slow access with China

Not sure if this is the right group to post in, so please let me know if there is a more appropriate group.

We have our corp HQ in Los Angeles and an office in Shenzhen China. Users in China are constantly complaining that their Citrix and VPN connections to our office are extremely slow. I know from testing that when they report slow connectivity I am able to access Citrix and VPN at fast speeds, so I know the issue is not with our circuit or hardware.

I have found from running traceroutes in LA and China that the connection slows to a crawl when it gets to Asia. I believe on the China side, once the route hits Hong Kong, it slows down tremendously.

My question is whether this is the expected performance for connectivity between the US and China. I know that the Chinese government filters all traffic; is this the cause of the slowdown? If anyone out there has such connections between the US and China, I would like to know if you experience the same issues. If not, what kind of solution do you have in place? I am planning on implementing a site-to-site VPN with a Cisco PIX 515 in LA and a Cisco 5505 in China.

TIA

PT

phil7269

If the traceroute slows down, I doubt there is any filtering going on. ICMP is not of interest for any filtering software (yes, you could hide alternative traffic in it, but that would be overkill); HTTP, FTP, SMTP are interesting for nosy governments.

I assume the answer is simple: they have a slow ISP connection at your site (56k analog modem?). Check that out first.

Then a site-to-site tunnel would not be of any help. Upgrade your connection.

(still, there could be a bottleneck somewhere before your site)

M
mak

This could be anything from a desktop issue to misconfigured routers/switches/firewalls. What I would do is get a PC in China running VNC (or some other remote access software) and look at the problem from their perspective.

But China is the other side of the world from L.A. and you may just be up against latency and bandwidth. We don't have enough info here. I would start by doing some benchmarks (iperf is good & free) and looking at all the interfaces of any equipment (duplex mismatch will cause poor performance).

Log in to your routers and see if there are errors.

200-250ms is typical latency. A site-to-site VPN won't fix this.

alan

Alan Strassberg


I doubt it. If you are using a VPN network, the Chinese government cannot analyse, crack, monitor, or sniff your connection. Anything on VPN cannot be monitored by the local authorities, because it is encrypted.

I know from my experience of having gone to China to broadcast the Winter Asian Games, back in 2007, on my radio station. I used a VPN, so the local authorities could not eavesdrop on the connection.

Chilly8

On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:

That they can't read it does not mean they don't filter. Every filter slows traffic down, and if there is enough traffic ....

cya

Burkhard Ott

It has been explained to him repeatedly that even though the contents of an encrypted connection can't be read the connection itself can very well be identified and filtered. He just chooses to ignore that. Don't feed the idiot.

cu

59cobalt

P.S.: Role mailboxes like postmaster@ exist for well-defined purposes. Please don't mis-use them for anything else.

Ansgar -59cobalt- Wiechers

There might be some general network performance issues, which you should examine through trace analysis to see whether this is network malaise and something client-fixable, or whether it's really slow performance through the ISP; it's worth the look.

I can confirm that the Chinese do filter and analyze traffic. I experienced this in the 2000s while travelling there: when using standard ports for protocols like HTTP (80/tcp) and IM communication, my services disconnected and slowed down to a crawl. Trace analysis of my own socket communication definitely showed that I was being transparently proxied and also filtered. By making a connection through to a host in another country where I could see the "results" of the communication, I saw invalid values for TCP windowing and TTL values that proved a new socket connection was being made on behalf of my host's original request (not even close to the correct hop count or TCP personality of my host).

Once I switched to use a secured tunnel, my performance actually *improved*. While I don't know the legality of this, some potential fixes are:

- Change your infrastructure to use non-standard port connections for Citrix and any other application, or rotate the TCP/UDP ports used on a regular basis to keep "hopping around".

- Encrypt everything with some QoS applied to preserve some semblance of performance. The Open Source OpenVPN package is quite good for this, and it's easy to tunnel everything through and change TCP/UDP ports on a regular basis.

- Consider aggregating your Chinese connectivity to a neutral / friendlier country nearby such as Japan or Korea so that the RTT / latency from an end-point to an end-point is less, and then you can take a "bundle" of your connections from China over unfiltered bandwidth to wherever your corporate HQ is, potentially avoiding the penalty of having both an under-performing filtering system and a long-distance pipe both hitting your bandwidth.

- TCP/IP stacks need performance tuning when operating in special conditions like this. Most OSes tune themselves for LAN-type access or web-server performance where there are many incoming connections. This doesn't suit the connection profile you're mentioning. Along with the OpenVPN idea, it may be worth tuning those theoretical VPN boxes with TCP/IP stack personalities that handle the long-thin or long-fat lossy pipe problem. TCP Hybla, TCP BIC, or TCP CUBIC can help here; they are all modifications of how the congestion-avoidance algorithm works in TCP/IP.

Good luck.

/dmfh


Digital Mercenary For Honor
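To make two of the points in the post above concrete (the TTL/hop-count mismatch that betrays a transparent proxy, and why a 200-250 ms path needs a larger TCP window than the unscaled 64 KB default), here is an added Python diagnostic; it is not code from any poster, and the initial-TTL table, the sample SYN-ACK TTLs and the hop count are assumed or constructed values.

```python
"""Diagnostic helpers for the LA <-> China symptoms discussed in the thread.

Check 1: a TCP reply (SYN-ACK) whose TTL implies far fewer hops than
traceroute reports suggests a middlebox is terminating the connection.
Check 2: bandwidth-delay product (BDP) vs. the 65535-byte unscaled window.
"""

# Common OS initial TTLs (assumed table; real hosts may differ).
INITIAL_TTLS = (64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Hops travelled = (smallest common initial TTL >= observed) - observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def transparent_proxy_suspected(syn_ack_ttl: int, traceroute_hops: int,
                                tolerance: int = 3) -> bool:
    """True when the reply seems to originate much nearer than the route length."""
    return traceroute_hops - infer_hop_count(syn_ack_ttl) > tolerance


def required_window_bytes(bandwidth_bps: float, rtt_seconds: float) -> int:
    """Bytes that must be in flight to keep the link busy (BDP)."""
    return int(bandwidth_bps / 8 * rtt_seconds)


def window_scaling_needed(bandwidth_bps: float, rtt_seconds: float,
                          max_unscaled: int = 65535) -> bool:
    """Without RFC 1323 window scaling a TCP window tops out at 65535 bytes."""
    return required_window_bytes(bandwidth_bps, rtt_seconds) > max_unscaled


def analyse(traceroute_hops: int, syn_ack_ttls: list, link_bps: float, rtt_s: float) -> dict:
    """Combine both checks over a set of observed reply TTLs."""
    inferred = [infer_hop_count(t) for t in syn_ack_ttls]
    return {
        "inferred_hops": inferred,
        "proxy_suspected": all(transparent_proxy_suspected(t, traceroute_hops)
                               for t in syn_ack_ttls),
        "bdp_bytes": required_window_bytes(link_bps, rtt_s),
        "window_scaling_needed": window_scaling_needed(link_bps, rtt_s),
    }


if __name__ == "__main__":
    # Constructed sample: 18-hop route, replies arriving with TTL ~61,
    # 10 Mbit/s link, 250 ms RTT (figures are illustrative, not measured).
    print(analyse(18, [61, 62, 61, 60], 10_000_000, 0.25))
```

A genuine far-end host on an 18-hop path would answer with a TTL near 46 (64 - 18), so replies at TTL 61 point to a device about three hops away answering in its place.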

On Wed, 30 Apr 2008 17:25:01 +0200, Ansgar -59cobalt- Wiechers wrote:

You are right, I changed it. Thx for the hint.

Burkhard Ott


Well, VPN should always be used when connecting a US office to a foreign office, because of the fact that changes in the law now allow the American authorities to monitor any communications without a warrant. If you use VPN, the spooks in Washington cannot analyse or monitor your communications.

Chilly8
