# Test VPN speed



## stuarta (May 3, 2006)

Is there a way that I can easily test the upload speed of my VPN link in order to monitor it?

More and more people are connecting from other offices and I want to try and test the speed.

On my web link I tend to use speedtest, but obviously not so straightforward I guess on the VPN one.

Thanks


----------



## O111111O (Aug 27, 2005)

Is this PPTP, IPSEC...? 
What kind of device is terminating VPN?
What type of potential bandwidth are we talking?

The quick and dirty answer is IPERF. http://dast.nlanr.net/Projects/Iperf/

Download IPERF (linux src, etc or Windows binaries)

Select a "server" this is something on one side of VPN
iperf -s

Select a "client" this can be your system or something on remote side.
iperf -c x.x.x.x

Quick and dirty that'll test with TCP. Read the manual and you can select other options.

Iperf has the ability to push more than 99% of the users of this board can send/receive. So it will give you a decent benchmark.


----------



## jmwills (Sep 28, 2005)

The speed is going to vary depending on which ISP the clients are using and I think you can figure in about 20% overhead for the connection itself.


----------



## stuarta (May 3, 2006)

Sorry just got iperf down, but can't get it to work.

I've tried iperf -s (name of server on other end of vpn) and with -c (my ip address) but I get network is down error messages


----------



## Bob Cerelli (Nov 3, 2002)

If that doesn't work, and if just a rough estimate is good enough, try simply doing something like copying a 1 meg file and time it.


----------



## O111111O (Aug 27, 2005)

stuarta said:


> Sorry just got iperf down, but can't get it to work.
> 
> I've tried iperf -s (name of server on other end of vpn) and with -c (my ip address) but I get network is down error messages


.....

Make sure your VPN is up first.

http://dast.nlanr.net/Projects/Iperf/
http://dast.nlanr.net/Projects/Iperf/iperfdocs_1.7.0.html

Server side:
$ iperf -s -V

Client: 
$ iperf -c <server address> -I <<< The server IP should be THE PRIVATE IP INSIDE THE VPN.

This will test base TCP performance inside the tunnel.

Read through the second link. Forcing to UDP mode will allow you to brute force your connection and see what you can possibly shovel through it.


----------



## stuarta (May 3, 2006)

Okay, just ran that, going from our main office as the client and the server in the office that has the problem, I got 144KBytes transferred at 102Kbits/sec bandwidth. How does that sound?


----------



## O111111O (Aug 27, 2005)

Ok..... Well. You never mentioned a problem in original post.

102kbits/sec is about ISDN speed.

What size pipe?
What's the latency?

What's the issue?


----------



## stuarta (May 3, 2006)

Well yes sorry, I'm getting users complaining of slow speeds. Mentioned it before, but here is the brief. Head office in Exeter, remote office in Yeovil and Plymouth. Both remote offices run software off one of our Exeter ones via TS. I ran this test yesterday with Yeovil as the iperf server and my laptop here in Exeter as the client and got those speeds. This morning I got 360 transferred at 289 bandwidth. Reversed I got 216 and 155. 

The broadband connection in Yeovil is running between 3-4mb and 3mb in Exeter. Online statuses from the router page are 832000 Up and 2432000 Down in Exeter and 448000 Up and 4544000 Down in Yeovil.

Problem is that extra users have been added, which I'm assuming therefore has diminished the connection and I'm about to add a 3rd site into the equation.

We've had various people in with the options of Citrix, and bonding extra lines together in our Exeter office through a WAN box before going into our ISA box, and staying with TS. At the moment the VPN is going straight into our switch. Again I'm assuming that the issue is on our Exeter upload speed due to volume of people connecting in?

On a side note, something which I think has nothing to do with those speeds, our web link in Exeter slows down considerably over the course of the day. I can get download speeds of 300k in the morning, but 30k in the afternoon. Web browsing should be down to a minimum courtesy of the ISA box, but then someone must be doing something.

Sorry for the long post, just really hope you guys can help, constantly got the manager in Yeovil shouting because of the bad connection, but no-one can seem to pinpoint the problem and come up with a sensible solution.

Thanks


----------



## O111111O (Aug 27, 2005)

Ok. Bandwidth really isn't the MAJOR concern at this point, but is one of them.

1] By TS I assume you mean Windows TS?
2] How many users total connect to Exeter?
3] How many users in Exeter?
4] Are remote offices VPN via PPTP/IPSEC, or just TCP 3389 over Internet?
5] Can you get protocol report in ISA (I'm not an ISA guy... We did some extensive testing for customers and deemed it not suitable for HA)
6] What is your bandwidth at each location? I see you posted up/down, but I'm thinking you mean that as current throughput.

Just to summarize, what it sounds like is that you really need QOS. The issue with TS/Citrix traffic is that it's really latency sensitive. If you have normally bursty traffic it can create severe jitter which translates to poor screenpaint performance for your users. Of course, bandwidth is also a concern but there are some other factors that we want to consider. VPN is one of them. TS/Citrix/VOIP packets are all fairly fixed length SMALL payload packets. Many crypto platforms base their performance on encrypting "N" packets per second through a processor. "N" is almost always based on 1500 byte packets so one of the possibilities is that you're simply stomping what's providing your VPN. (Assuming that you're doing this via VPN)

Last but not least. If you can't get stats from your ISA box, let's look at your routers. Maybe we can gather some base stats to figure out what the majority of your traffic is.


----------
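An added illustration of the packets-per-second point in the post above (not part of the original thread): a throughput rating taken with 1500-byte packets implies a packet rate, and that packet rate, not the line, can become the ceiling for small TS-sized packets. The 832000 bit/s uplink is the Exeter figure quoted in the thread; the rated crypto throughput, the 40-byte per-packet tunnel overhead and all function names are assumptions made up for the example.

```python
# Added illustration; the rated figure and overhead are assumptions, not from the thread.
EXETER_UPLINK_BPS = 832_000    # upstream sync rate quoted in the thread
RATED_CRYPTO_BPS = 3_000_000   # constructed data-sheet figure, measured with 1500-byte packets
TUNNEL_OVERHEAD_BYTES = 40     # assumed per-packet encapsulation cost; use your tunnel's real value


def pps_ceiling(rated_bps, rated_packet_bytes=1500):
    """Packets per second implied by a throughput rating taken at one packet size."""
    return rated_bps / (rated_packet_bytes * 8)


def tunnel_goodput(payload_bytes, crypto_pps, uplink_bps, overhead_bytes):
    """Return (payload bit/s, limiting factor) for a stream of equal-sized packets."""
    wire_bits = (payload_bytes + overhead_bytes) * 8
    link_pps = uplink_bps / wire_bits  # packets per second the line itself can carry
    limit = "crypto" if crypto_pps < link_pps else "link"
    return min(crypto_pps, link_pps) * payload_bytes * 8, limit


def report(sizes=(64, 200, 1400)):
    """Goodput for small, medium and near-full-size payloads on the same box and line."""
    pps = pps_ceiling(RATED_CRYPTO_BPS)
    rows = []
    for size in sizes:
        bps, limit = tunnel_goodput(size, pps, EXETER_UPLINK_BPS, TUNNEL_OVERHEAD_BYTES)
        rows.append((size, round(bps), limit))
    return rows


if __name__ == "__main__":
    for size, bps, limit in report():
        print(f"{size:>5}-byte payload: {bps:>7} bit/s, limited by {limit}")
```

With these assumed figures the large packets are limited by the line while the small ones are limited by the packet rate of the encrypting device, well below what the line could carry.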



## stuarta (May 3, 2006)

Thanks O111111O, I appreciate your help. I'll try and answer these questions as best as I can.

1] Yep Windows Terminal Services
2] I have about 6 connecting from Yeovil at any one time and about 3 from Plymouth
3] Probably got about 20 people connected to that server in Exeter at any one time
4] The connection type on the router in Yeovil is showing as PPTP/MPPE
5] Unsure about the protocol report in ISA. I have some connectivity verifiers setup to the other offices. They are currently sat at 125 and 109msecs although I had an alert to say that it had gone over the threshold of 500msec and lost connection at 01:20 Friday morning, when no-one would have been working.
6] Sorry unsure how to measure the bandwidth. Again looking at the router in Yeovil (all VPN routers are Draytek Vigor 2600s), the diagnostic tools I can run are as follows:

ISDN/PPPoE/PPPoA Diagnostics
Triggered dial out packet header
View routing table
View ARP cache
View DHCP assigned IP addresses
View NAT Port Redirection Running Table
View NAT Active Sessions Table
ADSL Spectrum Analysis

I have spoken to our ISP as my general web speed in our Exeter office (which is a separate line to the VPN) is suffering from download speeds. In the morning I can get 300k but by mid morning that drops to 30k, with no unusual bandwidth being used through ISA. They have mentioned they are suffering from slow ADSL speeds at the moment and their engineers are working on it. They told me all of our lines are affected, although the Yeovil one was synching at 1.5mb and seemed ok, they think some of the problem could be them.

Obviously I can't wait for them as they can't give me a date of when they will fix it, but I need to try and find some solution, before it cripples us.

Thanks again


----------



## O111111O (Aug 27, 2005)

ISDN/PPPoE/PPPoA Diagnostics (probably sub menus)
View NAT Active Sessions Table
ADSL Spectrum Analysis

Do those. Post results of PPPoE/oA diags, and ADSL spec.

Don't need to post NAT active sessions, just look for a HUGE amount of NAT entries.


Honestly, ADSL... If this is mission critical for you start looking at alternate means. You want a couple of bonded E1's for Exeter at a minimum.


----------



## stuarta (May 3, 2006)

Just took the following screenshots for you.

*Exeter*

*Yeovil*

There were more NAT sessions but they cleared just as I took the screenshot.

The PPP diagnostics don't show anything other than the external IP address and that the ISDN link is down

These were taken at 08:45 when it should have been quiet


----------



## O111111O (Aug 27, 2005)

Ok. Well, there's a baseline.

You need to do that when it's busy / you have issues.


----------



## stuarta (May 3, 2006)

Ok, here are the two ADSL Spectrum results taken at lunchtime. The NAT sessions were blank

*Exeter*

*Yeovil*


----------



## O111111O (Aug 27, 2005)

Ok.

It's not a localized ADSL issue. Both of the bins show a decent SNR both upstream and downstream. During your "peak" the SNR doesn't change.

So, layer1/2 is taken care of to a certain extent. This means what you need to look at is latency/jitter over time.

Also, back to the VPN thing. Nowhere am I seeing where your TS traffic is encapsulated in a VPN? Did I miss that?


----------



## stuarta (May 3, 2006)

Ok so it's not really being affected during the day on that line, but must admit it did seem better yesterday. I was 'vnc'd' into a couple of their pc's in Yeovil and it seemed to be responding quite well.

Call me thick, but what do you mean by couldn't see it encapsulated in a VPN.

Basically in Exeter, we have our one line for Web going through one modem, and then another line going into our VPN router. This router has the permanent connections for the two office setup in it.

What's your advice for the future? We are still looking at adding duplicate ADSL lines and bonding them to the existing one, and then maybe splitting Plymouth and Yeovil onto separate lines, but then assume that we need some form of box to accept the multiple lines and feed them into our ISA box rather than our main switch.

I really appreciate all your help.


----------



## O111111O (Aug 27, 2005)

stuarta said:


> Ok so it's not really being affected during the day on that line, but must admit it did seem better yesterday. I was 'vnc'd' into a couple of their pc's in Yeovil and it seemed to be responding quite well.


Well, look at the DSL bins when you do have issues to see if any of those numbers are lower.



stuarta said:


> Call me thick, but what do you mean by couldn't see it encapsulated in a VPN.


Well, out of all of the menu options you noted I saw no mention of VPN. Not a huge deal. Didn't know if something else was doing the VPN for you.



stuarta said:


> Basically in Exeter, we have our one line for Web going through one modem, and then another line going into our VPN router. This router has the permanent connections for the two office setup in it.


Ok. So, are you showing me stats from your VPN router?



stuarta said:


> What's your advice for the future? We are still looking at adding duplicate ADSL lines and bonding them to the existing one, and then maybe splitting Plymouth and Yeovil onto separate lines, but then assume that we need some form of box to accept the multiple lines and feed them into our ISA box rather than our main switch.


Yeah...... Unless there's something that the right hand drive folks can do over there, you're not going to have much luck "bonding" ADSL lines together.

Is TS traffic the only thing you use your VPN for? Do you print to remote printers, share files, anything else?

Honestly, you would probably be best served by looking at something other than ADSL for Exeter. ADSL is just that, its bandwidth is asymmetric. This means that Exeter's upload speed is significantly lower than its download speed. Also, there's very little that can be done to ensure QOS or low latency queuing across an ADSL connection.
As I'm assuming that all of these ADSL connections are "Internet", what's the delta in cost for alternate access methods for Exeter? I would look into bonding a couple of E1's, maybe something delivered via Metro Ethernet.


----------



## stuarta (May 3, 2006)

Yes that is the stats from the VPN router, it's actually a Draytek Vigor 2600 if that helps.

There are instances of remote printing as far as when Yeovil dial into Exeter, they will print back to their printer via a printer installed on the Exeter server with the direct IP address. We have a CAD guy based in Exeter who may sometimes copy drawings across the servers and maybe sit in Exeter but print to the Yeovil plotter, but we now have a CAD guy up there and that shouldn't happen.

I've just found out that the boss's son has upgraded the Yeovil line from the standard up to 8mb down and 448kb up, to 8mb down and 832kb up, but I'm not thinking that will make a difference.

Only cost effective means I can see at the moment would be SDSL or I think we can change the contention ratio on our existing, but again, not sure if this will have any effects.

Thanks again


----------



## O111111O (Aug 27, 2005)

Well. One of the things you may want to do is start graphing bandwidth usage.

There are a ton of SNMP utils that'll graph in/out octets for a given interface.
This will at least give you some empirical evidence to see if bandwidth usage is related to your performance issue.


----------
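An added example of the octet-counter graphing suggested in the post above (not part of the original thread): it turns successive readings of an interface's `ifOutOctets` counter into bits per second and percent of the line's upstream rate, handling 32-bit counter wrap and discarding the bogus spike a router reboot produces. The 832000 bit/s capacity is the Exeter upstream figure quoted in the thread; the counter samples are constructed and the function names are hypothetical.

```python
# Added illustration; sample readings are constructed, not taken from the thread's routers.
COUNTER32_MOD = 2 ** 32
EXETER_UPLINK_BPS = 832_000  # upstream sync rate quoted in the thread

# (seconds since start, ifOutOctets) polled every 5 minutes; the counter wraps
# between the first two readings and resets (reboot) before the last one.
SAMPLES = [
    (0, 4_294_000_000),
    (300, 14_632_704),
    (600, 44_272_704),
    (900, 47_392_704),
    (1200, 1_000),
]


def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets sent between two readings, assuming at most one wrap in between."""
    return (curr - prev) % modulus


def utilisation(samples, capacity_bps):
    """Return [(time, bit/s, percent of capacity)] for each polling interval."""
    rows = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # out-of-order or duplicate poll
        bps = counter_delta(c0, c1) * 8 / dt
        if bps > 2 * capacity_bps:
            continue  # impossible rate: the counter was reset, not wrapped
        rows.append((t1, bps, 100 * bps / capacity_bps))
    return rows


def busy_intervals(rows, threshold_pct=80.0):
    """Times at which the line was at or above the given utilisation."""
    return [t for t, _, pct in rows if pct >= threshold_pct]


if __name__ == "__main__":
    for t, bps, pct in utilisation(SAMPLES, EXETER_UPLINK_BPS):
        print(f"t={t:>4}s  {bps:>9.0f} bit/s  {pct:5.1f}% of uplink")
```

Lining up the busy intervals with the times users report slow sessions gives the empirical check the post asks for.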



## stuarta (May 3, 2006)

ok thank you for all your help in this matter. I guess at the moment all I can really do is monitor the situation and try to improve the lines when possible.


----------

