when transferring files between Azure > On-Premises as well as On-Premises -> Azure.

This basic Azure gateway documentation shows that it gets speeds up to 100 mpbs but iPerf is showing speeds between an Azure VM and on on premises box (over this site to site VPN) getting around 27.5 mbps. Our ISP is 1000 mpbs.

I am assuming the limitation has something to do with configuration on my firebox.
Can anybody suggest some settings to potentially speed this up.

Comments

  • With VPNs to/from Azure, you need to make sure the MTU for the VPN is set to 1400 or less, otherwise you get a heap of retransmit errors.
    (This number is in the Azure documentation).
    You may see references to alternately setting the TCP MSS value to 1350, but this only affects TCP traffic so the MTU setting is preferred.

    Assuming you have a BOVPN interface configured for it, set the "Restrict tunnel MTU" value against that BOVPN interface.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @JoshuaThompson
    It depends a lot on what you're trying to transfer (files) and how.

    If you're using standard windows file sharing, it's going to be slower than you expect across a VPN due to the protocol that's being used (SMB). It effectively waits for the previous bit of traffic to be acknowledged before it sends more. This is fine on a local LAN, but across a VPN touching the internet, every little bit of latency will slow it down because of that. Add in any transmit errors or drops and it'll get slower.

    If you can use a different protocol (FTP, SFTP, basically anything else) you'll likely get better performance.

    Like @PhilT_VIT mentions, Azure does lower MTU in order to encapsulate some routing information internally, so that's also an issue. Most protocols (SMB included) will auto adjust as it gets packets back that are too large, however.

    If you still need help, I'd suggest a support case so that our team can take a look at everything and see what might be able to be adjusted to help speed up transfers.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.