6179 Views | 5 Helpful | 10 Replies

Slow performance through L2L vpn tunnel

henrikj (Level 1)

Hi

I've set up an L2L tunnel between a frp2140 (running FTD) and a frp2120 (running ASA).

Internet speed on site frp2140 = 2Gb

Internet speed on site frp2120 = 1Gb

Traffic on frp2140 is fastpathed in the prefilter policy

 

Cisco IPsec VPN performance numbers:

2140 ~ 3.2Gb (FTD) - I'm running 6.2.3.13

2120 ~ 700Mb (ASA) - I'm running 9.6

But when I test with iperf (UDP, 450-byte packet size, 20 threads) through the tunnel I get max 300 Mb.... WHY...

2140 - testing iperf towards the internet (not through the VPN tunnel) I get 1-1.5 Gb (traffic is fastpathed)

2120 - testing iperf towards the internet (not through the VPN tunnel) I get 900Mb

 

Any ideas why my performance is so degraded?

 

/Henrik

 

1 Accepted Solution

Hi

Thanks for your reply.

I don't quite understand how splitting SAs will help server-to-server traffic..

/Henrik


10 Replies

balaji.bandi (Hall of Fame)

It all depends on how you are testing; another suggestion is to check with the iperf tool and see what site-to-site speeds you get.

Check the tunnel MTU settings and see if you can tweak them; again, we need to know how the traffic is being intercepted in the FW.


BB


Hi

Thanks for your reply.

Where do I change the tunnel MTU? We are running ASA/FTD.

Rahul Govindan (VIP Alumni)

Are you using a single SA for the tunnel? I believe there are some limitations on how much data you can send via a single tunnel SA. Try splitting it up into 10 different SAs and send a combined throughput of 1Gbps through all the tunnels.

 

Also, the ASA OS balances the crypto accelerator resources between IPsec and SSL. So if you want to test IPsec max performance, you will have to set the bias towards IPsec:

 

crypto engine accelerator-bias ipsec

 

This command needs to be applied via FlexConfig.

Hi

Thanks for your reply.

I don't quite understand how splitting SAs will help server-to-server traffic..

/Henrik

Hi All

I found out that the Firepower 2100 series can perform between 200 ~ 300 Mb per SA, so splitting up the SAs is the solution.

Working as designed :-(

 

/Henrik

Hi @henrikj 

 

Can you please let me know how you split the SA on FTD?

Hi @motasemalazzeh 

In your ACL defining the VPN interesting traffic, if you have a network such as 192.168.8.0/22 you could split that up into 2 x /23 or 4 x /24 networks, thus when the VPN is established this will create multiple SAs.

 

HTH
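The split described in the reply above, worked through as an added example (this is not code from the thread or from Cisco): given a per-SA ceiling such as the 200-300 Mb figure quoted in this thread and a target throughput, it computes how many equal subnets the interesting-traffic network must be cut into, splits it, and emits one ASA-style crypto ACL entry per subnet. The ACL name `VPN-ACL`, the local network 192.168.8.0/22 (taken from the reply) and the remote network 10.0.0.0/24 are constructed sample values. Each ACE, once traffic matches it, negotiates its own IPsec SA pair, which is what spreads the load across SAs.

```python
import ipaddress
import math


def subnets_needed(target_mbps: float, per_sa_mbps: float) -> int:
    """Number of SAs (and therefore subnets/ACEs) needed so that
    target_mbps can be carried when each SA tops out at per_sa_mbps."""
    if per_sa_mbps <= 0:
        raise ValueError("per-SA throughput must be positive")
    return max(1, math.ceil(target_mbps / per_sa_mbps))


def prefix_for_subnet_count(network: str, count: int) -> int:
    """Smallest prefix length that splits `network` into at least `count`
    equal subnets (subnet counts are powers of two, so 3 rounds up to 4)."""
    net = ipaddress.ip_network(network, strict=True)
    extra_bits = math.ceil(math.log2(count)) if count > 1 else 0
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{network} cannot be split into {count} subnets")
    return new_prefix


def split_for_sas(network: str, new_prefix: int) -> list[str]:
    """Split the interesting-traffic network into equal subnets, one per SA."""
    net = ipaddress.ip_network(network, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the original")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def crypto_acl_lines(acl_name: str, local_net: str, remote_net: str,
                     new_prefix: int) -> list[str]:
    """Emit one ASA-style extended ACE per local subnet.
    The peer's crypto ACL must mirror these entries (remote/local swapped)
    or the proxy identities will not match during IKE negotiation."""
    remote = ipaddress.ip_network(remote_net, strict=True)
    lines = []
    for sub in split_for_sas(local_net, new_prefix):
        local = ipaddress.ip_network(sub)
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample: ~300 Mb per SA (figure quoted in the thread),
    # 1 Gb target, local /22 from the reply, hypothetical remote /24.
    count = subnets_needed(1000, 300)                        # 4 SAs
    prefix = prefix_for_subnet_count("192.168.8.0/22", count)  # /24
    for ace in crypto_acl_lines("VPN-ACL", "192.168.8.0/22",
                                "10.0.0.0/24", prefix):
        print(ace)
```

On FTD managed by FMC the same effect comes from listing the individual subnets as the protected networks of the site-to-site topology instead of the aggregate. Every extra ACE is an extra SA pair to rekey and to account for in `show crypto ipsec sa`, so split only as far as the throughput target requires.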

Can someone please share the documentation on the Cisco 2100 FTD series only being able to perform between 200 ~ 300 Mb per SA?

Hi, can you please publish where you found it out??? Links please

KevinKevin77455 (Level 1)

See:

IPsec bandwidth limitations Firepower 2140
