10-06-2010 08:53 AM - edited 02-21-2020 04:06 AM
We have an office in Asia which is connected to our New York location using l2l IPSec through the internet. They claim that they have guaranteed bandwidth of 2MB with their local ISP. They are using the MRTG application to monitor the bandwidth and it is reporting that only 512K is being utilized on the link. They think it is something with the firewall or it is because of the IPSec. We have the IPSec interface set to auto negotiation and the interface stats do not seem to be anything out of the ordinary. What could it be?
10-06-2010 11:03 AM
It could be drops in the path between the 2 ISP endpoints.
500Kbps for VPN is probably not enough to oversubscribe the ASA. Make sure you are not high CPU ("sh cpu" will show it). And if the device is not high CPU it is probably not due to VPN oversubscription.
Then, in order to see if there is packet loss in the path I would capture packets on the endpoints and try to see if there are packets that leave one endpoint and don't make it to the other. IP ids are unique in the capture, so you can use them to identify the packets.
I hope it helps.
PK
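The capture comparison suggested in the reply above, as an added example that is not part of the original post: it reads two classic pcap captures and lists IPv4 packets seen at the sending endpoint but absent at the receiving one, keyed on source, destination, protocol and IP ID. The addresses and packets are constructed, and it assumes Ethernet-framed captures and no NAT between the capture points.

```python
import struct
from socket import inet_ntoa

def ip_keys(pcap: bytes) -> list:
    """Return (src, dst, proto, ip_id) for each IPv4 packet in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    keys, off = [], 24                 # records follow the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header; EtherType 0x0800 means IPv4
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:34]
        ip_id = struct.unpack("!H", ip[4:6])[0]
        keys.append((inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), ip[9], ip_id))
    return keys

def missing_at_receiver(sent_pcap: bytes, recv_pcap: bytes) -> list:
    """Packets captured at the sender that never appear in the receiver capture."""
    seen = set(ip_keys(recv_pcap))
    return [k for k in ip_keys(sent_pcap) if k not in seen]

# --- constructed sample data (not real traffic) ---
def _pcap(ip_ids):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ip_id in ip_ids:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, 6, 0,
                         bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SENT = _pcap([100, 101, 102, 103])     # capture at the sending endpoint
RECV = _pcap([100, 102])               # capture at the receiving endpoint

if __name__ == "__main__":
    for src, dst, proto, ip_id in missing_at_receiver(SENT, RECV):
        print(f"lost in path: {src} -> {dst} proto={proto} id={ip_id}")
```

The IP ID field is 16 bits and wraps, so compare captures taken over the same short window.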
10-06-2010 11:32 AM
It could be the application. The latency between Asia and New York might be too high to let the TCP frame size ramp up. Try putting some sort of WAN killer behind it and see what your true non-application restricted throughput is.
To your original question: No, there is no bandwidth limitation in IPSEC. Only hardware limitations of the crypto engine, but that only applies when you get into much higher BW numbers. (Unless you have a 2611 which does under 1M of 3DES throughput.)
Another thing you may want to consider is the MTU of the link. Try setting the MTU down to 1360 on the incoming interfaces or ip tcp adjust-mss 1360. This will prevent the applications from over ramping the TCP windows.