CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Slow SSL VPN Reason

  1. #1
    Join Date
    2017-09-21
    Posts
    22
    Rep Power
    0

    Default Slow SSL VPN Reason

    If you are experiencing a slow RDP connection when connected to the VPN, to the point of being unusable. However, if they connect RDP over the Internet without the VPN, it's fine.

    What could be possible issues?

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    121
    Rep Power
    11

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by jessica View Post
    If you are experiencing a slow RDP connection when connected to the VPN, to the point of being unusable. However, if they connect RDP over the Internet without the VPN, it's fine.

    What could be possible issues?
    Could be a number of things. In my experience with Connectra (the previous name of Mobile Access), its performance is more than one order of magnitude lower than an IPSec VPN. You may want to try with an IPSec client (Check Point's is called Endpoint Security VPN) or an L2TP-over-IPSec client (most operating systems have one built in). If those perform well, then you know the performance issue is limited to the SSL VPN functionality.
    Zimmie

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    645
    Rep Power
    5

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by Bob_Zimmerman View Post
    Could be a number of things. In my experience with Connectra (the previous name of Mobile Access), its performance is more than one order of magnitude lower than an IPSec VPN. You may want to try with an IPSec client (Check Point's is called Endpoint Security VPN) or an L2TP-over-IPSec client (most operating systems have one built in). If those perform well, then you know the performance issue is limited to the SSL VPN functionality.
    Why is that? Is it because of the software client, or poor hardware performance/optimization for SSL tunneling?

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    121
    Rep Power
    11

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by laf_c View Post
    Why is that? Is it because of the software client, or poor hardware performance/optimization for SSL tunneling?
    I don't really know. I just remember a Power-1 9070 handling 50,000 simultaneous connected users with no problem, while the Connectra version (I forget the name, but it was a 9070) tipped over after about 500 users connected.

    This was in the R65 to R70 days, so the situation may be better now. I have tried many "SSL VPN" products (F5, Pulse, Citrix, and others) since then, and none of them gave even remotely acceptable performance. I'd typically get around 3-5 MB/s while an IPSec tunnel over the same Internet connection to my much older firewalls gives 50 MB/s.
    Zimmie

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,102
    Rep Power
    12

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by Bob_Zimmerman View Post
    I don't really know. I just remember a Power-1 9070 handling 50,000 simultaneous connected users with no problem, while the Connectra version (I forget the name, but it was a 9070) tipped over after about 500 users connected.

    This was in the R65 to R70 days, so the situation may be better now. I have tried many "SSL VPN" products (F5, Pulse, Citrix, and others) since then, and none of them gave even remotely acceptable performance. I'd typically get around 3-5 MB/s while an IPSec tunnel over the same Internet connection to my much older firewalls gives 50 MB/s.
    The situation is much better now due to Multicore SSL which was introduced in R77.20, and multicore IPSec VPN introduced in R80.10. Prior to these features only one Firewall Worker core (CoreXL kernel instance) could handle all VPN traffic unless it was accelerated by SecureXL.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    121
    Rep Power
    11

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by ShadowPeak.com View Post
    The situation is much better now due to Multicore SSL which was introduced in R77.20, and multicore IPSec VPN introduced in R80.10. Prior to these features only one Firewall Worker core (CoreXL kernel instance) could handle all VPN traffic unless it was accelerated by SecureXL.
    That would affect IPSec and SSL VPN equally, wouldn't it? The SSL VPN has always performed at a tiny, tiny fraction of the level of IPSec for me. Low throughput, and high resource consumption (leading to low user limits).
    Zimmie

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,102
    Rep Power
    12

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by Bob_Zimmerman View Post
    That would affect IPSec and SSL VPN equally, wouldn't it? The SSL VPN has always performed at a tiny, tiny fraction of the level of IPSec for me. Low throughput, and high resource consumption (leading to low user limits).
    Sort of. IPSec VPNs can potentially be handled by SecureXL in the Accelerated Path while SSL cannot, which may have accounted for some of the discrepancy you observed. Also, SSL imposes an additional level of CPU and packet size overhead by using TCP in the outer header, with the protocol tunneled inside also probably using TCP. IPSec is kind of like UDP in that it does not incur that extra overhead of TCP and assumes the tunneled protocol will handle any lost or out-of-order frames on its own.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    121
    Rep Power
    11

    Default Re: Slow SSL VPN Reason

    Quote Originally Posted by ShadowPeak.com View Post
    Sort of. IPSec VPNs can potentially be handled by SecureXL in the Accelerated Path while SSL cannot, which may have accounted for some of the discrepancy you observed. Also, SSL imposes an additional level of CPU and packet size overhead by using TCP in the outer header, with the protocol tunneled inside also probably using TCP. IPSec is kind of like UDP in that it does not incur that extra overhead of TCP and assumes the tunneled protocol will handle any lost or out-of-order frames on its own.
    Well yes, there’s more overhead with SSL than IPSec. I mean they would be affected to roughly the same degree. There wouldn’t be a 2x performance increase to one and a 20x increase to the other.
    Zimmie
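
Added example, not part of any post in this thread: a simplified, deterministic model of the point raised in post #7, comparing an outer TCP tunnel with a datagram tunnel that leaves loss recovery to the tunneled protocol. It goes slightly beyond the post by multiplexing several inner flows over one tunnel; the flow count, timings and the lost packet are constructed assumptions, and the model ignores CPU cost and header size.

```python
# Added illustration: simplified, deterministic model (all numbers constructed).
from collections import defaultdict

def deliver(n_packets, n_flows, lost, tunnel,
            interval_ms=10, one_way_ms=20, rto_ms=200):
    """Return {flow: total added delay in ms} seen by each inner flow.

    Packet i is sent at i*interval_ms and belongs to flow i % n_flows.
    A packet in `lost` is recovered by one retransmission after rto_ms:
    by the outer TCP when tunnel == "stream" (SSL-VPN-like), or by the
    inner TCP when tunnel == "datagram" (IPSec-like).
    """
    if tunnel not in ("stream", "datagram"):
        raise ValueError("tunnel must be 'stream' or 'datagram'")
    added = defaultdict(int)
    tunnel_ready = 0               # in-order release point of the outer TCP stream
    flow_ready = defaultdict(int)  # in-order release point of each inner TCP flow
    for i in range(n_packets):
        flow = i % n_flows
        ideal = i * interval_ms + one_way_ms
        arrival = ideal + (rto_ms if i in lost else 0)
        if tunnel == "stream":
            # Outer TCP releases bytes strictly in order, across all flows,
            # so everything queued behind the lost packet waits with it.
            arrival = tunnel_ready = max(arrival, tunnel_ready)
        # Inner TCP releases data in order within its own flow only.
        flow_ready[flow] = max(arrival, flow_ready[flow])
        added[flow] += flow_ready[flow] - ideal
    return dict(added)

def stalled_flows(result):
    """Flows whose application saw any added delay."""
    return sorted(f for f, ms in result.items() if ms > 0)

if __name__ == "__main__":
    for tunnel in ("datagram", "stream"):
        r = deliver(n_packets=30, n_flows=3, lost={5}, tunnel=tunnel)
        print(tunnel, "stalled flows:", stalled_flows(r), "added ms:", r)
```

With one lost packet, the datagram tunnel stalls only the flow that owned it, while the stream tunnel stalls every flow sharing the tunnel until the outer retransmission arrives.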
