Friday, November 6, 2009

Troubleshooting VPN slowness - A look at MTU

Troubleshooting transmission slowness and packet retransmits could be a puzzling task, especially when it's over an IPsec tunnel.

Last week I had the opportunity to troubleshoot a problem with slow website loading times on a webserver across the link. It was difficult to troubleshoot as the site would appear intermittently and was slow to load. A ping or a telnet to the server on the other side returned packets swiftly without any issues. I verified that the tunnel was up and was transmitting without any problems. Where could the problem be?

With a simple Wireshark capture I found out that retransmissions were occurring very frequently. This was when I found out the packets were fragmented quite a bit and realized that the VPN concentrator had been set with a very small MTU. This was nasty, as it had almost been intentionally tampered with to create an effect of slowness. Such transmission slowness is extremely difficult to troubleshoot as there was no issue with the connectivity itself.

Here's a link with a detailed explanation on how MTU affects performance.
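The fragmentation check described above can be scripted over the IPv4 headers of a capture. The following is an added example, not part of the original post: it counts fragments and bounds the MTU of the hop that produced them, using constructed sample headers (the addresses and the 576-byte MTU are assumptions, and 20-byte headers without options are assumed). The ping-sized packet passes unfragmented, which is why ping looked healthy.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_header(total_len, ident, more_frags, offset_bytes):
    """Constructed IPv4/TCP header between two made-up hosts (checksum left 0)."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_bytes // 8)
    return struct.pack(IP_FMT, 0x45, 0, total_len, ident, flags_frag, 64, 6, 0,
                       socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.1.1"))

def fragment(total_len, ident, mtu):
    """Split one datagram the way a router with the given MTU would."""
    payload, step = total_len - 20, (mtu - 20) // 8 * 8
    if total_len <= mtu:
        return [build_header(total_len, ident, False, 0)]
    return [build_header(20 + min(step, payload - off), ident, off + step < payload, off)
            for off in range(0, payload, step)]

def fragmentation_report(headers):
    """Count fragments and bound the MTU of the hop that produced them."""
    datagrams, frags, biggest_mf = set(), 0, 0
    for raw in headers:
        vihl, _, length, ident, ff, _, proto, _, src, dst = struct.unpack(IP_FMT, raw[:20])
        if vihl >> 4 != 4:
            continue  # not IPv4
        more, offset = bool(ff & 0x2000), (ff & 0x1FFF) * 8
        if more or offset:
            frags += 1
            datagrams.add((src, dst, proto, ident))
            if more:  # non-final fragments are filled up to the MTU
                biggest_mf = max(biggest_mf, length)
    # Fragment payloads are multiples of 8, so the MTU is within 7 bytes above.
    mtu_range = (biggest_mf, biggest_mf + 7) if biggest_mf else None
    return {"packets": len(headers), "fragments": frags,
            "fragmented_datagrams": len(datagrams), "mtu_range": mtu_range}

# Constructed sample: one small ping-sized packet and two full-size 1500-byte
# datagrams crossing a hop whose MTU was set to 576 (assumed value).
SAMPLE = fragment(84, 1, 576) + fragment(1500, 2, 576) + fragment(1500, 3, 576)

if __name__ == "__main__":
    print(fragmentation_report(SAMPLE))
```

The capture has to be taken downstream of the fragmenting hop for the fragments to be visible.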

Tuesday, November 3, 2009

100Mb Half Duplex problem between Cisco switch and Linux system

Today I ran into a weird scenario where a Linux system's NIC would set itself to 100Mbit half duplex regardless of whether the device and NIC were manually configured to operate at full duplex. After trolling through Cisco's website

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800a7af0.shtml

I found out that the problem usually lies with the NIC. Even though both the switch and NIC have been manually set to 100 Full duplex, there are often times when the NIC still runs auto-negotiation in the background. To resolve this problem, I had to manually set the NIC to turn off auto-negotiation. Once that was done, the problem went away.