
View Full Version : slow access with China



phil7269@gmail.com
04-28-08, 11:36 PM
Not sure if this is the right group to post in, so please let me know
if there is a more appropriate group.

We have our corp HQ in Los Angeles and an office in Shenzhen China.
Users in China are constantly complaining that their Citrix and VPN
connections to our office are extremely slow. I know from testing that
when they report slow connectivity I am able to access Citrix and VPN
at fast speeds, so I know the issue is not with our circuit or
hardware.

I have found from running traceroutes in LA and China that the
connection slows to a crawl when it gets to Asia. I believe on the
China side once the route hits Hong Kong it slows down tremendously.

My question is if this is the expected performance for connectivity
between the US and China? I know that the Chinese government filters
all traffic, is this the cause of the slow down? If anyone out there
has such connections between the US and China I would like to know if
you experience the same issues. If not, what kind of solution do you
have in place? I am planning on implementing a site-to-site VPN with a
Cisco PIX 515 in LA and a Cisco 5505 in China.

TIA

PT

mak
04-29-08, 12:58 AM
phil7269@gmail.com wrote:

> I have found from running traceroutes in LA and China that the
> connection slows to a crawl when it gets to Asia. I believe on the
> China side once the route hits Hong Kong it slows down tremendously.

If the traceroute slows down, I doubt there is any filtering going on.
ICMP is not of interest for any filtering software (yes, you could hide alternative traffic in it, but that would be
overkill); HTTP, FTP and SMTP are interesting for nosy governments.

I assume the answer is simple: they have a slow ISP connection at your site (56k analog modem?). Check that out first.

Then a site2site tunnel would not be of any help.
Upgrade your connection.

(still, there could be a bottleneck somewhere before your site)

M

Alan Strassberg
04-29-08, 12:50 PM
>We have our corp HQ in Los Angeles and an office in Shenzhen China.
>Users in China are constantly complaining that their Citrix and VPN
>connections to our office are extremely slow. I know from testing that
>when they report slow connectivity I am able to access Citrix and VPN
>at fast speeds, so I know the issue is not with our circuit or
>hardware.

This could be anything from a desktop issue to misconfigured
routers/switches/firewalls. What I would do is get a PC in
China running VNC (or some other remote access software) and
look at the problem from their perspective.

But China is the other side of the world from L.A. and
you may just be up against latency and bandwidth. We don't
have enough info here. I would start by doing some benchmarks
(iperf is good & free) and looking at all the interfaces of
any equipment (duplex mismatch will cause poor performance).

>I have found from running traceroutes in LA and China that the
>connection slows to a crawl when it gets to Asia. I believe on the
>China side once the route hits Hong Kong it slows down tremendously.

Log in to your routers and see if there are errors.
>
>My question is if this is the expected performance for connectivity
>between the US and China? I know that the Chinese government filters

200-250ms is typical latency. A site-to-site VPN won't fix
this.

alan

Chilly8
04-30-08, 05:17 AM
X-No-Archive: Yes

<phil7269@gmail.com> wrote in message
news:e16deff2-2a42-43ed-a1cd-32bfada61ec3@k1g2000prb.googlegroups.com...


> My question is if this is the expected performance for connectivity
> between the US and China? I know that the Chinese government filters
> all traffic, is this the cause of the slow down? If anyone out there

I doubt it. If you are using a VPN network, the Chinese
government cannot analyse, crack, monitor, or sniff your
connection. Anything on VPN cannot be monitored by
the local authorities, because it is encrypted.

I know from my experience of having gone to China
to broadcast the Winter Asian Games, back in 2007,
on my radio station. I used a VPN, so the local authorities
could not eavesdrop on the connection.

Burkhard Ott
04-30-08, 08:24 AM
On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:


> I doubt it. If you are using a VPN network, the Chinese
> government cannot analyse, crack, monitor, or sniff your
> connection. Anything on VPN cannot be monitored by
> the local authorities, because it is encrypted.

That they can't read it does not mean they don't filter. Every filter slows
traffic down and if there is enough traffic ....

cya

Ansgar -59cobalt- Wiechers
04-30-08, 10:25 AM
Burkhard Ott <postmaster@derith.de> wrote:
> On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:
>> I doubt it. If you are using a VPN network, the Chinese government
>> cannot analyse, crack, monitor, or sniff your connection. Anything on
>> VPN cannot be monitored by the local authorities, because it is
>> encrypted.
>
> That they can't read it does not mean they don't filter. Every filter slows
> traffic down and if there is enough traffic ....

It has been explained to him repeatedly that even though the contents
of an encrypted connection can't be read the connection itself can very
well be identified and filtered. He just chooses to ignore that. Don't
feed the idiot.

cu
59cobalt

P.S.: Role mailboxes like postmaster@ exist for well-defined purposes.
Please don't mis-use them for anything else.
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Digital Mercenary For Honor
04-30-08, 03:28 PM
On 2008-04-29 00:36:58 -0400, phil7269@gmail.com said:

> My question is if this is the expected performance for connectivity
> between the US and China? I know that the Chinese government filters

There might be some general network performance issues, which you
should examine through trace analysis to see if this is network malaise
and something client-fixable or it's really slow performance through
the ISP; it's worth the look.

I can confirm that the Chinese do filter and analyze traffic, I've
experienced this in the 2000's in travel there, where, when using
standard ports for protocols like http (80/tcp) and IM communication my
services disconnected and slowed down to a crawl. Trace analysis of my
own socket communication definitely showed that I was being
transparently proxied and also filtered by making a connection through
to a host in another country where I could see the "results" of the
communication, which showed invalid values for TCP windowing and TTL
values that proved a new socket connection was being made on behalf of
my host's original request (not even close to the correct hop-count or
TCP personality of my host).

Once I switched to use a secured tunnel, my performance actually
*improved*. While I don't know the legality of this, some potential
fixes are:

- Change your infrastructure to use non-standard port connections for
Citrix and any other application, or rotate the TCP/UDP ports used on a
regular basis to keep "hopping around".

- Encrypt everything with some QoS applied to preserve some semblance
of performance. The Open Source OpenVPN package is quite good for this,
and it's easy to tunnel everything through and change TCP/UDP ports on
a regular basis.

- Consider aggregating your Chinese connectivity to a neutral /
friendlier country nearby such as Japan or Korea so that the RTT /
latency from an end-point to an end-point is less, and then you can
take a "bundle" of your connections from China over unfiltered
bandwidth to wherever your corporate HQ is, potentially avoiding the
penalty of having both an under-performing filtering system and a
long-distance pipe both hitting your bandwidth.

- TCP/IP stacks need performance tuning when operating in special
conditions like this. Most OS's tune themselves for LAN-type access or
web-server performance where there are many incoming connections. This
doesn't suit this connection profile you're mentioning. Along with the
OpenVPN idea, it may be worth tuning those theoretical VPN boxes with
TCP/IP stack personalities that handle the long-thin or long-fat lossy
pipe problem. TCP Hybla, TCP BIC, or TCP CUBIC can help here - they are
all modifications of how the congestion-avoidance algorithm works in
TCP/IP.

Good luck.

/dmfh

--
_ __ _
__| |_ __ / _| |_ 01100100 01101101
/ _` | ' \| _| ' \ 01100110 01101000
\__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx
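
The comparison described in the post above (TTL, hop count and TCP window of a connection as seen from a host at the far end), written out as an added example that is not part of the original thread. The `Syn` record, the field names, the thresholds and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COMMON_INITIAL_TTLS = (64, 128, 255)  # usual OS defaults


@dataclass(frozen=True)
class Syn:
    ttl: int        # IP TTL as captured
    window: int     # raw 16-bit TCP window field of the SYN
    mss: int        # MSS option value
    options: tuple  # TCP option kinds in the order they appear


def initial_ttl(observed):
    """Smallest common initial TTL that could have produced `observed`."""
    for ttl in COMMON_INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    raise ValueError(f"TTL out of range: {observed}")


def proxy_indicators(sent, received, traceroute_hops, hop_tolerance=3):
    """Return the SYN fields that did not survive the path intact."""
    findings = []
    if initial_ttl(received.ttl) != initial_ttl(sent.ttl):
        findings.append("initial-ttl")   # a different stack built this packet
    hops = initial_ttl(received.ttl) - received.ttl
    if abs(hops - traceroute_hops) > hop_tolerance:
        findings.append("hop-count")     # packet originated somewhere else
    if received.window != sent.window:
        findings.append("window")        # routers and NAT leave this alone
    if received.options != sent.options:
        findings.append("options")       # option set/order is a stack fingerprint
    if received.mss > sent.mss:
        findings.append("mss-raised")    # MSS clamping only ever lowers the value
    return findings


# Constructed sample values, not taken from any real capture.
SENT = Syn(128, 65535, 1460, ("mss", "nop", "nop", "sackOK"))     # client side
DIRECT = Syn(110, 65535, 1380, ("mss", "nop", "nop", "sackOK"))   # far end, clean path
PROXIED = Syn(57, 5840, 1460, ("mss", "sackOK", "timestamp", "nop", "wscale"))

if __name__ == "__main__":
    print("direct :", proxy_indicators(SENT, DIRECT, traceroute_hops=18))
    print("proxied:", proxy_indicators(SENT, PROXIED, traceroute_hops=18))
```

A single hit such as changed options can come from an ordinary firewall; several fields changing together is what points to a connection re-originated by a middlebox.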

Burkhard Ott
05-01-08, 01:57 AM
On Wed, 30 Apr 2008 17:25:01 +0200, Ansgar -59cobalt- Wiechers wrote:


> P.S.: Role mailboxes like postmaster@ exist for well-defined purposes.
> Please don't mis-use them for anything else.

You are right, I changed it.
Thx for the hint.

Chilly8
05-02-08, 03:37 PM
X-No-Archive: Yes


"Ansgar -59cobalt- Wiechers" <usenet-2008@planetcobalt.net> wrote in message
news:fva30dUp1nL1@news.in-ulm.de...
> Burkhard Ott <postmaster@derith.de> wrote:
>> On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:
>>> I doubt it. If you are using a VPN network, the Chinese government
>>> cannot analyse, crack, monitor, or sniff your connection. Anything on
>>> VPN cannot be monitored by the local authorities, because it is
>>> encrypted.
>>
>> That they can't read it does not mean they don't filter. Every filter slows
>> traffic down and if there is enough traffic ....
>
> It has been explained to him repeatedly that even though the contents
> of an encrypted connection can't be read the connection itself can very
> well be identified and filtered. He just chooses to ignore that. Don't
> feed the idiot.


Well, VPN should always be used, when connecting a US office to a
foreign office, because of the fact that changes in the law now allow
the American authorities to monitor any communications without a
warrant. If you use VPN, the spooks in Washington cannot analyse
or monitor your communications.