IKEv2 Slow Transfers to Optional and Trusted Networks
I just set up an M270 with IKEv2 VPN which goes to interface 1 and 2 which are Trusted and Optional interfaces.
If I do a speedtest over the internet through the VPN I get 30Mbit which agrees with my upstream bandwidth out of the M270. But if I try to SCP files to servers on the Optional network I only get around 3Mbit.
Can anyone help me understand what is going on and how to fix it? I had an Edgerouter and it was much faster, which was unexpected.
Comments
There are many posts on the Internet related to slow transfers using SCP.
Some recommend using a different transfer method.
Perhaps this suggestion will help when using SCP:
WinSCP slow speed SCP/SFTP - How I fixed it
https://winscp.net/forum/viewtopic.php?t=25705
Thanks Bruce, but that doesn't explain why my transfers are slow through Watchguard but fast through a cheap EdgeRouter VPN. I tried the solution offered on that page and it made no difference, which is to be expected because through the EdgeRouter things are much faster.
Is the setup identical for both firewalls - same policies affecting this traffic, and for the dest SCP device?
Yes but by default there is no segmentation between networks on an EdgeRouter. For the Firebox I need a policy which allows traffic between the networks.
Do you get good/expected trusted to optional transfer rates?
If not, have you checked for speed/duplex mismatch on the optional interface or on the devices connected to the optional interface?
WSM -> Firebox System Manager -> Status Report -> Interfaces section will show if there are collisions or errors on firewall interfaces.
If there are a fair number of them, then that usually indicates a speed/duplex mismatch between the firewall interface settings & those for the device to which it is connected.
What policy type are you using to allow access from the VPN client to the optional interface device? If proxy policy, then that could be a possible explanation, especially if it is a FTP proxy which is trying to allow this traffic.
Consider adding a custom packet filter for TCP port 22 From: IKEv2-Users To: Any-optional. Move this policy to the top of your policies list and test again.
Otherwise, consider opening a support case to see if a WG rep can provide the reason for this.
Yes, rates are very good trusted to optional, just not IKE to optional or IKE to trusted (both of those are equally slow).
Status report shows no collisions or errors except on one interface, which has a relative few:
sw11 Link encap:Ethernet HWaddr 34:12:78:56:01:03
UP BROADCAST RUNNING NOARP MULTICAST MTU:1506 Metric:1
RX packets:8997731 errors:230
I'm not sure what sw11 is but 230 out of 8997731 doesn't seem like many. All the other interfaces report 0 errors 0 collisions.
I will try a more dedicated policy like you indicated and report back.
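Added example, not code from any poster in this thread: a small script that parses ifconfig-style interface blocks like the Status Report excerpt above and flags any interface whose combined error and collision rate exceeds a threshold, which is the speed/duplex-mismatch symptom described earlier. The block text is constructed for the example; only the sw11 name, MTU, RX packet and error counts come from the post. The eth0/eth1 interfaces, their counters and the 0.1% threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Status Report / ifconfig layout. The sw11 figures
# are the ones quoted in the thread; eth0 and eth1 are made up so the script
# has one clean interface and one that clearly looks like a duplex mismatch.
SAMPLE_STATUS_REPORT = """\
eth0 Link encap:Ethernet HWaddr 34:12:78:56:01:01
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:12000000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9000000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
eth1 Link encap:Ethernet HWaddr 34:12:78:56:01:02
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:500000 errors:41000 dropped:0 overruns:0 frame:41000
          TX packets:300000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:12000 txqueuelen:1000
sw11 Link encap:Ethernet HWaddr 34:12:78:56:01:03
          UP BROADCAST RUNNING NOARP MULTICAST MTU:1506 Metric:1
          RX packets:8997731 errors:230 dropped:0 overruns:0 frame:0
          TX packets:7000000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

# Matches "key:number" pairs such as "packets:8997731" or "MTU:1506".
KEY_VALUE = re.compile(r"(\w+):(\d+)")


@dataclass
class IfaceStats:
    name: str
    mtu: int
    rx_packets: int
    rx_errors: int
    tx_packets: int
    tx_errors: int
    collisions: int

    @property
    def total_packets(self) -> int:
        return self.rx_packets + self.tx_packets

    @property
    def faults(self) -> int:
        # Errors in either direction plus collisions: the counters that
        # climb on a speed/duplex mismatch.
        return self.rx_errors + self.tx_errors + self.collisions

    @property
    def fault_rate(self) -> float:
        return self.faults / self.total_packets if self.total_packets else 0.0


def parse_status_report(text: str) -> list:
    """Parse ifconfig-style blocks into IfaceStats, one per interface."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A line starting in column 0 opens a new interface block.
            blocks.append({"name": line.split()[0], "mtu": 0, "rx_packets": 0,
                           "rx_errors": 0, "tx_packets": 0, "tx_errors": 0,
                           "collisions": 0})
            continue
        if not blocks:
            continue  # indented text before any interface header; ignore
        cur = blocks[-1]
        fields = {k.lower(): int(v) for k, v in KEY_VALUE.findall(line)}
        stripped = line.strip()
        if stripped.startswith("RX "):
            cur["rx_packets"] = fields.get("packets", 0)
            cur["rx_errors"] = fields.get("errors", 0)
        elif stripped.startswith("TX "):
            cur["tx_packets"] = fields.get("packets", 0)
            cur["tx_errors"] = fields.get("errors", 0)
        else:
            cur["mtu"] = fields.get("mtu", cur["mtu"])
            cur["collisions"] = fields.get("collisions", cur["collisions"])
    return [IfaceStats(**b) for b in blocks]


def flag_interfaces(ifaces, threshold: float = 0.001) -> list:
    """Names of interfaces whose fault rate exceeds the threshold (0.1% assumed)."""
    return [i.name for i in ifaces if i.fault_rate > threshold]


if __name__ == "__main__":
    stats = parse_status_report(SAMPLE_STATUS_REPORT)
    for s in stats:
        print(f"{s.name:6} mtu={s.mtu} faults={s.faults} rate={s.fault_rate:.6f}")
    print("suspect duplex mismatch:", flag_interfaces(stats))
```

With these figures sw11's 230 errors over roughly 16 million packets is far below the threshold and is not flagged, consistent with the poster's reading that it "doesn't seem like many", while the constructed eth1 is flagged.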
To verify that the new policy is being used, turn on Logging on it and you can see what is allowed by it in Traffic Monitor.
It did not help. Same slow rates. The traffic monitor shows it is hitting that policy but it only prints out a few times, not during the whole transfer. I assume the messages are rate-limited.
You can do a packet capture on the firewall which may show something to help understand this.
You can set advanced options to specify the IP addr to capture, etc.
Examples:
https://danielmiessler.com/study/tcpdump/
FSM:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Web UI:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html
I also need a policy which allows traffic between the networks.
Hi @nityavid
You can create a policy to move that traffic.
See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/add_policy_c.html
-James Carson
WatchGuard Customer Support
Thanks for your quick reply.