[BBLISA] Odd Latency issues over VPN

Matt Simmons bandman at gmail.com
Fri Jan 24 12:01:19 EST 2014


When you tcpdump, are you seeing any chicanery with the TCP window size? I
assume you would have mentioned things like retransmitted packets and so
on. No packet loss?

--Matt


On Fri, Jan 24, 2014 at 11:57 AM, Nick Cammorato
<nick.cammorato at gmail.com> wrote:

> Hi everyone,
>
> I thought someone here might have some ideas, because I'm currently
> stumped.  For some background: I recently consolidated all of our "inside"
> layer 3 onto our Juniper SRX 1400. Prior to this everything was scattered
> across a few different devices with some point to point links.  For the
> most part, everything works as expected - pretty well.  The exception being
> why I'm mailing the list - VPN connections (via our ASA) to our internal
> instances of Atlassian Confluence are suddenly excruciatingly slow.
>
> We have 2 Confluence instances: a development/test instance and a
> production instance, each of which lives on a different VLAN/has a different
> gateway.  The exhibited behavior is: page loads of up to 30-40 seconds,
> almost all of which is a single batched ajax JS load - which is about
> 300 -> 500kb or so and loads at a rate of 10kbps.  This is new behavior.
>
> Traffic not over VPN is perfectly normal.
>
> Current topography looks as follows:
> ASA(inside) --> SRX (ge-x/x/x.0)
> Clients -(Ge)-> Client Distribution Switch --(2XGe VPC)--> Nexus Switches
> --(2XGe VPC)--> SRX(ae0.1)
> Confluence1 -(Ge)->  Distribution Switch --(2XGe VPC)--> Nexus Switches
> --(2XGe VPC)--> SRX(ae0.2)
> Confluence2 -(Ge)->  Distribution Switch --(2XGe VPC)--> Nexus Switches
> --(2XGe VPC)--> SRX(ae0.3)
>
> And I've tested the following:
> - The ASA was at one point cabled off the Client Distribution Switch with
> the vlan dwelling on the agg interface, moving it had no effect.
> - I've monitored traffic via an inline tap, tcpdumps at both ends, and a
> tcpdump on the router itself looking for fragmentation, out of sequence
> packets, etc. and seen nothing.
> - I've done the above looking for DNS traffic to see if maybe there is an
> nslookup issue somewhere, and nada.
> - iperf shows normal bandwidth to the confluence servers themselves -
> 10mbps or so from home.
> - There don't appear to be any autonegotiation issues.
> - No errors on any involved interface.
> - No errors in apache, confluence or tomcat logs, regardless of log level.
> - Software version of confluence has no effect.
>
> Now here's an odd thing, if I do a curl on one of the slowly loading
> scripts, in isolation it loads at 10kbps or so - this is repeatable too,
> daisy chain 10 loads of the same script and they will all load at 10kbps.
> If I fork and run the curl twice or more in parallel, however, it loads
> instantly.
>
> Anyone have any ideas before I start opening TAC/JTAC cases?
>
> Thanks,
> --Nick



-- 
"Today, vegetables... Tomorrow, the world!"