kishanw_51248
Dec 08, 2015

Maximum throughput on a F5 SSL VPN session

Hi Everyone,

I have a question on the maximum throughput on an SSL VPN session.

We have an F5 8900 with APM on our internal LAN. This connects with 2 x 10G links to our core router. There is also a NetApp storage controller connected to the core router with 4 x 10G links. We have a solution where a user (on a desktop) would establish an SSL VPN session to the APM. The APM checks credentials and allows access to secure data on the NetApp. Split tunneling is allowed.

When the user does a standard file copy from a NetApp share to his desktop (via the tunnel with separate gateway), the maximum speed he gets is 5 - 6 Mbytes/s. However, if he copies a file from the same NetApp to his desktop (via the LAN - different gateway), he gets close to 200 MBytes/s.

My question is, is there a data throughput limit on the F5 for SSL VPN sessions? We tried editing the Network Access - Network Settings - Client Interface Speed and set it to 1Gbps (default is 100 Mbps), but it did not seem to result in any improvement. The whole environment is connected via 10G and this slow transfer speed is really puzzling. Has anyone any ideas or advice on this? We are running v11.5

1 Reply

  • Lucas_Thompson_
    Historic F5 Account

    Single stream TCP throughput is highly dependent on latency and TCP parameters. Try a simple ping test to see what the latency is. With low latency and the recommended settings, the SSLVPN speed should be within about 50% of whatever the link speed is.

    To optimize it, generally we recommend:

    1. Use DTLS instead of TLS (don't forget to create the 4433 UDP virtual).
    2. Tune your clientside and serverside TCP parameters, using WAN and LAN optimized TCP on the virtual server.
    3. For SMB networking, make sure you use an SMB2 filer. SMB1 makes lots of little partial requests.
    4. For NetApp specifically (and probably other SMB too), make sure that you've disabled SNAT on the Network Access settings (not the vs, we're talking about the Network Access settings). It seems that NetApp is more sensitive to situations where the client is NATted, at least from our experience with support cases.
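
The dependence of single-stream TCP throughput on latency and TCP parameters, mentioned in the reply above, worked through as an added example (not part of the original thread and not F5 code). It bounds one stream by link speed, window/RTT and the Mathis loss approximation, and inverts the observed 5 - 6 MBytes/s into the effective window it would imply; the RTT values, window sizes and MSS are constructed assumptions, to be replaced by the measured ping latency and the TCP profile settings in use.

```python
import math

MATHIS_C = math.sqrt(3.0 / 2.0)  # ~1.22, constant in the Mathis et al. loss model


def window_limit(window_bytes, rtt_s):
    """At most one window of data can be in flight per round trip (bytes/s)."""
    return window_bytes / rtt_s


def loss_limit(mss_bytes, rtt_s, loss_rate):
    """Mathis approximation of loss-limited throughput (bytes/s)."""
    if loss_rate <= 0:
        return math.inf
    return (mss_bytes / rtt_s) * (MATHIS_C / math.sqrt(loss_rate))


def single_stream_ceiling(window_bytes, rtt_s, link_bytes_per_s,
                          mss_bytes=1460, loss_rate=0.0):
    """Upper bound for one TCP stream: the tightest of link, window and loss."""
    return min(link_bytes_per_s,
               window_limit(window_bytes, rtt_s),
               loss_limit(mss_bytes, rtt_s, loss_rate))


def implied_window(observed_bytes_per_s, rtt_s):
    """Effective window (bytes) that would explain an observed rate at this RTT."""
    return observed_bytes_per_s * rtt_s


if __name__ == "__main__":
    link = 10e9 / 8                      # 10G link from the post, in bytes/s
    observed = 5.5e6                     # midpoint of the 5 - 6 MBytes/s in the post
    rtts_ms = [0.5, 2, 10, 40]           # constructed RTTs; use the measured ping value
    windows = [65535, 256 * 1024, 4 * 1024 * 1024]   # constructed window sizes
    print("RTT ms | implied window for observed rate | ceiling per window (MBytes/s)")
    for rtt_ms in rtts_ms:
        rtt = rtt_ms / 1000
        ceilings = ", ".join(
            f"{single_stream_ceiling(w, rtt, link) / 1e6:8.1f}" for w in windows)
        print(f"{rtt_ms:6} | {implied_window(observed, rtt) / 1024:10.1f} KiB | {ceilings}")
```

If the implied window at the measured RTT is close to a configured send or receive buffer on the clientside or serverside TCP profile, that buffer is the first parameter to look at.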