3

I am a software developer and I sometimes want to work from home but to write code over on a VPN is just tortuously slow. I have tried several different things to try and make it more reasonable. On VNC I try and tweak it so that it is as light as possible. I tried X11 forwarding and I have tried just using a pure terminal. None of these are something I can stand for more than a few minutes.

Rather than just be a complainer I thought I would take some measurements with traceroute in both directions to see how bad it really was. Now I have the numbers but I am not sure if they are bad enough to warrant some action from the IT professionals in our company or whether they will just see me as the complainer (i.e. nobody else complains about this). So here are the numbers.

Tracing from my client machine back to my server:

$ tracert myserver

Tracing route to myserver.myco.com [169.129.70.27]
over a maximum of 30 hops:

  1   663 ms   685 ms   404 ms  169.129.85.51
  2   456 ms   295 ms   265 ms  169.129.85.40
  3   421 ms   409 ms   423 ms  41.41.125.109
  4   395 ms   411 ms   412 ms  41.41.125.122
  5   433 ms   409 ms   438 ms  169.129.74.51
  6   652 ms   404 ms   354 ms  myserver.myco.com [169.129.70.27]

Trace complete.

So the median is 404 ms and no dropped packets but it seems like all the latency occurs right away with the first hop median of 663 ms... hmmm...

Tracing from my server machine back to my client:

> traceroute 169.129.85.51
traceroute to 169.129.85.51 (169.129.85.51), 30 hops max, 46 byte packets
 1  169.129.169.51 (169.129.169.51)  0.274 ms  0.185 ms  0.185 ms
 2  169.129.174.11 (169.129.174.11)  14.497 ms  14.437 ms  15.937 ms
 3  41.3.125.121 (41.3.125.121)  24.215 ms  24.863 ms  24.213 ms
 4  41.3.125.110 (41.3.125.110)  85.694 ms  87.208 ms  83.187 ms
 5  169.129.85.51 (169.129.85.51)  85.937 ms *  89.498 ms

So the max latency in this direction is 89.5 ms with one packet dropped but the progression from each stop seems more reasonable as it starts out small at the first hop and increases through each hop.

So is this something that I should ask to have fixed or is this typical behaviour for a VPN into a corporate network?

UPDATE

So I was able to reduce the time in half (roughly). I noticed when I was pinging around that it seems like they route all traffic through NY and then send it back here which seems to take roughly 200ms each leg. So I decided to play them at their own game and I started a VNC session on the servers in NY thus eliminating one leg of the trip. It is still not perfect but it is tolerable. It would be really nice if they just let us access our servers here directly then the latency would be reduced by half again and would be really snappy... Anyway, learned some networking stuff tonight!

stephenmm
  • For an internal network (i.e. all in one building), it should be about 5ms or less (I've seen <1 ms often) but this belongs on a different part of SE. –  Jun 01 '11 at 03:48
  • My home is about 12 miles from my work but I believe everything is routed through NY or about 1200 miles. From what I have read that should add about 80ms of latency... – stephenmm Jun 01 '11 at 03:53
  • So it looks like you are optimal. –  Jun 01 '11 at 03:55
  • In one direction only. The other direction is complete ass... – stephenmm Jun 01 '11 at 04:01
  • You should really try to find out where the bottleneck is. Even on a decent DSL connection you should be able to get <50ms latency unless the equipment is overloaded. – jishi Jun 01 '11 at 11:49
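
As an added example (not part of the original posts), the per-hop reading the question does by eye can be scripted: this parses both traces quoted above, takes the median of each hop's probes, counts lost probes, and reports the hop where the median rises the most. The function and variable names are assumptions of this example.

```python
import re
from statistics import median
# The two traces from the question (Windows tracert, then Unix traceroute).
TRACERT = """\
  1   663 ms   685 ms   404 ms  169.129.85.51
  2   456 ms   295 ms   265 ms  169.129.85.40
  3   421 ms   409 ms   423 ms  41.41.125.109
  4   395 ms   411 ms   412 ms  41.41.125.122
  5   433 ms   409 ms   438 ms  169.129.74.51
  6   652 ms   404 ms   354 ms  myserver.myco.com [169.129.70.27]
"""
TRACEROUTE = """\
 1  169.129.169.51 (169.129.169.51)  0.274 ms  0.185 ms  0.185 ms
 2  169.129.174.11 (169.129.174.11)  14.497 ms  14.437 ms  15.937 ms
 3  41.3.125.121 (41.3.125.121)  24.215 ms  24.863 ms  24.213 ms
 4  41.3.125.110 (41.3.125.110)  85.694 ms  87.208 ms  83.187 ms
 5  169.129.85.51 (169.129.85.51)  85.937 ms *  89.498 ms
"""
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")            # hop number, then the rest
RTT = re.compile(r"<?(\d+(?:\.\d+)?) ms|(\*)")    # "12.3 ms", "<1 ms", or "*" (lost)

def parse(trace):
    """Return [(hop, [rtt_ms, or None for a lost probe])] for either format."""
    hops = []
    for line in trace.splitlines():
        m = HOP.match(line)
        if m:
            probes = [None if lost else float(ms) for ms, lost in RTT.findall(m.group(2))]
            if probes:
                hops.append((int(m.group(1)), probes))
    return hops

def summarize(trace):
    """Per hop: median RTT, lost probes, and median RTT added since the previous hop."""
    rows, prev = [], 0.0
    for hop, probes in parse(trace):
        seen = [p for p in probes if p is not None]
        med = median(seen) if seen else None
        added = None if med is None else round(med - prev, 3)
        rows.append({"hop": hop, "median": med, "lost": probes.count(None), "added": added})
        prev = med if med is not None else prev
    return rows

def worst_hop(trace):
    """Hop number where the median RTT rises the most."""
    rows = [r for r in summarize(trace) if r["added"] is not None]
    return max(rows, key=lambda r: r["added"])["hop"]
if __name__ == "__main__":
    print(worst_hop(TRACERT), worst_hop(TRACEROUTE))
```

A negative `added` value, as at hop 2 of the first trace, means that hop answered faster than the one before it, so the per-hop differences in that trace are dominated by probe-to-probe variation rather than by distance.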

4 Answers

4

As a comparison, when I play first person shooters online typical latency (ping times) where I'm at range from 20ms to 150ms. Even lower numbers are possible (though rare). Anything more than that and players start getting angry at you for causing lag / throwing registration off. The players in a game may be spread all over the country, and those numbers tend to hold true for most everyone. Anything over 150ms and something's not right.

For a VPN connection to your place of work where you should be physically close enough to visit the office in person, you ought to be able to stay near the low end of that range. That said, read the tracert carefully. I work at a college, and I recently traced from home (on campus at the time!) to a campus server less than a block away. I was on a DSL line, and the college's provider is a fiber line from Time Warner. We're in rural Nebraska, and the packets hopped through Denver and then to Texas before the two providers' networks finally peered, and then routed through Chicago on the way back to town. That's quite a trip just to pull packets from less than 1/4 mile away. I switched over to a Time Warner cable line to match the college's ISP, and my tracerts got a whole lot more reasonable — it still hops to Lincoln, but it's down to 10ms on average and much of that is just moving through my 6yr old wireless router. So you might see if a friend with a different ISP can get better results.

The slowness in one direction but not the other also indicates to me that it likely has to do with your company's gateway, specifically the content filter if there is one. Those can add significant overhead (read: latency) to processing packets. It's likely your IT staff specifically bypassed the content filter for VPN traffic in one direction, but did not (or perhaps could not without rendering the filter moot) bypass the traffic in the other direction.

Joel Coel
  • Very insightful. The long packet trip scenario is exactly what was causing me the headache. I was able to improve it some so at least it's tolerable. What a long, strange trip it's been for my packets... – stephenmm Jun 01 '11 at 05:53
1

From an ISP perspective, on a business class circuit (this means no DSL or cable), most will guarantee 100ms or less average to the first hop on a ping test running for at least an hour. There isn't much you can do to get the ISP to do anything past their own network on traceroutes or pings when testing to various locations as the ISP doesn't have any control over that either, and what they do have control over, they don't like to modify without good reason. Essentially, if you have issues between your home and your work, neither your IT department nor your ISP can do anything to help.

If you happen to have a cheap circuit like DSL or cable, you will likely have some latency and route priority issues that your ISP will mostly just ignore, even on their own network.

MaQleod
  • Thanks for the info. I just did a little test where I disconnected from my VPN and ran traceroute a bunch of times and got an average of about 125 ms to the first hop. I have AT&T U-verse and internet at home. I wonder if I could request them to take a look at it... Can't hurt to ask I guess but even if they did improve it by 50ms that's still just a little bit over 10% improvement which I probably wouldn't even notice. I think they are routing all traffic through NY first so it might start out here go to NY then back to the local server here. That is probably taking a lot of time. hmm... – stephenmm Jun 01 '11 at 05:32
  • Here in Sweden it's not uncommon to be guaranteed <15ms latency within national limits (on the same carrier, that is). – jishi Jun 01 '11 at 11:47
0

This does not answer your question, but it may well solve your problem.

If you have a computer at work, usually a desktop, I would suggest asking if they have any problems with you using Remote Desktop to connect. If you have a laptop, leave it at work and connect to it using your home computer. You would then VPN to the corporate network, and RDP to your computer at work.

Since RDP is a very lean application you should then notice little lag from it itself, but then as you are developing, saving, or doing whatever, since you are actually doing it all on your computer at work, it is very fast since you will be doing that locally to your 100BT or 1000BT(gigabit) LAN in the office.

KCotreau
0

Consumer DSL is likely using a Tier 2 or Tier 3 network and has a lower traffic priority along with extra hops due to peering agreements. Working with 1 of the 7 Tier 1 networks for your connections would be the most effective if you're not able to build your own MPLS or other routing technology for the WAN and stored in a DC with a Tier 1 ISP to connect at 100Mbps or 1Gbps or whatever suits your needs... Typically the less peering the better optimization of routing since fewer networks are traversed and at a Tier 1 level they should be optimized with top architects working for them vs some tier 3 reselling at a lower price but lower priority over lines they don't even own and have to have peering arrangements that are less favorable when you're a lower tier typically as they probably don't need to pass your network to reach anyone else, but you need to pass theirs to get from A to B.

A VPN will slow the speeds a bit depending on the encryption, compression and HW used. In theory anything over 120ms is where it starts to get bad and is the cut off for VoIP per Cisco and RFP's last I checked when designing a network that will pass VoIP at an acceptable quality.