[BBLISA] Odd Latency issues over VPN

Nick Cammorato nick.cammorato at gmail.com
Fri Jan 24 12:54:39 EST 2014


Not that I'm seeing.  Normal-looking window sizes (to me), no packet loss
that I can see.  I'll send along a set of captures from the tap.


On Fri, Jan 24, 2014 at 12:01 PM, Matt Simmons <bandman at gmail.com> wrote:

> When you tcpdump, are you seeing any chicanery with the TCP window size? I
> assume you would have mentioned things like retransmitted packets and so
> on. No packet loss?
>
> --Matt
>
>
> On Fri, Jan 24, 2014 at 11:57 AM, Nick Cammorato <nick.cammorato at gmail.com> wrote:
>
>> Hi everyone,
>>
>> I thought someone here might have some ideas, because I'm currently
>> stumped.  For some background: I recently consolidated all of our "inside"
>> layer 3 onto our Juniper SRX 1400. Prior to this everything was scattered
>> across a few different devices with some point to point links.  For the
>> most part, everything works as expected - pretty well.  The exception being
>> why I'm mailing the list - VPN connections (via our ASA) to our internal
>> instances of Atlassian Confluence are suddenly excruciatingly slow.
>>
>> We have 2 confluence instances: a development/test instance and a
>> production instance, each of which live on a different VLAN/has a different
>> gateway.  The exhibited behavior is: page loads of up to 30-40 seconds,
>> almost all of which is a single batched ajax JS load - which is about
>> 300 -> 500kb or so and loads at a rate of 10kbps.  This is new behavior.
>>
>> Traffic not over VPN is perfectly normal.
>>
>> Current topography looks as follows:
>> ASA(inside) --> SRX (ge-x/x/x.0)
>> Clients -(Ge)-> Client Distribution Switch --(2XGe VPC)--> Nexus Switches
>> --(2XGe VPC)--> SRX(ae0.1)
>> Confluence1 -(Ge)->  Distribution Switch --(2XGe VPC)--> Nexus Switches
>> --(2XGe VPC)--> SRX(ae0.2)
>> Confluence2 -(Ge)->  Distribution Switch --(2XGe VPC)--> Nexus Switches
>> --(2XGe VPC)--> SRX(ae0.3)
>>
>> And I've tested the following:
>> - The ASA was at one point cabled off the Client Distribution Switch with
>> the vlan dwelling on the agg interface, moving it had no effect.
>> - I've monitored traffic via an inline tap, tcpdumps at both ends, and a
>> tcpdump on the router itself looking for fragmentation, out of sequence
>> packets, etc. and seen nothing.
>> - I've done the above looking for DNS traffic to see if maybe there is an
>> nslookup issue somewhere, and nada.
>> - iperf shows normal bandwidth to the confluence servers themselves -
>> 10mbps or so from home.
>> - There don't appear to be any autonegotiation issues.
>> - No errors on any involved interface.
>> - No errors in apache, confluence or tomcat logs, regardless of log level.
>> - Software version of confluence has no effect.
>>
>> Now here's an odd thing, if I do a curl on one of the slowly loading
>> scripts, in isolation it loads at 10kbps or so - this is repeatable too,
>> daisy chain 10 loads of the same script and they will all load at 10kbps.
>>  If I fork and run the curl twice or more in parallel, however, it loads
>> instantly.
>>
>> Anyone have any ideas before I start opening TAC/JTAC cases?
>>
>> Thanks,
>> --Nick
>>
>>
>> _______________________________________________
>> bblisa mailing list
>> bblisa at bblisa.org
>> http://www.bblisa.org/mailman/listinfo/bblisa
>>
>
>
>
> --
> "Today, vegetables... Tomorrow, the world!"
>