ASA 5505 Speed Issue - Help Requested if possible

SysEngrNZ
Level 1

Hi All,

I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:

1. Site to Site VPN is up and running perfectly.

2. Client to Site VPNs work through L2TP/IPsec and through mobile devices such as iPhone.

3.     The outside interface is at line speed - approximately 5-6MBits per second.

4. When performing a download of a service pack from Microsoft, the bit rate on the inside interface is approximately 1/3rd of the outside interface (a lot of loss). The interface shows no CRC errors and no input errors.

5. The outside interface shows CRC errors and INPUT errors, but because the line speed is optimal (as the client experienced via their WAN router directly, with the ASA out of the mix), I have not looked into this further. I suspect the device it is directly attached to does not auto-negotiate correctly even though the interface is set to 100Mb Full Duplex.

6. Outside interface MTU is set to 1492, purposely set this way due to PPPoE overhead (approx. 8 bytes). (Please correct me if I am wrong.)

7.     Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.

8.     All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.

Current Environment Traffic Flow:   

1. All hosts on the network have their DNS pointed to external IP addresses currently, as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN, but the internet traffic is routed around the VPN as the traffic is a separate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.

2.     The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.

3.     Memory is stable at roughly 190Mb out of 512Mb

4.     CPU is constant at approximately 12%.

5. WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet. Potential compatibility issue between standards? I'm aware they should be compatible; anybody that has experienced any issues regarding this would be greatly appreciated.

Current Issues:

1.     Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).

2.     Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).

3.     I ping the IP address of the exact same server and the latency is still 400ms.

4. Changing the DC's DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.

5.     I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).

6.     I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.

7.     I flush dns, same issue for 5/6.

8.     I clear xlate on the ASA and the same issue persists.

9. I close the command line, reopen it, and perform the test again. Latency is now back to 40 - 50ms as we would expect for non-VPN traffic.

I am currently out of ideas and would like some advice on what I have actually missed.

Things I suspect that I may need to do:

1.     Upgrade IOS to latest version (Other than that - I'm out of ideas).

***********************************************************************************************************************************************************************

ASA Version 8.2(1)
!
hostname BLAH
enable password x.x.x.x encrypted
passwd x.x.x.x encrypted
names
name x.x.x.x BLAHPC
name 8.8.8.8 Google-DNS description Google-DNS
name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
name 203.96.152.4 TelstraClearPri description TCL-PRI
name 203.96.152.12 TelstraClearSec description TCL-Sec
name x.x.x.x BLAH_Network description BLAH-Internal
name x.x.x.x DC description DC VPN Access
name x.x.x.x Management-Home description Allow RDP Access from home
name x.x.x.x SentDC description BLAHDC
name x.x.x.x Outside-Intf
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
ftp mode passive
clock timezone WFT 12
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server Google-DNS
 name-server Telecom-Alien-Pri
 name-server Telecom-Terminator-Sec
 name-server TelstraClearPri
 name-server TelstraClearSec
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network BLAH-US
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
object-group network x.x.x.x
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
object-group service Management_Access_Secure
 description Management Access - SECURE
 service-object tcp eq https
 service-object tcp eq ssh
 service-object tcp eq 4434
object-group service FileTransfer tcp
 description Allow File Transfer
 port-object eq ftp
 port-object eq ssh
object-group service WebAccess tcp
 description Allow Web Access
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service AD_Access udp
 description Allow Active Directory AD ports - UDP Only
 port-object eq 389
 port-object eq 445
 port-object eq netbios-ns
 port-object eq 636
 port-object eq netbios-dgm
 port-object eq domain
 port-object eq kerberos
object-group network DM_INLINE_NETWORK_2
 group-object x.x.x.x
 group-object x.x.x.x
object-group network DM_INLINE_NETWORK_3
 group-object x.x.x.x
 group-object x.x.x.x
object-group network BLAH_DNS
 description External DNS Servers
 network-object host Telecom-Alien-Pri
 network-object host Telecom-Terminator-Sec
 network-object host TelstraClearSec
 network-object host TelstraClearPri
 network-object host Google-DNS
object-group service AD_Access_TCP tcp
 description Active Directory TCP protocols
 port-object eq 445
 port-object eq ldap
 port-object eq ldaps
 port-object eq netbios-ssn
 port-object eq domain
 port-object eq kerberos
 port-object eq 88
object-group network DM_INLINE_NETWORK_4
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object x.x.x.x 255.255.255.0
 network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 group-object x.x.x.x
 group-object x.x.x.x
object-group network DM_INLINE_NETWORK_1
 group-object x.x.x.x
 group-object x.x.x.x
access-list inside_access_in remark Allow Internal ICMP from BLAH
access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in remark Allow Internal ICMP to BLAH
access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
access-list inside_access_in remark External DNS
access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
access-list inside_access_in remark Allows Web Access
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
access-list inside_access_in remark Allow File Transfer Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging monitor informational
logging buffered notifications
logging trap informational
logging asdm informational
logging class auth monitor informational trap informational asdm informational
mtu inside 1500
mtu outside 1492
ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 BLAH 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable RANDOM PORT
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1428
sysopt connection tcpmss minimum 48
auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
auth-prompt accept Accepted
auth-prompt reject Denied
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname **************
vpdn group pppoex ppp authentication pap
vpdn username ************** password PPPOE PASSPHRASE HERE
dhcpd auto_config outside
!
dhcpd address x.x.x.x/x inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source outside prefer
tftp-server outside x.x.x.x /HOSTNAME
webvpn
group-policy DfltGrpPolicy attributes
 banner value Testing ONE TWO THREE
 vpn-idle-timeout 300
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value outside_cryptomap_65535.1
 user-authentication enable
 nem enable
 address-pools value Remote-Access-DHCP
 webvpn
  svc keepalive none
  svc dpd-interval client none
USER CREDENTIALS HERE
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key SITETOSITE PSK
 peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key CLIENTTOSITE PSK
 peer-id-validate nocheck
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspect_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
: end
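An added example, not code from the post or from Cisco: a small Python audit that parses a constructed excerpt of the sanitized configuration above and flags the settings a reviewer would raise first while the throughput question is being chased: http and ssh management permitted from 0.0.0.0/0 on the outside interface, the `permit ip any any` catch-all on inside_access_in, DES/3DES/MD5 transform sets, and a TCP MSS that would not fit inside the 1492-byte outside MTU (MSS must be at most MTU minus 40 bytes of IPv4 and TCP headers, so 1428 passes).

```python
import re

# Constructed excerpt of the sanitized ASA 8.2(1) config posted above,
# trimmed to the lines the checks below care about.
ASA_CONFIG = """\
ASA Version 8.2(1)
mtu inside 1500
mtu outside 1492
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
http server enable RANDOM PORT
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x x.x.x.x inside
sysopt connection tcpmss 1428
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Legacy ESP algorithms that should no longer appear in a transform-set.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config):
    """Return a list of human-readable findings for an ASA config text."""
    findings = []
    mtu = {}
    tcpmss = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        # Management plane (http/ssh/telnet) reachable from any source address.
        if parts[0] in ("http", "ssh", "telnet") and len(parts) == 4 \
                and parts[1] == "0.0.0.0" and parts[2] == "0.0.0.0":
            findings.append(f"{parts[0]} management open to any host on '{parts[3]}'")
        # A 'permit ip any any' ACE makes every more specific ACE in the list moot.
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            findings.append(f"ACL {m.group(1)} contains 'permit ip any any'")
        m = re.match(r"mtu (\S+) (\d+)$", line)
        if m:
            mtu[m.group(1)] = int(m.group(2))
        m = re.match(r"sysopt connection tcpmss (\d+)$", line)
        if m:
            tcpmss = int(m.group(1))
        # Transform-set lines: name is parts[3], algorithms follow it.
        if line.startswith("crypto ipsec transform-set"):
            weak = WEAK_ESP.intersection(parts[4:])
            if weak:
                findings.append(f"transform-set {parts[3]} uses {sorted(weak)}")
    # MSS must fit in the outside MTU after 20 bytes IPv4 + 20 bytes TCP header.
    if tcpmss is not None and "outside" in mtu and tcpmss > mtu["outside"] - 40:
        findings.append(f"tcpmss {tcpmss} exceeds outside MTU {mtu['outside']} - 40")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("FINDING:", finding)
```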

2 Replies

Pulkit Nagpal
Cisco Employee

Moving to Security Section for faster and better response.

Regards,

Pulkit

Hi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.

Thanks to everybody who looked at this issue.

Andrew
