We have a T1 at an outer office where we just replaced an older PIX with an RB450G (4.17) that connects to an RB1000 (4.17) at another office through PPTP. No traffic shaping or anything fancy yet, just the tunnel. I tested speed with a file transfer between a server at each location. With the default-encryption profile enabled and the default MTU (1460) I was seeing 30-50KB/s. With either encryption disabled or the MTU at 1300 (or with both) I was able to almost max out the T1 at about 175KB/s. CPU never breaks single digits on either end. In all cases above, Outlook from the outer office to Exchange at the main office crawls along in fits and spurts maxing out at about 20-30KB/s but mostly not doing much. With the configuration that gives me fast file transfers, I can RD into desktops, SSH into servers, transfer files, surf the web, and even VoIP over the tunnel and outside the tunnel works fine. I replaced the PPTP tunnel with an EoIP tunnel and Outlook now just about maxes out the T1. File transfers and everything else are just as fast. What am I doing wrong?
Anybody? Bueller? Bueller? Bueller?
If I slurp up some packets is there anything specific I should be looking for to find the cause of the slowness?
This may not be your solution … but I try to avoid TCP tunnels (PPTP) whenever possible. TCP traffic (like SMTP) inside a TCP tunnel goes through double congestion control and one can affect the other.
http://www.docstoc.com/docs/37194256/Understanding-TCP-over-TCP-Effects-of-TCP-Tunneling-on
So your VoIP (UDP) or short TCP sessions could be fine inside the TCP tunnel, but long TCP sessions could build up enough errors to slow down to a crawl over time. You can test this by restarting the mail service and see if the immediate speed is better and whether it degrades over time.
The low MTU requirement suggests that you already have some overhead on the T1. I don’t know much about T1, but if the underlying ISP protocol is also PPTP, then you may have TCP inside TCP inside TCP … but again, this could be wrong.
Use L2TP for your tunnel.
GL
Personally I think you have an MTU problem. Try to adjust your TCP MSS like this:
/ip firewall mangle
add action=change-mss chain=forward disabled=no new-mss=1420 protocol=tcp \
    tcp-flags=syn
Thanks for the feedback!
I haven’t had a chance to test these options, but as soon as I do I’ll update this post with the results. If it works, it might help others, and if it doesn’t maybe it will help stimulate further discussion.
I’ve tested L2TP on a few links and it appears to have resolved the problem. Thanks for all the help!