Azure VPN Gateway Slow

Curci, Andrea 0

Hi Community,

I have a problem with the performance of the Site to Site VPN from Azure to on premises. My scenario is as follows:

I'm using a Test Subscription (for PoC) with 200$ Credit, VPN Virtual Gateway (VpnGw1 Gen 1) and 1 Virtual Machine and 1 Windows 365.

My Region is West Europe.

On Premises infrastructure is formed from 2 Fortinet 100F in HA and 1Gbps internet Up & Down (Used only for test, only 1 client connected).

From OnPremises Firewall i Set the MTU 1400 and MSS 1350 as best practice and i set the static route.

My problem is that whatever changes I make IPerf always returns me the same values which are not very satisfactory:

User's image

When i copy one file from on premises to cloud and vice versa, the speed is (maximum) 8 MB for second.

As a note: I tested (I think) every combination of algorithms, and also the VpnGw2 Gen 2 VPN

I have no more ideas, do you have any?

Thank you

ChaitanyaNaykodi-MSFT 26,966 Reputation points Microsoft Employee

2023-12-08T03:46:53.9633333+00:00

@Curci, Andrea

Thank you reaching out.

Can you please confirm the on-prem device used is a validated device and listed here ?

I understand Iperf results were poor, can you try richcopy as stated below and see if there is any improvement in file upload/download.

As documented here you may experience slow file coping when either using Windows Explorer, or dragging and dropping through an RDP session. File copy applications, such as Windows Explorer and RDP, do not use multiple threads when copying files. For better performance, use a multi-threaded file copy application such as Richcopy to copy files by using 16 or 32 threads. It will be worth testing if you are able to get a better performance while copying the files via Richcopy.

Please let me know if you have any questions. Thank you!
Curci, Andrea 0 Reputation points

2023-12-08T09:52:29.76+00:00

Thanks for your comment.

I confirm that I use a device in the list. I used for these tests: Sophos and Fortinet.

I can't test Richcopy because I can't find a secure download link. The link in the documentation returns 404.

The main problem is that the file server is on premises and we have important 200MB files. From VDI users notice that opening the file is very slow.
ChaitanyaNaykodi-MSFT 26,966 Reputation points Microsoft Employee

2023-12-08T19:24:22.36+00:00

@Curci, Andrea

Thank you for getting back and providing additional details here.

I am reaching out to the team internally regarding the broken link for RichCopy and will share an update as soon as I get a response.

Meanwhile can you please try running the link performance using Azure Connectivity Toolkit as described here and share the results.

Get-LinkPerformance -RemoteHost 10.0.0.1 -TestSeconds 10

File transfer speed can be limited due to local machine and multi threaded approach is recommended. The test above will perform a multi-threaded test.

Please let me know if you have any questions. Thank you!
Curci, Andrea 0 Reputation points

2023-12-08T19:57:35.71+00:00

Thanks for your comment.

In the image there is the server-side result

This is client-side result: CWindowssystem32cmd.exe.txt

Thank you
ChaitanyaNaykodi-MSFT 26,966 Reputation points Microsoft Employee

2023-12-13T02:05:18.3066667+00:00
@Curci, Andrea

Thank you for providing the details above.

I am still waiting for a response from the team regarding the official link for RichCopy exe.

Meanwhile, from your test above we can see that there is an improvement in the bandwidth with multi-threaded approach.

As currently documented here the best performance was obtained when we used the GCMAES256 algorithm for both IPsec Encryption and Integrity. Can you please help validate if you have selected GCMAES256 algorithm? for VpnGw1 SKU below is the ideal performance observed.

Please let me know if you have any question. Thank you!
Curci, Andrea 0 Reputation points

2023-12-13T09:42:24.4966667+00:00

Thanks for the reply.

We are currently using the default values for testing in Azure:

From Our Firewall:

Phase 1:

DH Group: DH1024, DH2048, ecp521

Encryption: AES256 and AES256

Authentication: SHA2 256 and SHA2 512

Phase 2:

DH Group: none

Encryption: AES256 and AES256

Authentication: SHA2 512 and SHA2 256

Our Firewall do not support GCMAES256 by default.
ChaitanyaNaykodi-MSFT 26,966 Reputation points Microsoft Employee

2023-12-19T03:30:09.3633333+00:00

@Curci, Andrea

Thank you for reaching out and apologies for the delay here.

I understand that your Firewall does not support GCMAES256 by default.

Can you try and change it to GCMAES256 algorithm for both IPsec Encryption and Integrity?

If you need any further help in troubleshooting this issue, I think we will need specialized 1:1 session, where a support engineer can have a screen share session to pin point the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.

Subject : Attn Chaitanya

Thread URL: Link to this thread.

Subscription ID

Please let me know once you have done the same.

Please let me know if you have any questions here. Thank you!
Curci, Andrea 0 Reputation points

2023-12-22T09:17:48.4533333+00:00

Thanks for your comment.

I sent the email to azcommunity@microsoft.com however I received the reply that the mtmvp group only accepts emails from users of the organization or those present in the list of allowed senders.

Thank you for you support
ChaitanyaNaykodi-MSFT 26,966 Reputation points Microsoft Employee

2023-12-28T05:25:44.9266667+00:00

@Curci, Andrea

Thank you for reaching out. I have replied to your email today. Please share the support ticket number when you open the support ticket.
BANJARA AJAYA 0 Reputation points

2024-07-11T06:05:49.55+00:00

Did you get a solution?

I am having the same problem and couldnot find any solution.
jose76672 61 Reputation points

2025-01-28T15:40:44.94+00:00

@BANJARA AJAYA Hello, I have the same slow vpn sku 1 problem, were you able to solve it? thank you so much
jose76672 61 Reputation points

2025-01-28T15:40:46.4533333+00:00

@BANJARA AJAYA Hello, I have the same slow vpn sku 1 problem, were you able to solve it? thank you so much
Curci, Andrea 0 Reputation points

2025-01-29T09:04:09.28+00:00

Unfortunately we have not solved, we have tried everything possible but without good results.

The cloud is promoted more and more but the S2S VPN should be better in my opinion.

If anyone has solutions they are always welcome, we tend to use Fortinet firewalls on premises
jose76672 61 Reputation points

2025-01-29T10:02:44.0366667+00:00

Hello @Curci, Andrea , thank you for responding. In my case, I have an on-premises network with a FortiGate device connected to two ISPs. In Azure, I have a Virtual Network Gateway with SKU 1 (650 Mbps) and an active connection to Azure, along with two Local Network Gateway connections from on-premises. Users are complaining about slow performance when accessing Azure Files. I have two premium shares, one with 5TB and another with 500GB, and SMB multichannel is enabled. I have also enabled metadata caching for premium SMB file shares as described here: SMB Performance - Metadata Caching for Premium SMB File Shares. The end-to-end (E2E) latency metrics are very high, with an average of 81.55ms.

1 answer

VIVEK DWIVEDI 105 Reputation points Microsoft Employee

2025-02-05T13:26:37.9866667+00:00
Hi @Curci, Andrea

Could you please try iperf with multiple thread as given below which enforces to use Mutiple thread at the same time.
Also, could you share the Azure VM type and size and on-prem VM/host size ?

On the Azure VM, open an elevated command prompt, navigate to the path of iperf.exe and execute the following: iperf3 -s. This starts the IPerf server and you should see “Server listening on TCP port 5201”

Note* By default, Iperf listens on port 5201, so you will need to make sure that connections are permitted to port 5201 over the Windows Firewall.

From the on-premises client open an elevated command prompt and execute the following: iperf3 -c <IP ADDRESS OF AZURE VM> -t 300 -f m --logfile %computername%-iperf.log -i 30

Note* Yes - there are two dashes in front of the logfile parameter

Once the previous test has concluded, from the on-premises client, execute the following command: iperf3 -c <IP ADDRESS OF AZURE VM> -t 300 -f m --logfile %computername%-iperf32.log -i 30 -P 32

Now we want to reverse the test. Stop the IPerf server on the Azure VM with CTRL+C. Open an elevated command prompt on the on-premises machine and execute the following: iperf3 -s

**Note: You can actually do the reverse test without switching client and server by running the client side tests with the -R (must be uppercase) switch. This will do a "Reverse" test server sends, client receives.

From the Azure VM open an elevated command prompt and execute the following: iperf3 -c <IP ADDRESS OF ON-PREMISES MACHINE> -t 300 -f m --logfile %computername%-iperf.log -i 30

Once the previous test has concluded, from the Azure VM, execute the following command: iperf3 -c <IP ADDRESS OF ON-PREMISES MACHINE> -t 300 -f m --logfile %computername%-iperf32.log -i 30 -P 32
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure VPN Gateway Slow

1 answer

Your answer