Why is GlobalProtect speed 4Mbps on my 200Mbps ISP connection?

Why does my GlobalProtect SSL VPN give about 4Mbps upload and download speed on my Verizon 200Mbps connection?

I have a PA-220 on which GP is configured with just standard configs, but when I check the speed, it is significantly low, at 4Mbps. It is known that SSL VPN does give lower upload and download throughput, but this low is concerning, and I am seeking best practices to tune it up.

Make the switch to IPsec; it really helped my company in a similar situation for a few users.

Can you please provide some architecture details?

Are you sure you aren't on something like 300 down, 10 up from your ISP?

Where are you connecting from? How are you defining the upload?

Are you on an inside interface connected via GlobalProtect and uploading to an outside host on the internet?

Decrypt enabled?
How fast is this without GP?

What are you uploading? I suggest you use a single large file like an ISO image.

What security profiles do you have enabled on the following?

VLAN Layer 2 interface
Layer 3 interface for that VLAN
WAN/ISP interface, vlan etc.

If your connection to Verizon is asynchronous, that is, it's not 200Mbps both up and down, and instead it's 200Mbps down and like 10mbps up, then:

You will only have a 10mbit upload from the 220 end, which means you're only going to get a 10mbit (max) download on the client.

Which means you can only ever get really 10mbit max throughput.

Since these types of asynchronous connections are also shared bandwidth, 4mbit doesn’t sound out of reach.

Welcome to the club. It is EXTREMELY all over the place for speeds, internet and intranet will both wildly differ between users and times. Sometimes I get 60 down, sometimes I get 6…

One thing you might want to try is playing with the MTU setting on the tunnel interface. I had always left mine on auto and while it was supposed to adjust for the encapsulation, I found that IPsec traffic ended up fragmenting like crazy and my internal resource speeds would be like 2mbits. I changed the MTU on the tunnel to 1300 and instantly went from 2 to 6 mbits for internal (my upload is 5mbits max so this made sense), and I was getting 40mbits on faster connections.

Internet (speedtest) did not seem to make a difference though, but something to explore. There is a palo doc on adjusting the MTU manually as well which is where I got the original idea from.
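
The MTU tuning described in the comment above starts from knowing the largest packet the path carries without fragmentation. As an added example (not part of the original thread), this script measures that with DF-bit pings; it assumes Linux iputils `ping`, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path unfragmented.

# probe SIZE HOST: succeeds if one ICMP echo carrying SIZE payload bytes, sent
# with the Don't Fragment bit set, gets a reply within one second.
# Assumes Linux iputils ping (-M do prohibits fragmentation).
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search over ICMP payload sizes.
# Prints the path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_path_mtu() {
    host=$1
    lo=${2:-500}      # smallest payload tried
    hi=${3:-1472}     # 1472 + 28 = 1500, the usual Ethernet MTU
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid               # this size got through, try larger
        else
            hi=$(( mid - 1 ))     # dropped or needed fragmenting, try smaller
        fi
    done
    echo $(( lo + 28 ))
}

# Runs only when a target is supplied, e.g.  PMTU_HOST=192.0.2.10 sh pmtu.sh
# (192.0.2.10 is a documentation placeholder address).
if [ -n "${PMTU_HOST:-}" ]; then
    find_path_mtu "$PMTU_HOST" || echo "no reply from $PMTU_HOST" >&2
fi
```

Measured against the gateway's public address with the VPN disconnected, the result is the outer path MTU; the tunnel interface MTU has to sit below it by at least the encapsulation overhead.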

This can happen for several reasons. As a few others have said, I would look at MTU, along with Internet Exchange peerings. I have a PA VM-300 in Azure US East, and a PA-5220 in New York with multiple 1gb connections running ECMP. These 1gb connections run in a GRE tunnel to a CDN for DDoS protection. We run a lower MTU on our internet connections due to the GRE overhead; we keep tunnel interfaces around 1305. In Azure I think we have them around 1360 (can't remember off the top of my head).

Going to a speedtest from my home ISP: I'll do one test to Ashburn (to mimic the Azure connection) and I get around 98% of my speed when connected to GlobalProtect in Azure. I'll do another speed test to NYC, to mimic the 5220; when connected to the 5220 I get around ~65% of my speeds when connected to GlobalProtect in NYC.

The other thing I would say is set a baseline without GlobalProtect. For example, host an iperf3 server with NAT / PAT, then from your home do a TCP iperf test, in order to establish a baseline of an 'unencapsulated' stream.

Had the same problem, but this was IPv6 only. With IPv4, no problem. Did not yet figure out why. Tried some MTU adjustments.

I had the same issue, and called support and they fixed it. We had a port being blocked that was causing issues over the vpn. After we made a few rule adjustments I went from 3-5 Mbps to about 60 Mbps.

I would get with support, but I’ll see if I can find our old ticket and give some more detail.

GP is configured on a Layer 3 loopback interface with no security profile attached.

From the ISP I always get 150Mbps upload and download speed in many scenarios. I use iperf as well as three SpeedTest sites to gauge the average speed. Three friends connected from their home’s wired connection to my GP SSL VPN. I have enabled IPSec also on my GP just to receive higher speed (hopefully). Yes, once GP is connected it is on the Inside Zone and applies no security profiles at all and Inside to Untrust allow any any. No Decrypt enabled and without GP, it is above 150Mbps all the time. The most basic Layer 3 config as documented on the Palo’s home use PA-200 config that I followed.

Verizon ISP => eth1/1 (DHCP client public IP) => VLAN Object Layer 3 => All other ports Layer 2 for LAN devices directly connected.

I do not believe my Verizon ISP connection is asynchronous. I run into no performance issues with PA-220 in all other non-VPN usages. While Firewalling with all security profiles enabled, the Wired and wireless throughput for all kinds of devices at home is great.

I checked the PA-220 datasheet and spec sheet; I do not find a 10Mbps max limit for GlobalProtect VPN. I wonder how much Cisco AnyConnect gives on an ASA5506X with ISP bandwidth of 100Mbps. Or GP compared to all other SSL VPN products out there. Looking for how others are getting the speed on their GP at home.

I am ready to open the security rule to say “Allow from Any to Any with no Security profiles attached.” I shall check the speed after this. Appreciate it.

Could you tell me what changes you made? Any tips?

Hey, sorry for the delay. I looked up our case. The change we made was allowing inbound udp/4501 from inside/outside to our VPN zone.

This is it. Yep. After allowing inbound Untrust to VPN zone to UDP4501, my new speed is well above 15Mbps. Much appreciated!

Awesome! Glad it helped out.

Can you please explain how to do those settings on Mac OS? I am experiencing similar low connection speeds through GlobalProtect on a mobile 4G network.

Hey, were you able to solve this?