Cato SDP Client Performance Troubleshooting

Overview

Users may experience performance issues while using the Cato SDP Client. This article outlines essential troubleshooting steps to help identify and resolve such issues effectively.

Possible Causes 

Several factors can contribute to degraded performance, making it important to perform initial diagnostics before identifying a root cause. Common contributors include:

• Local network misconfiguration
• ISP-related bandwidth or routing issues
• Instability or latency with the connected PoP
• Unintended connection to a geographically distant PoP
• High system resource usage or third-party software interference

Troubleshooting 

An SDP client depends on the speed of the user's local connection to the Internet. Whatever the speed of the connection is, the SDP client cannot be faster. 

Depending on the region, Cato Client connections may have a maximum throughput. See Supported Throughput for Cato SDP Clients. 

The following steps are recommended to isolate and resolve performance issues with the Cato SDP Client:

1. Compare Performance On and Off Cato

Start by determining if the issue lies with the general internet connection or the SDP tunnel:

1. Run a Speed Test While Connected to Cato:
   • Run a web speed test, preferably Ookla. It's highly recommended that you download the Ookla Speed Test Application instead of using the browser, as different browsers can impact performance.
   • Configure a network rule (on the top of the ruleset) for the speed test website with a high bandwidth priority. Ensure TCP acceleration is disabled.
   • Run the speed test once again and compare the results.
2. Run a Speed Test Without Cato:
   • Disconnect from the SDP Client. If the user is configured with Always-On, the administrator can configure a 15-minute bypass code via CMA.
   • Run a speed test once again to determine the Internet speed. Ensure that the speed test is run against the same server as in the previous step.
     

     Note: Speedtest can run either in multi or single connections. File transfers, like SMB, use a single connection. Hence, you'll probably need to run the speed test with a single connection to get accurate results when troubleshooting bad file transfer performance. 

     

3. Interpret the Results:
   • If the SpeedTest results without Cato Client are bad, try restarting the Internet modem or switching to a different network, such as a mobile hotspot or an ethernet connection.
   • If the SpeedTest results are poor only with Cato, continue with the next steps below.

2. Check Network Analytics

While the SDP Client is connected to Cato, use the Network Analytics page in the CMA to review:

• Distance to the connected PoP
• Packet loss levels

High distance or packet loss often indicates underlying ISP issues or suboptimal routing, both of which can significantly degrade performance.

3. Verify Connected PoP

While connected to the SDP Client, check which PoP location you are connected to by navigating to the Stats section in the Client.

The Name of the PoP indicates its geographic location. For example:

• montcatodxx indicates the Montreal PoP
• nycatodxx would indicate New York, and so on.

Ensuring the client is connected to the nearest PoP can improve performance. Unexpected connection to a distant PoP may result in higher latency and reduced throughput and should be reported to Cato Support.

4. Disable Third-Party Solutions

Temporarily disable any antivirus, firewall, or endpoint security tools. These solutions may inspect or throttle encrypted traffic, adversely affecting SDP performance. This step helps isolate security software as a potential bottleneck.

5. Check the Wireless Connection

If connecting via Wi-Fi, check for poor signal strength and potential interference:

• Check the wireless signal strength. Windows users can run the command netsh wlan show interfaces to display wireless parameters.

• Run a continuous ping to the default gateway to detect packet loss, jitter, or high latency.

• If possible, switch to a wired connection to eliminate interference or weak signals.

6. Monitor Local System Resource Usage

High CPU or memory usage—especially on Windows clients before v5.4—can affect Client performance. Check Task Manager or relevant system monitoring tools to identify any heavy resource usage, especially while running a speed test. See Windows SDP Client Hangs Due To High CPU Utilization

7. Switch the DTLS Port

By default, the Cato SDP Client uses port UDP/443, which some ISPs may block or restrict. You can configure a different UDP port to switch to port UDP/1337 and bypass any ISP-imposed limitations on port UDP/443.

8. Verify DNS Configuration

For optimal performance, the SDP Client's DNS server should be:

• The default Cato DNS Server (recommended)
• Located in the same country as the SDP Client.

Distant DNS servers can harm performance due to slow response to DNS queries and might provide a server IP that isn't in the SDP client region. For more information, see Improving Network Performance for Internal DNS Servers

• For internal DNS server IPs, use the CMA routing table to identify their location.
• For public DNS server IPs, use ip2location. 

9. Use Experience Monitoring (Optional)

For customers with an Experience Monitoring license, we recommend reviewing the specific user performance under the Remote Users or Office Users tab. Look for indicators that may impact connectivity and overall performance:

• High CPU or memory usage
• Weak Wi-Fi signal
• Packet loss or jitter.
• High latency to the user gateway.

Raising Cases to Cato Support

Submit a Support ticket with the results of the above troubleshooting steps. Please include the following information in the ticket:

• Details of the experienced issue and overall impact on users.
  
• Record the issue while replicating poor performance and upload the logs to Cato Support. Include the reference ID in the Support ticket.
• Run a PCAP capture on the Cato adapter using Wireshark while replicating the problem. Include the PCAP file in the ticket.