VPN site-2-site jitter

secathor · July 3, 2015, 12:40pm

Hi friends !

I since yesterday, I got trouble with an VPN site-2-site, I have jitter.

Site A : CCR1036-12G-4S, internet 200Mbps
Site B: RB951G-2HnD, internet 12Mbps

I currently use SSTP, and you can see on the picture the first (left picture) ping window are from site A to site B public IP
You can see it, it’s stable

Second (middle) ping window is the VPN IP and the last (right) ping window is the IP of then routerOS IP
You can see jitter

I used OpenVPN before, and ping was around 200ms
SiteA-SiteB.png
We have another Site, same routerBoard, same config as SiteB, it’s stable. so, the trouble are probably not the CCR
SiteA-SiteC.png
Need some help, some clues to find the problem !

Thanks you

Van9018 · July 6, 2015, 6:46am

Do a ping test but with the remote side’s public IP. Does the jitter still happen? If so it suggests issues isn’t related to the VPN.

Despite having fast internet speeds, nodes in between your sites may be getting congested. Some switches will tell other switches to stop sending data for x amount of time (rather than dropping packets).

This happens at one of my sites every few months, ping time is usually 25 ms but on a bad day, 20% of them are up to 76ms.

secathor · July 7, 2015, 6:11pm

Hi !

Thanks you for your reply

From both side, an ping to the other side public IP give time around 15ms (± 2ms)

But from both side, if I ping IP inside VPN, it’s give 35ms ± 15ms with sometime ping around 150ms

Van9018 · July 8, 2015, 6:35pm

I’m out of ideas, sorry. Although I just checked my SSTP site-to-site, it does the same. Pinging the public IP of remote site yields a consistent 190ms whereas through the VPN yields often 250ish but sometimes 400-500 ms.

secathor · July 8, 2015, 7:34pm

Thank for you help

This latency is very annoying for VoIP communication

Van9018 · July 8, 2015, 8:25pm

I just tested a setup with an IPSec VPN. Over the internet my pings are consistently 60ms and over the VPN they are also consistently 60ms. I run VoIP over this network and no complaints since I set it up a year ago.

SSTP is a TCP tunnel running over TCP, so double up on the overhead. Plus there is probably fragmentation going.

IPSec tunnel uses UDP, so no acknowledgements like TCP. IPSec may be a better choice for VoIP.

secathor · July 21, 2015, 7:55pm

Thanks you for your help

With the lastest version of ROS 6.30

Setting up an IPSec over EoIP is really easy

For the moment, tunnel with IPsec are more stable than SSTP or OVPN
Got average ping of 15ms over the tunnel