ASA 5506-X site-to-site link slow

mmzzaq
Level 1

Hi,

 

Recently I have set up a site-to-site VPN link between an ASA 5506-X and a Meraki MX64. The link is pretty stable but the transfer speeds between sites are too slow. When I copy a large 4,7GB file in either direction with Windows Explorer (SMB traffic), the speed is around 24 Mb/s (3 MB/s). The same goes for FTP traffic in either direction. When I disable the site-to-site link and set up a dial-in VPN connection with a Windows client on site A and a Windows VPN server on site B, the transfer speeds are around 80 Mb/s (10 MB/s). Both internet connections on site A and site B are rated 100/100 Mb/s. I have verified these speeds with independent speed tests where they show around 93/93 Mb/s. According to the product specs of both gateways, they should be able to do 100 Mb/s VPN throughput.

 

As for troubleshooting, among other things I have adjusted the MTU size on both ends to around 1380 but that didn't make a difference. I've also been on the phone with Meraki and Cisco for literally hours and hours but they were unable to find the problem. Does anyone know what the issue might be? I'm suspecting either one of the devices not being able to work such a VPN throughput but I want to rule out configuration issues.

 

ASA #show run is attached to the bottom of this post (attachment). Also, here's my network diagram:

large.png

 

 

siteagw1# show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :      1 :          4 :           1
  IKEv1 IPsec                :      1 :          4 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      4
Device Total VPN Capacity    :     50
Device Load                  :     2%
---------------------------------------------------------------------------
siteagw1# show crypto ikev1 sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 222.222.222.222
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

 

1 Reply

GioGonza
Level 4

Hello @mmzzaq

 

I would say you need to try placing some captures on every device in the path for this traffic at the same time. My recommendation is to place Wireshark on the machines and captures on the inside interfaces of the ASA in order to check the reason for the slowness and then see where in the path it is present.

 

If you can upload them, I can review them. 

 

HTH

Gio
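
One way to compare two simultaneous captures of the same transfer, as suggested in the reply above (an added example, not part of the original thread). It assumes each capture was exported to lines of "time, relative TCP sequence number, payload length" for a single TCP flow with unchanged segment boundaries; the sample data and all names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data, one line per TCP segment: "<epoch> <relative seq> <len>".
# CAP_SITE_A: capture on the sender side (for example the ASA inside interface at site A).
CAP_SITE_A = """\
0.000 1 1340
0.001 1341 1340
0.002 2681 1340
0.003 4021 1340
0.250 1341 1340
0.260 4021 1340
"""
# CAP_SITE_B: capture taken at the same time on the receiver side (site B).
CAP_SITE_B = """\
0.020 1 1340
0.022 2681 1340
0.023 4021 1340
0.270 1341 1340
0.280 4021 1340
"""

def parse(text):
    """Return (time, seq, length) tuples, skipping pure ACKs (length 0)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, seq, length = line.split()
        if int(length) > 0:
            rows.append((float(t), int(seq), int(length)))
    return rows

def localize(sender_side, receiver_side):
    """Compare one flow seen at two capture points and classify retransmissions."""
    sent = Counter(seq for _, seq, _ in sender_side)
    seen = Counter(seq for _, seq, _ in receiver_side)
    return {
        # Sent more than once at the sender-side capture point.
        "retransmitted": sorted(s for s, n in sent.items() if n > 1),
        # Fewer copies arrived than were sent: dropped between the two capture points.
        "dropped_between_captures": sorted(s for s, n in sent.items() if seen[s] < n),
        # Every copy arrived, so the forward path did not lose it; check ACK path or delay.
        "retransmitted_without_forward_loss": sorted(
            s for s, n in sent.items() if n > 1 and seen[s] >= n),
    }

if __name__ == "__main__":
    for key, seqs in localize(parse(CAP_SITE_A), parse(CAP_SITE_B)).items():
        print(f"{key}: {seqs}")
```

Relative sequence numbers matter here because the absolute values can differ on either side of a firewall that rewrites initial sequence numbers.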