UAG DirectAccess performance vs Cisco IPsec VPN RRS feed

  • Question

  • Hi All,

    I would like to ask for help and opinion regarding the DirectAccess performance compared to classic VPN.

    Customer got single Internet link and two ways of connecting to corporate network:

    1. Cisco IPsec VPN
    2. UAG Direct Access (Two hardware based servers in array, NLB, SP3 + rollups)

    Users are complaining that DirectAccess is very slow compared to VPN and while DirectAccess is fine with its transparency and features for standard work, they rather connect via VPN if they want to download something from corporate network. I asked for tests and here are the results for a download of 319MB file from a home location:

    VPN: 10min 30sec
    Teredo: 28min 10sec
    IPHTTPS: 32min

    This was indeed not just a single test but several test with smaller or bigger files from different locations. Results are more or less very similar to the one above.

    Im reading all around that Teredo should be very close to traditional VPNs and not almost 3 times slower, so the question is what to do or check to improve the performance.


    Friday, May 24, 2013 12:43 PM

All replies

  • There isn't anything with the Teredo protocol that you can adjust, other than setting it to EnterpriseClient status like we discussed in the other blog post, but that won't change the performance of it. It has also been my experience that Teredo is on-par with traditional VPNs that it replaces in many companies, so your slow times are interesting. It could be a number of factors. Are your UAG boxes sitting behind a firewall? It could be slowing down the packets. Is UAG running on a VM, a regular server, or one of the specialized appliances available? Maybe changing from Unicast to Multicast for NLB (or the other way around) could change the behavior. Were the results the same before establishing the NLB array?

    I'm afraid everything I am asking aren't necessarily questions you actually have to answer, because the answers wouldn't lead to any direct resolutions, but rather are things to think about in your environment, potential influencers of the efficiency of the packet stream. Sorry, I wish I had an easy answer for you!

    Thursday, May 30, 2013 12:27 PM
  • - no firewall that I know about in front of UAG servers. UAG external NIC is configured with two consecutive public IPs.
    - regular hardware servers from HP powerfull enough for the load level (ProLiant BL460c G1, Intel(R) Xeon(R) CPU 5160 @ 3.00GHz, 16GB RAM)
    - there was no "before NLB" it has been build up as nlb array and moved to production environment

    Going to check how can the NLB mode switch affect the performance.

    Thursday, May 30, 2013 12:47 PM