slow between branch oficce and head office

[maiconlp]

Hello Everyone,

I'm with slow problem in my VPN network. I have an openvpn server in my head office and one client in my branch office both in Linux Red Hat Enterprise 5.5.

the slow problem occur when the users access from inside network branch to inside network head office by WTS ( Remote Desktop ).

anybody have ever had one case similar this ?? can openvpn generate any slow type ?

thank!

[maikcat]

hi there,

please post configs and more details about your setup.

Michael

[maiconlp]

Thank for your return....

as I've said above my problem it's a bit strange....

I have two local networks in my head office: one users VLAN and other servers VLAN both hold by Switch Core Cisco 4000.

the data flow from my branch office passes by openvpn Tunnel and it's forward to my Cisco switch core.

when the traffic is to VLAN x.y.z.t/16 ( users VLAN ) all it's work! but when is to a.b.c.d/24 ( servers VLAN ) occur slow!

the users access the servers by Remote Desktop WTS port TCP 3389.

any tip ??


thank!

[janjust]

"slow" RDP performance is most often caused by a MTU mismatch; you can work around most MTU mismatches on your network using

Code: Select all

fragment 1400
mssfix

(in udp mode); what happens if you add these options to both end of your tunnel?

[maiconlp]

I've just included fragment 1400 and mssfix in both files .conf

I have done tests and neither ping more. ping from my branch office to my VLAN users keeps that's ok but to my VLAN servers has stopped ping.

when I return ( delete both parameters from files ) all come back as before.

I think that the move has had any effect on openvpn Tunnel but I dont what....

more any tip ?!?!

thank you.

[janjust]

let me get this straight: with 'fragment 1400' added to both client and server configs the pings to the users VLAN still works, but pings to the server VLAN stop: right?

There is something *very* funny going on on the Cisco 4000 : how are the VLANs defined? are different MTU settings applied to each VLAN?

What happens if you lower the 'fragment' parameter to something like 1000 (for testing purposes only) ? Is it possible for you to monitor the flow of packets on the switch? elsewhere on the LANs (e.g. using tcpdump/wireshark) ?

[maiconlp]

Yes! stop it's work only Servers VLAN.

I will make new test as your suggestion.

but only a question: when I insert at in files the parameter "fragment" I'm say to OpenVPN Tunnel to fragment packages which the size is more than 1400 right?? and mssfix what it do??

thank!

[janjust]

'mssfix' sets an upperbound on the TCP Maximum Segment Size , which is a TCP tuning feature that is passed onto the kernel level.

The main difference between the users LAN and the server LAN is qos - is it possible to disable qos on the server lan as well and see if that solves it?
OpenVPN itself is currently not qos aware, but as you're using 'tun' I would not have expected any problems there; in 'tap' mode it might have been different....

Another thing to try is to add

Code: Select all

passtos

to the server configuration , provided that it's Linux/BSD based.

[maiconlp]

Hi, sorry for my late to go on answering....but I'm other problems.

what I have done was create a new VLAN in my switch core and insert it in VPN tunnel.
I've put one server those VLAN and I've asked for my Branch office users connect to.

strange but its working!!!! the performance on RDP it's better in the new VLAN~.

the time is more in old vlan than new . I will go on doing tests


thank!