Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2242
Views
0
Helpful
1
Replies

Asa 5510 Ipsec Tunnel high latency "inside the tunnel" not outside

dmooreami
Level 3
Level 3

‎09-22-2012 06:19 PM - edited ‎02-21-2020 06:21 PM

running asa 5510's using AES-128 with SH and Diffe 5 on both sides or site-2-site Ipsec tunnel. Each Asa is running the 8.2.5(33).  Have a site-to-site Ipsec tunnel setup.  The ping times from asa-a to asa-b over the internet is 35ms, yet inside the tunnel it is around 300ms. WTH?

I used the vpn wizard to set the tunnels. my intresting traffic is a 10.122.20.0/24 to 10.194.20.0/24 subnets on either side. Ping times inside the tunnel as I mentioned are 300ms drop to 40ms and back up to 300ms. The CPU is not being maxed out. Memory isn't being maxed out.

Have never seen this behaviour before. I also noticed that with 8.2.5(33) that I have to add indivudual endpoints to the NAT0 for some reason or I get "portmap translation errors" form hosts that are in the 10.122.20.x/24 range, what is up with that. 

Normally I run 8.0.5 code. But on these firewally decided on the 8.2 track because I needed the "netflow" ability of 8.2.x. 

Any ideas? Opening up a TAC ticket on Monday.

Thanks.

1 person had this problem
Labels:
0 Helpful
1 Reply 1

dmooreami
Level 3
Level 3

‎09-23-2012 12:22 PM

Think I have have fixed this latency by putting in an "ip verify reverse-path interface inside" on both side of the ipsec tunnel.  Only one side had it.

Will update as get this fixed. problem now is a "reverse nat failure" with my site-to-site tunnel.

0 Helpful
Customers Also Viewed These Support Documents