Best Practice - VPN Performance Testing

Similar documents
How to Create a TINA VPN Tunnel between F- Series Firewalls

How to Configure a Dynamic Mesh VPN with the GTI Editor

Implementation Guide - VPN Network with Static Routing

How to Configure a Dynamic Mesh VPN with the GTI Editor

How to Create a VPN Tunnel with the VPN GTI Editor

NGF0401 Instructor Slides

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Authentication, Encryption, Transport, IP Version and VPN Routing

How to Configure Dynamic Mesh VPN

Double-clicking an entry opens a new window with detailed information about the selected VPN tunnel.

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

SonicOS 5.6 Feature Overview

How to Configure a Client-to-Site L2TP/IPsec VPN

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

This document contains important information about the current release. We strongly recommend that you read the entire document.

Authentication, Encryption, Transport, and VPN Routing

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

MikroTik Router Certified Network Associate (MTCNA) + Unifi Wifi Access Point (only got at CISMIC)

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version

Cisco Exam Questions & Answers

Hillstone IPSec VPN Solution

How to Configure an IPsec Site-to-Site VPN to a Windows Azure VPN Gateway

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

General Firewall Configuration

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure a Remote Management Tunnel for an F-Series Firewall

FAQ about Communication

IOS/CCP: Dynamic Multipoint VPN using Cisco Configuration Professional Configuration Example

AT&T Cloud Web Security Service

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

Cassia MQTT User Guide

Cisco Passguide Exam Questions & Answers

Sirindhorn International Institute of Technology Thammasat University

Scalability Considerations

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Securing Wireless LAN Controllers (WLCs)

PureVPN's OpenVPN Setup Guide for pfsense (2.3.2)

SD-WAN Deployment Guide (CVD)

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Introducing Cisco 836 and SOHO 96 Secure Broadband Routers

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

SQL Saturday David Klee

A Flexible Model for Resource Management in Virtual Private Networks. Presenter: Huang, Rigao Kang, Yuefang

Configuration Guide Barracuda NG Firewall. TheGreenBow IPsec VPN Client. Written by: TheGreenBow TechSupport Team Company:

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

Network Security. Thierry Sans

ASA Access Control. Section 3

Remote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ]

How to Configure SSH Tunnel in Remote Desktop Manager

EdgeXOS Platform QuickStart Guide

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

AT&T SD-WAN Network Based service quick start guide

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Wireless Terminal Emulation Advanced Terminal Session Management (ATSM) Device Management Stay-Linked

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Implementing DVN. directpacket Product Guide

The SC receives a public IP address from the DHCP client of the ISP. All traffic is automatically sent out through the WAN interface.

Configuring Cisco IOS IP SLAs Operations

Exam Name: Implementing Cisco Edge Network Security Solutions

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Configure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Service Settings on a Switch

WINNER 2007 WINNER 2008 WINNER 2009 WINNER 2010

ISE Primer.

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster

AC3000 Tri-Band Wireless Gigabit Dual-WAN VPN SMB Router TEW-829DRU (v1.0r)

Vendor: Riverstone. Exam Code: Exam Name: Riverbed Certified Solutions Associate. Version: Demo

GOPALAN COLLEGE OF ENGINEERING AND MANAGEMENT Department of Computer Science and Engineering COURSE PLAN

SD-WAN Recommended Test Plan

IP SLAs Overview. Finding Feature Information. Information About IP SLAs. IP SLAs Technology Overview

Configuring OpenVPN on pfsense

Digi TransPort Routers. User Guide

Configuring IP Tunnels

CISCO EXAM QUESTIONS & ANSWERS

Viola M2M Gateway. OpenVPN Application Note. Document version 1.0 Modified September 24, 2008 Firmware version 2.4

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Configuration of an IPSec VPN Server on RV130 and RV130W

Network Administrator s Guide

ESR b/g/n SOHO Router PRODUCT DESCRIPTION. 11N AP/Router 2.4GHz 300 Mbps Gigabit

Integration Guide. Oracle Bare Metal BOVPN

Contents. Introduction. Prerequisites. Background Information

File Protection using rsync. User guide

Configuring OfficeExtend Access Points

How to Set Up VPN Certificates

Deployment Scenarios

Configuring a site-to-site VPN with a VPN-1 Gateway using the VPN-1 Edge VPN Wizard

Firewalls, Tunnels, and Network Intrusion Detection

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Inovatian Mesh Technology. InoMesh Specifications & System Performance Sheet

Pre-Deployment Information

Virtual Tunnel Interface

New Features and Functionality

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

GWN7000 Firmware Release Note IMPORTANT UPGRADING NOTE

Transcription:

Follow these instructions to create a standardized VPN performance testing environment. Using standardized settings is required for support to be able to compare performance tests with our in-house testing environments. This enables us to troubleshoot efficiently. VPN performance test setup Collecting performance data Collecting system information Before You Begin To collect all relevant information for Barracuda Technical support download the Word template form and fill in the required values as you go through the steps. Paste the output from each step in to the text form and save the result. Include the filled-in form when contacting Barracuda Support. Download VPN Performance Testing Form (Microsoft Word). VPN Performance Test Setup Before You Begin To rule out devices in the local and remote networks, as well as side effects of other services on the firewall, create the following setup: Testing must be performed on dedicated clients on both ends. Do not run performance tests directly on the shell of the firewall unless specifically stated otherwise. Connect the test clients directly to the firewall. If that is not possible, up to one switch between the firewall and the test client is acceptable. Do not use wireless network connections to connect to the firewall. Step VPN Tunnel Configuration Configure the VPN tunnel on both firewalls with the following settings: Create a TINA site-to-site VPN tunnel with a single transport with the following encryption settings: In the Basics tab, configure the following settings: Transport Select UDP. Encryption Select AES 128. Authentication Select NOHASH 1 / 10

Compression Select Disabled. Use Dynamic Mesh Clear check box. In the TI Bandwidth Protection tab, configure the following settings: Dynamic Bandwidth Detection Select Disabled. Bandwidth Policy Select None. Consolidated Shaping Clear the check box. 4. In the Advanced tab, configure the following settings: High Performance Settings Select the check box. WANOpt Policy Select NO-WANOpt. 5. 6. Configure the Local and Remote Networks. Configure the Local and Remote IP addresses used by the VPN endpoint. For more information, see How to Create a TINA VPN Tunnel between F-Series Firewalls. Step Optimize Performance Settings for VPN Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > System Settings. From the Interface CPU Assignment drop-down list, select Optimize-for-VPN. Step Access Rule Configuration On both firewalls, configure access rules to allow the test traffic through the VPN tunnel. Create a Pass access rule: Source Select the IP address of the local test client. Service Select Any. Destination Select the IP address of the remote test client. Bi-Directional Select the check box. IPS Policy Select No Scan. Application Policy Select No AppControl. QoS Band (Fwd) Select No-Shaping. 2 / 10

QoS Band (Reply) Select No-Shaping. (Testing with SMB traffic only) In the Miscellaneous section of the Advanced access rule settings, set Force MSS (Maximum Segment Size) to 1300. (Testing with SMB traffic only) In the Miscellaneous section of the Advanced access rule settings, set Clear DF Bit to yes. 3 / 10

Step 4. Verify the Network Interface Is Using Full Duplex On the CONTROL > Network page of both firewalls: Verify that the network interfaces used by the test client and the VPN tunnel are using full duplex: Step 5. (Multi-Core Firewalls Only) Verify VPN Bypass Is Enabled VPN bypass is a performance optimization for the VPN device queues on multi-core firewalls. The VPN bypass must be enabled. Log into the firewall via SSH. Enter the following command to check the VPN bypass state: acpfctrl tune vpnbypass If it is disabled, enable it with the following command: acpfctrl tune vpnbypass on Step 6. Verify that the VPN Rate Limit Is Disabled If a VPN rate limit is set, the VPN throughput is automatically decreased to the configured value. Log into the firewall via SSH. Enter the following command to check the VPN rate limit: ktinactrl boxrate get If needed, the VPN rate limit can be configured in the Operational VPN settings on the General Firewall 4 / 10

Configuration page. Performance Testing Perform the following tests to gather performance data for the VPN tunnel and the ISP connection. ISP link speed VPN tunnel throughput Latency to the other firewall (virtual only) Cryptographic hardware performance test Check ISP Link Speed Execute the speed test on both firewalls. Log into the firewall via SSH. Enter the following commands to download and start the speed test: cd /tmp/ wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py --nocheck-certificate chmod +x speedtest-cli./speedtest-cli Collect the following the output from both firewalls: Speedtest output Ping Firewall to Firewall Log into the firewall via SSH. Enter ping <public IP address of the remote firewall> Ping firewall to firewall 5 / 10

Ping Test Client to Test Client Log into the test client. Enter ping <IP address remote test client> Ping test client to test client Test VPN Tunnel TCP Traffic Throughput Log into the remote test client Install iperf. start an iperf server: iperf -s 4. Log into the local test client. 5. Install iperf. 6. Test the VPN throughput for TCP traffic: iperf -c <ip> -P -e -m 7. 8. Repeat in the other direction. VPN TCP iperf (fw1 to fw2) VPN TCP iperf (fw2 to fw1) Test VPN Tunnel UDP Traffic Throughput Log into the remote test client 6 / 10

Install iperf. Start an iperf server: iperf -s -u 4. Log into the local test client. 5. Install iperf. 6. Test the VPN throughput for UDP traffic. iperf -c <ip> -P -e -m -u 7. 8. Repeat in the other direction. VPN UDP iperf (fw1 to fw2) VPN UDP iperf (fw2 to fw1) (Virtual and Public Cloud Only) Test Hardware Capabilities Execute the following test to measure the hardware capabilities on virtual and public cloud firewalls. Log into the firewall via SSH. Enter cryptoctrl perf all 7 / 10

Cryptoctrl output Testing with SMB / CIFS Traffic When testing performance with SMB/CIFS traffic an be difficult to receive reproducible results. When testing the same VPN tunnel with iperf and CIFS traffic, expect the transfer rate for the file transfer to be slower than the iperf value. Calculate the theoretical TCP throughput to know the theoretical bandwidth of the connection: https://www.switch.ch/network/tools/tcp_throughput/. If file transfer performance is very low, verify that you are not affected by issues with TCP receive windows scaling on Microsoft Windows. A quick search will offer troubleshooting steps and solutions for this problem. Collect Additional System Information Collect the following information from both firewalls. Log in to the firewall via SSH Copy the performance output for the firewall kernel module: cat /proc/phion/ktina_prof 8 / 10

Copy the output from the VPN kernel module cat /proc/phion/acpf_prof 4. ktina_prof output acpf_prof output 9 / 10

Figures 10 / 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback