Slow connection using Ziti

Hi,

We were looking for an alternative for VPN-connection to our company environment and our supplier installed OpenZiti for us. However, end-users are complaining about very slow connections. Even opening a file of 1MB takes forever on a 1Gbits line.

Would this be an issue of bad installation by the supplier? Or does anyone have an idea why everything would run so slowly?

The Admin Console is hosted by the supplier, and in our network we are running the virtual edge controller.

Currently we recommend users to only enable Ziti on WiFi, and disable it on LAN to ease the pain. Would also be nice if Ziti would detect LAN and only work on WiFi, but I don't think that's possible.

PS. If anyone knows suppliers for Ziti in Belgium, I would also appreciate their details.

Hi @Ruben, welcome to the community and to OpenZiti (and zrok/BrowZer)!

That sounds strange to me. We use Mattermost for our chat app and I send raw files that are 1-100MB routinely (videos/pptx etc) and it's very fast.

I could see this be a problem with an http app though, if one or more urls are incorrectly configured. If that's the case, then there will be timeouts and those might lead to terrible experiences.

Is this with say, ssh or is it with "your internal app"? There are a lot of reasons you might get bad performance, can you give any extra information/details?

The slow speed is mostly an issue when using an SMB share. The supplier has set up like 15 services in total, so it might be an issue with one of them as you say...

I can also see that every service uses host.v1 and intercept.v1 configuration. Is that outdated?

I'm not sure if it's a lot of work to just start from scratch and set everything up myself, but time is a bit limited to get everything sorted out. That's why I also asked for other suppliers using this technology.

Not sure what extra details I should also provide, so if you have anything in mind, feel free to ask.

Ahh SMB. Is the share a 'hostname' looking share \\myserver or is it a FQDN looking share? \\my.server (with a period -- making it a 'fully qualified' name). Oh also, are we talking just Linux here or are we talking Windows? You mention 'users' so I just assumed it was Windows (not Linux) but it could be macOS too :slight_smile:

I admit that I do NOT use SMB shares much. I do feel like somewhere in the back of my mind this was a problem for someone way in the past but nobody has complained about it recently.

I can ask around inside NetFoundry to see if any enterprise customers are using SMB. Some protocols are very sensitive to how you set them up, whether you intercept UDP or not, etc. etc. So every protocol can be different...

One thing you could try just to test... I saw before you wrote: "Currently we recommend users to only enable Ziti on WiFi, and disable it on LAN". I literally never turn my tunneler off. OpenZiti is split-tunnel by design. The only reason you might give users this advice (I'm projecting) is that the shares are identical. Which makes perfect sense, but when you shadow a hostname/fqdn in this way, it can end up complicating things... Long lead up to say, you could try making an intercept that does NOT overlap whatsoever and see how that performs. It'll take the "possible confusion" out of that equation.

Nope. Those are the ones I use every day too. Not outdated.

I mean - it does kind of depend. For me, one or two services, I can set it all up in 10 minutes but I used the software every day and I'm intimate with it so that's not exactly apples to apples. There's a new feature coming out soon that we are going to 'hide' at first that allows you to export/import a whole network that will also help, but it's not released just yet so -- great but not helpful to you right now... :frowning:

Ok, that's probably a lot to read/react to right now so I'll let you follow up. :slight_smile:

Hey Ruben, I will DM you on this.