Poor site-to-site VPN performance

alex.long
Level 1

I am having poor performance through an IPSec VPN between two Cisco ASA 5505s.  In researching, I found some discussion about setting the MTU for the VPN.  So from one side of the VPN tunnel, I tried pinging a host on the other side specifying the Don't Fragment flag and testing different packet sizes.  I found that a size of 1398 is the largest packet size that results in a successful ping.

So, I also understand that I should be able to set the MTU to 1426 (1398 + 28 bytes for the IP and ICMP headers).  What I'm not 100% clear on is where all I need to set this.  Do I set the MTU for the outside interface of the ASA that the VPN tunnel is going through, or do I also need to set the MTU for the inside interface, or on the outside interface and the switch port that the interface is connected to (switch port is set to an MTU of 1500 as well)?

My thoughts are that only the outside interface of each ASA needs the lower MTU (currently set at the default of 1500).  Could someone give me some guidance on this?

2 Replies

Mohamed Sobair
Level 7

Hello,

This is because IPSec adds additional headers to the original packets. If ping is allowed and you examine such performance, I would recommend decreasing the MTU size of the outside ASA interface to at least 1392. This value is not arbitrary; following is the breakdown of the additional headers:

1. ESP header: 56 bytes
2. AH: 24 bytes
3. NAT-T (IPsec over UDP): 8 bytes
4. IP header: 20 bytes

Total = 108

1500 (default MTU) - 108 = 1392

Note that if you are using IPsec over TCP, you should subtract 20 bytes instead of 8, so the MTU size would be 1380, and this is the optimal size.

You can change the MTU size of the ASA outside interface by issuing the following command in config mode:

mtu Outside 1380

Regards,

Mohamed
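The two pieces of arithmetic in this thread, the question's "largest DF ping that gets through, plus 28" and the reply's "1500 minus the encapsulation headers", are easy to get wrong by hand, so here is a small worked example. It is added to this page and is not code from either poster or from Cisco. The probe is a constructed simulation of a DF-marked ping against an assumed path MTU (no packets are sent), and the header sizes used as defaults are simply the figures given in the reply above; the real ESP overhead depends on the cipher, IV, padding and ICV in use, which is exactly why measuring with DF pings, as the question does, is the reliable check.

```python
"""Added example: path-MTU probing by DF ping, and IPsec overhead arithmetic.

Not from the original thread. The probe below is a constructed simulation;
on a real ASA you would run DF-marked pings of varying size instead.
"""
from typing import Callable, Dict

IP_HEADER = 20     # IPv4 header, no options
ICMP_HEADER = 8    # ICMP echo header
PING_OVERHEAD = IP_HEADER + ICMP_HEADER  # the "+ 28 bytes" from the question

# Header sizes exactly as listed in the reply above (illustrative, not measured).
REPLY_OVERHEAD_NAT_T_UDP: Dict[str, int] = {
    "ESP header": 56,
    "AH": 24,
    "NAT-T (IPsec over UDP)": 8,
    "outer IP header": 20,
}
# The reply's IPsec-over-TCP variant: a 20-byte TCP header replaces the 8-byte UDP one.
REPLY_OVERHEAD_TCP: Dict[str, int] = dict(REPLY_OVERHEAD_NAT_T_UDP)
REPLY_OVERHEAD_TCP.pop("NAT-T (IPsec over UDP)")
REPLY_OVERHEAD_TCP["IPsec over TCP"] = 20


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload size for which probe(size) succeeds.

    probe(size) models a DF-marked ping with that payload size and returns True
    if it gets through, False if it would need fragmentation. Assumes the usual
    monotonic behaviour: once a size fails, every larger size fails too.
    hi=1472 is the largest payload that fits a 1500-byte MTU without IPsec.
    """
    if not probe(lo):
        raise ValueError("even the smallest probe failed; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1      # mid is too big
    return lo


def payload_to_mtu(payload: int) -> int:
    """Convert a successful DF ping payload size to the path MTU it implies."""
    return payload + PING_OVERHEAD


def make_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed simulation of a DF ping across a path with the given MTU."""
    return lambda payload: payload + PING_OVERHEAD <= path_mtu


def ipsec_overhead(components: Dict[str, int]) -> int:
    """Total encapsulation overhead for a given set of header components."""
    return sum(components.values())


def tunnel_mtu(interface_mtu: int, components: Dict[str, int]) -> int:
    """MTU left for the inner packet once the listed headers are added."""
    return interface_mtu - ipsec_overhead(components)


def observed_overhead(interface_mtu: int, measured_path_mtu: int) -> int:
    """Overhead actually seen on the path, from a DF-ping measurement."""
    return interface_mtu - measured_path_mtu


if __name__ == "__main__":
    # Reproduce the question: assumed path MTU of 1426 through the tunnel.
    payload = largest_unfragmented_payload(make_probe(1426))
    print(f"largest DF ping payload: {payload} -> path MTU {payload_to_mtu(payload)}")
    # Reproduce the reply's arithmetic.
    print("reply's NAT-T/UDP figure:", tunnel_mtu(1500, REPLY_OVERHEAD_NAT_T_UDP))
    print("reply's IPsec-over-TCP figure:", tunnel_mtu(1500, REPLY_OVERHEAD_TCP))
    print("overhead the question actually measured:", observed_overhead(1500, 1426))
```

Running the block reproduces the question's 1398 / 1426 result and the reply's 1392 and 1380 figures side by side, and the last line shows why the two disagree: the measured overhead on the questioner's path was 74 bytes, not 108, so a fixed header table is a starting point and the DF-ping measurement is what should drive the configured value.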

William Reed
Level 1

Did you ever get your problem fixed? I am having similar issues.
