slow access with China - Firewalls


  1. slow access with China

    Not sure if this is the right group to post in, so please let me know
    if there is a more appropriate group.

    We have our corp HQ in Los Angeles and an office in Shenzhen, China.
    Users in China are constantly complaining that their Citrix and VPN
    connections to our office are extremely slow. I know from testing that
    when they report slow connectivity I am able to access Citrix and VPN
    at fast speeds, so I know the issue is not with our circuit or
    hardware.

    I have found from running traceroutes in LA and China that the
    connection slows to a crawl when it gets to Asia. I believe on the
    China side once the route hits Hong Kong it slows down tremendously.

    My question is if this is the expected performance for connectivity
    between the US and China? I know that the Chinese government filters
    all traffic, is this the cause of the slow down? If anyone out there
    has such connections between the US and China I would like to know if
    you experience the same issues. If not, what kind of solution do you
    have in place? I am planning on implementing a site to site VPN with a
    Cisco PIX 515 in LA and a Cisco 5505 in China.

    TIA

    PT

  2. Re: slow access with China

    phil7269@gmail.com wrote:

    > I have found from running traceroutes in LA and China that the
    > connection slows to a crawl when it gets to Asia. I believe on the
    > China side once the route hits Hong Kong it slows down tremendously.

    If the traceroute slows down, I doubt there is any filtering going on.
    ICMP is not of interest for any filtering software (yes, you could hide
    alternative traffic in it, but that would be overkill); HTTP, FTP, SMTP
    are interesting for nosy governments.

    I assume the answer is simple: they have a slow ISP connection at your
    site (56k analog modem?). Check that out first.

    Then a site2site tunnel would not be of any help.
    Upgrade your connection.

    (Still, there could be a bottleneck somewhere before your site.)

    M


  3. Re: slow access with China

    >We have our corp HQ in Los Angeles and an office in Shenzhen China.
    >Users in China are constantly complaining that their Citrix and VPN
    >connections to our office are extremely slow. I know from testing that
    >when they report slow connectivity I am able to access Citrix and VPN
    >at fast speeds, so I know the issue is not with our circuit or
    >hardware.


    This could be anything from a desktop issue to misconfigured
    routers/switches/firewalls. What I would do is get a PC in
    China running VNC (or some other remote access software) and
    look at the problem from their perspective.

    But China is the other side of the world from L.A. and
    you may just be up against latency and bandwidth. We don't
    have enough info here. I would start by doing some benchmarks
    (iperf is good & free) and looking at all the interfaces of
    any equipment (duplex mismatch will cause poor performance).

    >I have found from running traceroutes in LA and China that the
    >connection slows to a crawl when it gets to Asia. I believe on the
    >China side once the route hits Hong Kong it slows down tremendously.

    Log in to your routers and see if there are errors.

    >My question is if this is the expected performance for connectivity
    >between the US and China? I know that the Chinese government filters


    200-250ms is typical latency. A site-to-site VPN won't fix
    this.

    alan


  4. Re: slow access with China


    X-No-Archive: Yes

    wrote in message
    news:e16deff2-2a42-43ed-a1cd-32bfada61ec3@k1g2000prb.googlegroups.com...


    > My question is if this is the expected performance for connectivity
    > between the US and China? I know that the Chinese government filters
    > all traffic, is this the cause of the slow down? If anyone out there

    I doubt it. If you are using a VPN network, the Chinese
    government cannot analyse, crack, monitor, or sniff your
    connection. Anything on VPN cannot be monitored by
    the local authorities, because it is encrypted.

    I know from my experience of having gone to China
    to broadcast the Winter Asian Games, back in 2007,
    on my radio station. I used a VPN, so the local authorities
    could not eavesdrop on the connection.



  5. Re: slow access with China

    On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:

    > I doubt it. If you are using a VPN network, the Chinese
    > government cannot analyse, crack, monitor, or sniff your
    > connection. Anything on VPN cannot be monitored by
    > the local authorities, because it is encrypted.

    That they can't read it does not mean they don't filter. Every filter slows
    traffic down and if there is enough traffic ....

    cya

  6. Re: slow access with China

    Burkhard Ott wrote:
    > On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:
    >> I doubt it. If you are using a VPN network, the Chinese government
    >> cannot analyse, crack, monitor, or sniff your connection. Anything on
    >> VPN cannot be monitored by the local authorities, because it is
    >> encrypted.
    >
    > That they can't read it does not mean they don't filter. Every filter slows
    > traffic down and if there is enough traffic ....


    It has been explained to him repeatedly that even though the contents
    of an encrypted connection can't be read the connection itself can very
    well be identified and filtered. He just chooses to ignore that. Don't
    feed the idiot.

    cu
    59cobalt

    P.S.: Role mailboxes like postmaster@ exist for well-defined purposes.
    Please don't mis-use them for anything else.
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  7. Re: slow access with China

    On 2008-04-29 00:36:58 -0400, phil7269@gmail.com said:

    > My question is if this is the expected performance for connectivity
    > between the US and China? I know that the Chinese government filters

    There might be some general network performance issues, which you
    should examine through trace analysis to see if this is network malaise
    and something client-fixable or it's really slow performance through
    the ISP; it's worth the look.

    I can confirm that the Chinese do filter and analyze traffic; I've
    experienced this in the 2000s in travel there, where, when using
    standard ports for protocols like HTTP (80/tcp) and IM communication, my
    services disconnected and slowed down to a crawl. Trace analysis of my
    own socket communication definitely showed that I was being
    transparently proxied and also filtered by making a connection through
    to a host in another country where I could see the "results" of the
    communication, which showed invalid values for TCP windowing and TTL
    values that proved a new socket connection was being made on behalf of
    my host's original request (not even close to the correct hop-count or
    TCP personality of my host).

    Once I switched to use a secured tunnel, my performance actually
    *improved*. While I don't know the legality of this, some potential
    fixes are:

    - Change your infrastructure to use non-standard port connections for
    Citrix and any other application, or rotate the TCP/UDP ports used on a
    regular basis to keep "hopping around".

    - Encrypt everything with some QoS applied to preserve some semblance
    of performance. The Open Source OpenVPN package is quite good for this,
    and it's easy to tunnel everything through and change TCP/UDP ports on
    a regular basis.

    - Consider aggregating your Chinese connectivity to a neutral /
    friendlier country nearby such as Japan or Korea so that the RTT /
    latency from an end-point to an end-point is less, and then you can
    take a "bundle" of your connections from China over unfiltered
    bandwidth to wherever your corporate HQ is, potentially avoiding the
    penalty of having both an under-performing filtering system and a
    long-distance pipe both hitting your bandwidth.

    - TCP/IP stacks need performance tuning when operating in special
    conditions like this. Most OS's tune themselves for LAN-type access or
    web-server performance where there are many incoming connections. This
    doesn't suit this connection profile you're mentioning. Along with the
    OpenVPN idea, it may be worth tuning those theoretical VPN boxes with
    TCP/IP stack personalities that handle the long-thin or long-fat lossy
    pipe problem. TCP Hybla, TCP BIC, or TCP CUBIC can help here - they are
    all modifications of how the congestion-avoidance algorithm works in
    TCP/IP.

    Good luck.

    /dmfh

    --
    _ __ _
    __| |_ __ / _| |_ 01100100 01101101
    / _` | ' \| _| ' \ 01100110 01101000
    \__,_|_|_|_|_| |_||_| dmfh(-2)dmfh.cx
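
Added example (not part of the thread): the check post 7 describes, comparing the SYN a client sent with the SYN captured at a far-end host to tell whether a middlebox opened a new connection on the client's behalf. The packet values, the `hop_slack` tolerance and the two-mismatch threshold are assumptions chosen for illustration.

```python
# Added example, not from the thread. All packet values are constructed samples.
from dataclasses import dataclass

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS defaults

@dataclass(frozen=True)
class Syn:
    ttl: int         # IP TTL (as sent, or as seen at the far end)
    window: int      # TCP window advertised in the SYN
    mss: int
    options: tuple   # TCP option kinds in on-the-wire order

def initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed TTL."""
    return next(t for t in COMMON_INITIAL_TTLS if t >= observed)

def compare_syn(sent, received, traceroute_hops, hop_slack=5):
    """List the ways `received` fails to look like `sent` after routing."""
    findings = []
    if initial_ttl(received.ttl) != initial_ttl(sent.ttl):
        findings.append("initial TTL differs: SYN built by another stack")
    else:
        hops = sent.ttl - received.ttl
        if abs(hops - traceroute_hops) > hop_slack:
            findings.append(f"hop count {hops}, traceroute says {traceroute_hops}")
    if received.window != sent.window:
        findings.append("SYN window differs")
    if received.options != sent.options:
        findings.append("TCP option set or order differs")
    # A lower MSS alone is ignored: tunnels and PPPoE routers clamp it routinely.
    return findings

def verdict(findings, threshold=2):
    """Assumed rule: two or more independent mismatches means re-origination."""
    return "re-originated" if len(findings) >= threshold else "end-to-end"

OPTS = ("mss", "nop", "wscale", "nop", "nop", "sackOK")
SENT = Syn(ttl=128, window=65535, mss=1460, options=OPTS)
DIRECT = Syn(ttl=110, window=65535, mss=1380, options=OPTS)
PROXIED = Syn(ttl=58, window=5840, mss=1460,
              options=("mss", "sackOK", "ts", "nop", "wscale"))

if __name__ == "__main__":
    for name, seen in (("direct", DIRECT), ("proxied", PROXIED)):
        found = compare_syn(SENT, seen, traceroute_hops=18)
        print(name, verdict(found), found)
```

A single mismatch (for example a hop count that disagrees with traceroute after a route change) stays below the threshold, which keeps ordinary NAT and path changes from being reported as interception.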


  8. Re: slow access with China

    On Wed, 30 Apr 2008 17:25:01 +0200, Ansgar -59cobalt- Wiechers wrote:


    > P.S.: Role mailboxes like postmaster@ exist for well-defined purposes.
    > Please don't mis-use them for anything else.


    You are right, I changed it.
    Thx for the hint.

  9. Re: slow access with China


    X-No-Archive: Yes


    "Ansgar -59cobalt- Wiechers" wrote in message
    news:fva30dUp1nL1@news.in-ulm.de...
    > Burkhard Ott wrote:
    >> On Wed, 30 Apr 2008 03:17:11 -0700, Chilly8 wrote:
    >>> I doubt it. If you are using a VPN network, the Chinese government
    >>> cannot analyse, crack, monitor, or sniff your connection. Anything on
    >>> VPN cannot be monitored by the local authorities, because it is
    >>> encrypted.
    >>
    >> That they can't read it does not mean they don't filter. Every filter slows
    >> traffic down and if there is enough traffic ....
    >
    > It has been explained to him repeatedly that even though the contents
    > of an encrypted connection can't be read the connection itself can very
    > well be identified and filtered. He just chooses to ignore that. Don't
    > feed the idiot.



    Well, VPN should always be used when connecting a US office to a
    foreign office, because of the fact that changes in the law now allow
    the American authorities to monitor any communications without a
    warrant. If you use VPN, the spooks in Washington cannot analyse
    or monitor your communications.


