Direct Access Performance Issues

A customer experienced performance issues on their Direct Access solution the other day. I started troubleshooting the issue. I checked firewalls, antivirus, network adapters and other stuff on both the Direct Access Server and the Direct Access Client. Still, the transfer rate was limited to 355KB/s.

We have only activated IPHTTPS because the customer is using Direct Access only on Windows 10 clients (allowing NULL encryption for SSL). Teredo and 6to4 are disabled on the clients to prevent timeouts and other problems with these.

As a final measure, I installed Microsoft Network Monitor 3.4 (because Wireshark will not see the iphttpsinterface), and started capturing packets. I noticed a great deal of fragmentation on the traffic between iphttpsinterface and the “6to4 Adapter” on the Direct Access Server. I then decided to try transferring files from an IPv6-enabled corporate resource. Suddenly the transfer rate was approximately three times faster (1MB/s as opposed to being capped at 355KB/s)!

I tried playing with the MTU on both the Direct Access Client and the iphttpsinterface / “6to4 Adapter” on the Direct Access Server, and could tweak the traffic so it was almost the same as for the corporate IPv6 resource (the default MTU is 1280 on iphttps and 6to4). When I changed the MTU on the aforementioned adapters to 1328 or more, the transfer rate would sometimes reach 1MB/s. This is not an ideal solution, because I do not want to change the MTU for all the customer's Direct Access Clients… Source for IPSec MSS and MTU: http://packetpushers.net/ipsec-bandwidth-overhead-using-aes/
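One way to repeat the MTU test described above on a single machine, as an added PowerShell example that is not from the original post. It assumes the interface aliases are exactly `iphttpsinterface` and `6to4 Adapter` as named in the post, and it writes only to the active store, so the change does not survive a reboot.

```powershell
# Added example, not the author's script. Aliases and the 1328 value come from the post;
# adjust -Alias if your interface names differ. Run elevated.
param(
    [string[]]$Alias   = @('iphttpsinterface', '6to4 Adapter'),
    [uint32]  $TestMtu = 1328,
    [switch]  $Apply            # without -Apply the script only reports
)

function Get-DaMtu {
    param([string[]]$Alias)
    foreach ($name in $Alias) {
        $nic = Get-NetIPInterface -InterfaceAlias $name -AddressFamily IPv6 `
                                  -ErrorAction SilentlyContinue
        if (-not $nic) { Write-Warning "Interface '$name' not found"; continue }
        [pscustomobject]@{
            Alias = $nic.InterfaceAlias
            Index = $nic.ifIndex
            Mtu   = $nic.NlMtu      # IPv6 link MTU in bytes (1280 by default per the post)
        }
    }
}

$before = @(Get-DaMtu -Alias $Alias)
$before | Format-Table -AutoSize

if ($Apply) {
    foreach ($entry in $before) {
        # ActiveStore only: nothing is written to the persistent configuration.
        Set-NetIPInterface -InterfaceIndex $entry.Index -AddressFamily IPv6 `
                           -NlMtuBytes $TestMtu -PolicyStore ActiveStore
    }
    Get-DaMtu -Alias $Alias | Format-Table -AutoSize

    # Print the exact commands that restore the values recorded before the change.
    foreach ($entry in $before) {
        "Revert: Set-NetIPInterface -InterfaceIndex $($entry.Index) -AddressFamily IPv6 " +
        "-NlMtuBytes $($entry.Mtu) -PolicyStore ActiveStore"
    }
}
```

Run it once without `-Apply` to record the current values, then with `-Apply` while a file copy is in progress to compare transfer rates.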

Bottom line: It looks like transfer rates from corporate IPv4 resources to Direct Access Clients (e.g. copying a file from a file share to the client, initiated from the client) will sometimes be capped at 355KB/s (literally maximum 355KB/s, no more, no less).

If this is not the issue for you, try checking if there is a firewall between your Direct Access Server and the internet with Deep Packet Inspection enabled. The firewall will not be able to inspect the packets, and this can cause performance issues.