https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795885#M493358 <HTML><HEAD></HEAD><BODY><P>Mainly on the ASA... </P><P></P><P>Do you use this VPN connection to go to the internet? </P><P></P><P></P><P>Mike </P></BODY></HTML> Tue, 15 Nov 2011 02:50:15 GMT Maykol Rojas 2011-11-15T02:50:15Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795882#M493355 <P>We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of througput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself as I can connect to VPN from the LAN and the througput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff setup as I should. I even went through these steps as recommended by Cisco. </P><P></P><P>hostname(config)# class-map pptp-port</P><P>hostname(config-cmap)# match port tcp eq 1723</P><P>hostname(config-cmap)# exit</P><P>hostname(config)# policy-map pptp_policy</P><P>hostname(config-pmap)# class pptp-port</P><P>hostname(config-pmap-c)# inspect pptp</P><P>hostname(config-pmap-c)# exit</P><P>hostname(config)# service-policy pptp_policy interface outside</P><P></P><P>Any insight is appreciated.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 21:50:22 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795882#M493355 mabouchard 2019-03-11T21:50:22Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795883#M493356 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Are you getting the same low throughput for regular connections across the ASA? If this is only happening when using PPTP, it may suggest a problem with MTU (cuz of the overhead that GRE causes to the packets). </P><P></P><P>Let me know. </P><P></P><P>Mike </P></BODY></HTML> Tue, 15 Nov 2011 01:10:44 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795883#M493356 Maykol Rojas 2011-11-15T01:10:44Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795884#M493357 <HTML><HEAD></HEAD><BODY><P> The throughput on the firewall seems to be fine. I have not tested it by just NATing a public address to private but doing bandwidth testing we are getting ~70MB on a 100MB pipe. When you are referring to MTU are you talking about on the firewall or on the RRAS server, or both?</P></BODY></HTML> Tue, 15 Nov 2011 01:15:31 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795884#M493357 mabouchard 2011-11-15T01:15:31Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795885#M493358 <HTML><HEAD></HEAD><BODY><P>Mainly on the ASA... </P><P></P><P>Do you use this VPN connection to go to the internet? </P><P></P><P></P><P>Mike </P></BODY></HTML> Tue, 15 Nov 2011 02:50:15 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795885#M493358 Maykol Rojas 2011-11-15T02:50:15Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795886#M493359 <HTML><HEAD></HEAD><BODY><P> Yes,</P><P> It is our main Internet firewall and also used for client VPN access. I have read that RRAS has some dynamic MTU negotiation that can supposedly be set to not do the negotiation but not sure if that will help.</P></BODY></HTML> Tue, 15 Nov 2011 02:55:19 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795886#M493359 mabouchard 2011-11-15T02:55:19Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795887#M493361 <HTML><HEAD></HEAD><BODY><P>What I am concern about is the Overhead that NAT and GRE can cause to the packets, hence making the packet to big and the firewall has to fragment it.... Have you changed the MTU on the ASA? Can you run a capture inside and outside of the firewall to see how big the packets are? </P><P></P><P>Mike </P></BODY></HTML> Tue, 15 Nov 2011 03:19:01 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795887#M493361 Maykol Rojas 2011-11-15T03:19:01Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795888#M493363 <HTML><HEAD></HEAD><BODY><P> I verified that MTU on the outside interface of the ASA was 1500. I will need to look at doing a packet capture. From what I understand 1500 is as high as you can go on a 5520? What would a solution be if they were larger than that?</P></BODY></HTML> Tue, 15 Nov 2011 04:04:01 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795888#M493363 mabouchard 2011-11-15T04:04:01Z https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795889#M493364 <HTML><HEAD></HEAD><BODY><P>I dont really think they would be... The captures need to be on both interfaces... inside and outside, here is an example. Here is the link on how to configure the captures...</P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-1222">https://supportforums.cisco.com/docs/DOC-1222</A></P><P></P><P>Mike </P></BODY></HTML> Tue, 15 Nov 2011 05:05:13 GMT https://community.cisco.com/t5/network-security/pptp-performance-through-asa5520-very-poor/m-p/1795889#M493364 Maykol Rojas 2011-11-15T05:05:13Z