I just deployed one Cisco SA540 and three SA520s.
The SA540 is at the Main Site.
The three SA520s are the the spoke sites.
Downstream Speed: 32 Mbps
Upstream Speed: 9.4 Mbps
Downstream Speed: 3.6 Mbps
Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
The SA tunnels are "Established"
I see packets being tranmsitted and received.
Pinging across the tunnel has an average speed of 32 ms (which is good).
DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
It takes about 15 minutes to print across the vpn tunnel.
The remedy this, we have implemented Terminal Services across the Internet.
Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
Logging on to the network takes about 10 minutes over the vpn tunnel.
Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
I have used ASAs before in other implementation without any issues at all.
I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
I just know that my experience with the Cisco TAC has been great for the last 10 years.
My short experience with the Cisco Small Business Support Center has not been as great at all.
I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.
A few of my clients have SA540's and there have been some issues. I have found using the packet trace facility on the diagnostics page (Administration > Diagnostics) is helpful in troubleshooting such issues. You can download Wireshark to examine the trace.
Make sure you have the lastest firmware on the SA540. There is a new release candidate firmware not yet available on the download site, which you can request (ver. 2.1.45).
Thank you Anthony,
I will try both of your recommendations and let you know what I find.
Do you think that replacing the SA540 at the Main Site, with one of my spare SA520s is a viable option to try?
If I were you, I would want to know why the problem exists. If you replace the SA540 and its replacement works better, you won't really know whether you have a failed or a misconfigured SA540. A packet trace should give you enough information to answer that question.
I agree!. My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
But I want to know WHY this is happening too.
I will definitely run a sniffer trace to see what is happening.
Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
1. Upgrade the SA540 at the Main Site to 2.1.45.
2a. For cable connections, use the standard MTU of 1500 bytes.
2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
ping -f -l packetsize
Perform the items below to see if this increases performance:
I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
3a. Lower the IKE encryption algorithm from "AES-128" to DES.
3b. Lower the IKE authentication algorithm to MD5
3c. Also do the above for the VPN Policy
Any input is welcome!
I thought you might be interested to know I replicated your slow performance across a VPN using a SA540 to a WatchGuard firewall. It took more than 15 minutes to login (firmware version 2.1.18. After that first attempt, the next logins moved much faster in line with what you might expect of an older Windows XP computer logging into an AD domain (less than 2 minutes, which is still slow). I haven't spent anytime to find out why the initial login took so long, but I am guessing it had something to do with the loading of the Windows policy and profile.