Beginner

Slow performance through L2L vpn tunnel

Hi

I've set up an L2L tunnel between a frp2140 (running ftd) and a frp2120 (running asa).

internet speed on site frp2140 = 2Gb

internet speed on site frp2120 = 1Gb

Traffic on frp2140 is fastpath in prefilter policy

Cisco IPsec VPN performance numbers:

2140 ~ 3.2Gb (ftd) - I'm running 6.2.3.13

2120 ~ 700Mb (asa) - I'm running 9.6

But when I test with iperf (udp 450b packet size with 20 threads) through the tunnel I get max 300 Mb....WHY...

2140 - testing iperf towards internet (not through vpn tunnel) I get 1-1,5 Gb (traffic is fastpath)

2120 - testing iperf towards internet (not through vpn tunnel) I get 900Mb

Any ideas why my performance is so degraded?

/Henrik

 

VIP Advisor

Re: Slow performance through L2L vpn tunnel

It all depends on how you are testing. Another suggestion is to check with the iperf tool and see what site-to-site speeds you get.

Check the tunnel MTU settings and see if you can tweak them. Again, we need to know how the traffic is intercepted in the FW.

BB
Beginner

Re: Slow performance through L2L vpn tunnel

Hi

Thanks for your reply.

Where do I change the tunnel MTU - we are running asa/ftd?

VIP Advocate

Re: Slow performance through L2L vpn tunnel

Are you using a single SA for the tunnel? I believe there are some limitations on how much data you can send via a single tunnel SA. Try splitting it up into 10 different SAs and send a combined throughput of 1Gbps through all the tunnels.

Also, the ASA OS balances the crypto accelerator resources between IPsec and SSL. So if you want to test IPsec max performance, you will have to set the bias towards IPsec:

crypto engine accelerator-bias ipsec

This command needs to be applied via FlexConfig.

Beginner

Re: Slow performance through L2L vpn tunnel

Hi

Thanks for your reply.

I don't quite understand how splitting SAs will help server-to-server traffic..

/Henrik

Beginner

Re: Slow performance through L2L vpn tunnel

Hi All

I found out that the Firepower 2100 series can perform between 200 ~ 300 Mb per SA, so splitting up the SA is the solution.

Working as designed :-(

/Henrik
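
An added example, not part of the original thread: a simplified Python model of why splitting SAs raises aggregate throughput but does not help a single server-to-server pair. It assumes each crypto ACL entry negotiates its own IPsec SA, that a flow uses the first entry it matches, and that one SA tops out at the 300 Mb figure reported above; all addresses and offered loads are constructed.

```python
import ipaddress
from collections import defaultdict

PER_SA_CAP_MBPS = 300  # upper per-SA figure reported in the thread

def sa_for_flow(crypto_acl, src, dst):
    """Index of the first crypto ACL entry matching the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (local, remote) in enumerate(crypto_acl):
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return idx
    return None

def tunnel_throughput(crypto_acl, flows, cap=PER_SA_CAP_MBPS):
    """flows: (src, dst, offered_mbps). Returns (total_mbps, per_sa_mbps)."""
    offered = defaultdict(float)
    for src, dst, mbps in flows:
        sa = sa_for_flow(crypto_acl, src, dst)
        if sa is not None:  # unmatched traffic never enters the tunnel
            offered[sa] += mbps
    # Every flow on the same SA shares that SA's ceiling.
    per_sa = {sa: min(load, cap) for sa, load in offered.items()}
    return sum(per_sa.values()), per_sa

# Constructed topology: one /24 per site.
SINGLE_ACL = [("10.1.0.0/24", "10.2.0.0/24")]
# Same protected networks, local side split into four /26 entries (four SAs).
SPLIT_ACL = [(str(n), "10.2.0.0/24")
             for n in ipaddress.ip_network("10.1.0.0/24").subnets(new_prefix=26)]

# iperf-style test: 20 threads between ONE host pair, 50 Mb offered each.
ONE_PAIR = [("10.1.0.10", "10.2.0.10", 50)] * 20
# Four senders that fall into different /26 blocks, 250 Mb offered each.
FOUR_HOSTS = [(h, "10.2.0.10", 250)
              for h in ("10.1.0.10", "10.1.0.70", "10.1.0.130", "10.1.0.200")]

if __name__ == "__main__":
    for acl_name, acl in (("single", SINGLE_ACL), ("split", SPLIT_ACL)):
        for flow_name, flows in (("one pair", ONE_PAIR), ("four hosts", FOUR_HOSTS)):
            total, _ = tunnel_throughput(acl, flows)
            print(f"{acl_name:6} ACL, {flow_name:10}: {total:.0f} Mb")
```

In this model the 20-thread test between one host pair stays on a single SA whichever ACL is used, so the aggregate only rises when traffic from different hosts lands on different entries.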