I've set up an L2L tunnel between a frp2140 (running FTD) and a frp2120 (running ASA).
internet speed on site frp2140 = 2Gb
internet speed on site frp2120 = 1Gb
Traffic on frp2140 is fastpath in the prefilter policy
Cisco IPsec VPN performance numbers:
2140 ~ 3.2Gb (FTD) - I'm running 18.104.22.168
2120 ~ 700Mb (ASA) - I'm running 9.6
But when I test with iperf (UDP, 450b packet size with 20 threads) through the tunnel I get max 300 Mb....WHY...
2140 - testing iperf towards the internet (not through the VPN tunnel) I get 1-1,5 Gb (traffic is fastpath)
2120 - testing iperf towards the internet (not through the VPN tunnel) I get 900Mb
Any ideas why my performance is so degraded?
It all depends on how you are testing. Another suggestion is to check with the iperf tool and see what site-to-site speeds you get.
Check the tunnel MTU settings and see if you can tweak them. Again, we need to know how the traffic is being intercepted in the FW.
Are you using a single SA for the tunnel? I believe there are some limitations on how much data you can send via a single tunnel SA. Try splitting it up into 10 different SAs and send a combined throughput of 1Gbps through all the tunnels.
Also, the ASA OS balances the crypto accelerator resources between IPsec and SSL. So if you want to test IPsec max performance, you will have to set the bias towards IPsec:
crypto engine accelerator-bias ipsec
This command needs to be applied via Flexconfig.
I found out that the Firepower 2100 series can perform between 200 ~ 300 Mb per SA - so splitting up the SA is the solution.
Working as designed :-(
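The SA split suggested in the thread, sketched for the ASA side (the 2120) as an added example that is not taken from any poster's configuration. The ACL name, crypto map name and sequence number, subnets and peer address are all constructed placeholders.

```text
! Constructed example: every name and address below is a placeholder.
!
! Single-SA layout: one wide ACE in the crypto ACL. The ASA negotiates one
! pair of IPsec SAs per ACE, so all tunnel traffic shares a single SA pair.
access-list L2L-ACL extended permit ip 10.20.0.0 255.255.0.0 10.40.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-ACL

! Split layout: replace the wide ACE with several narrower ones.
! Each ACE gets its own SA pair once matching traffic brings it up.
no access-list L2L-ACL extended permit ip 10.20.0.0 255.255.0.0 10.40.0.0 255.255.0.0
access-list L2L-ACL extended permit ip 10.20.0.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list L2L-ACL extended permit ip 10.20.1.0 255.255.255.0 10.40.1.0 255.255.255.0
access-list L2L-ACL extended permit ip 10.20.2.0 255.255.255.0 10.40.2.0 255.255.255.0
access-list L2L-ACL extended permit ip 10.20.3.0 255.255.255.0 10.40.3.0 255.255.255.0

! Check how many SA pairs are up and how packets are spread across them
! (one "local ident / remote ident" block per ACE that has seen traffic).
show crypto ipsec sa peer 203.0.113.10
```

The protected networks on the FTD peer have to mirror the same split, and the iperf streams have to be spread across the subnet pairs; 20 threads between two hosts in one pair still ride a single SA.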