IKEv2 Slow Transfers to Optional and Trusted Networks

I just set up an M270 with IKEv2 VPN which goes to interface 1 and 2 which are Trusted and Optional interfaces.

If I do a speedtest over the internet through the VPN I get 30Mbit, which agrees with my upstream bandwidth out of the M270. But if I try to SCP files to servers on the Optional network I only get around 3Mbit.

Can anyone help me understand what is going on and how to fix it? I had an Edgerouter and it was much faster, which was unexpected.

Comments

  • There are many posts on the Internet related to slow transfers using SCP.
    Some recommend using a different transfer method.

    Perhaps this suggestion will help when using SCP:
    WinSCP slow speed SCP/SFTP - How I fixed it
    https://winscp.net/forum/viewtopic.php?t=25705

  • edited May 2022

    Thanks Bruce, but that doesn't explain why my transfers are slow through Watchguard but fast through a cheap EdgeRouter VPN. I tried the solution offered on that page and it made no difference, which is to be expected because through the EdgeRouter things are much faster.

  • Is the setup identical for both firewalls - same policies affecting this traffic, and for the dest SCP device ?

  • Yes but by default there is no segmentation between networks on an EdgeRouter. For the Firebox I need a policy which allows traffic between the networks.

  • Do you get good/expected trusted to optional transfer rates?

    If not, have you checked for speed/duplex mismatch on the optional interface or on the devices connected to the optional interface?

    WSM -> Firebox System Manager -> Status Report -> Interfaces section will show if there are collisions or errors on firewall interfaces.
    If there are a fair number of them, then that usually indicates a speed/duplex mismatch between the firewall interface settings & those for the device to which it is connected.

    What policy type are you using to allow access from the VPN client to the optional interface device? If proxy policy, then that could be a possible explanation, especially if it is a FTP proxy which is trying to allow this traffic.
    Consider adding a custom packet filter for TCP port 22 From: IKEv2-Users To: Any-optional. Move this policy to the top of your policies list and test again.

    Otherwise, consider opening a support case to see if a WG rep can provide the reason for this.
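The reply above suggests reading the Status Report's Interfaces section and judging whether the error and collision counters point to a speed/duplex mismatch. As an added example (not code from the original thread or from WatchGuard), here is a small parser for that ifconfig-style output that computes an error ratio per interface and flags the ones worth checking. The sample report, its counters, and the 0.1% threshold are constructed assumptions for illustration; only the `sw11` line values are taken from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of the Status Report "Interfaces" section.
# eth0/eth1 counters are invented; sw11 uses the numbers quoted in the thread.
SAMPLE_STATUS_REPORT = """\
eth0 Link encap:Ethernet HWaddr 34:12:78:56:01:01
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4120332 errors:0 dropped:0 overruns:0 frame:0
TX packets:3988120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000

eth1 Link encap:Ethernet HWaddr 34:12:78:56:01:02
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2210045 errors:51200 dropped:0 overruns:0 frame:51200
TX packets:1980333 errors:0 dropped:0 overruns:0 carrier:0
collisions:38900 txqueuelen:1000

sw11 Link encap:Ethernet HWaddr 34:12:78:56:01:03
UP BROADCAST RUNNING NOARP MULTICAST MTU:1506 Metric:1
RX packets:8997731 errors:230 dropped:0 overruns:0 frame:0
TX packets:8120004 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
"""


@dataclass
class IfaceCounters:
    name: str
    mtu: int
    rx_packets: int
    rx_errors: int
    tx_packets: int
    tx_errors: int
    collisions: int


_NUM = r"(\d+)"


def parse_interfaces(text: str) -> dict:
    """Parse ifconfig-style interface blocks separated by blank lines.

    The first token of each block is the interface name; counters that are
    absent from a block default to 0 (MTU defaults to 1500).
    """
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        name = lines[0].split()[0]
        body = "\n".join(lines)

        def grab(pattern: str, default: int = 0) -> int:
            m = re.search(pattern, body)
            return int(m.group(1)) if m else default

        result[name] = IfaceCounters(
            name=name,
            mtu=grab(r"MTU:" + _NUM, 1500),
            rx_packets=grab(r"RX packets:" + _NUM),
            rx_errors=grab(r"RX packets:\d+ errors:" + _NUM),
            tx_packets=grab(r"TX packets:" + _NUM),
            tx_errors=grab(r"TX packets:\d+ errors:" + _NUM),
            collisions=grab(r"collisions:" + _NUM),
        )
    return result


def error_ratio(c: IfaceCounters) -> float:
    """Errors plus collisions as a fraction of all packets seen on the port."""
    total = c.rx_packets + c.tx_packets
    if total == 0:
        return 0.0
    return (c.rx_errors + c.tx_errors + c.collisions) / total


def flag_suspect(ifaces: dict, threshold: float = 1e-3) -> list:
    """Return interface names whose error ratio exceeds the threshold.

    The 0.1% default is an assumed rule of thumb, not a WatchGuard figure.
    A half-duplex port facing a full-duplex peer typically shows collisions;
    the full-duplex side typically shows frame/CRC errors instead, so either
    counter climbing on a busy port is worth a look.
    """
    return sorted(n for n, c in ifaces.items() if error_ratio(c) > threshold)


if __name__ == "__main__":
    report = parse_interfaces(SAMPLE_STATUS_REPORT)
    for name, c in report.items():
        print(f"{name:6s} mtu={c.mtu} ratio={error_ratio(c):.2e}")
    print("suspect:", flag_suspect(report))
```

Run against the constructed sample, `sw11` (230 errors in roughly 17 million packets) stays well under the threshold, matching the poster's reading that it "doesn't seem like many", while the invented `eth1` block is flagged. Paste the real Interfaces section into `SAMPLE_STATUS_REPORT` to check a live box.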

  • Yes, rates are very good trusted to optional, just not IKE to optional or IKE to trusted (both of those are equally slow).

    Status report shows no collisions or errors except on one interface, which has a relative few:

    sw11 Link encap:Ethernet HWaddr 34:12:78:56:01:03
    UP BROADCAST RUNNING NOARP MULTICAST MTU:1506 Metric:1
    RX packets:8997731 errors:230

    I'm not sure what sw11 is but 230 out of 8997731 doesn't seem like many. All the other interfaces report 0 errors 0 collisions.

    I will try a more dedicated policy like you indicated and report back.

  • edited May 2022

    To verify that the new policy is being used, turn on Logging on it and you can see what is allowed by it in Traffic Monitor.

  • It did not help. Same slow rates. The traffic monitor shows it is hitting that policy but it only prints out a few times, not during the whole transfer. I assume the messages are rate-limited.

I also need a policy which allows traffic between the networks.

  • james.carson Moderator, WatchGuard Representative

    -James Carson
    WatchGuard Customer Support

  • Thanks for your quick reply.
