cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5880
Views
0
Helpful
6
Replies

ASA Site-to-Site VPN - Poor Performance

rgeist554
Level 1
Level 1

Hello,

I've got two sites using ASA 5505's connected with an IPsec tunnel.

Site 1 has a 50Mb symmetrical pipe

Site 2 has a 45Mb symmetrical pipe

Site 1 has normal access speeds and contains all of the servers, etc.

Site 2 accesses all of the resources from Site 1

My Problem:

Site 2 gets a maximum of 4Mbs throughput through every single test I've thrown at it. No matter what I change, I can't seem to get normal performance of 45Mb/s.

If I disable the VPN, then I get the full 45Mb/s speed from Site 2 to the internet.

What I've done so far:

I've set the MTU on the outside interface of each ASA to be anywhere from 1300-1380 as suggested in some Cisco documents. I've also adjusted the TCP-MSS value from 1300-1380 and this made the connection so slow that my users all complained that they were unable to work.

If I run a test for fragmentation (Ex. "ping -f -l 1380 <site2>") I get fragmentation messages until I reduce the packet size to 1280 or below, but I don't want to set my MTU values on the ASA that low because I don't know the repercussions.

Does anyone have any advice on what to do next?                   

6 Replies 6

Santhosha Shetty
Cisco Employee
Cisco Employee

Hi ,

Where are you doing these PING tests to determine MAX MTU along the path?  Are you doing these tests over vpn tunnel or internet?

You can try following deal with fragmentation:

>>crypto ipsec fragementation before-encryption

>>crypto ipsec df-bit clear-df outside

The DF bit with IPSec tunnels feature lets you specify whether the security appliance can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether a device is allowed to fragment a packet.

Use the crypto ipsec df-bit command in global configuration mode to configure the security appliance to specify the DF bit in an encapsulated header.

When you encapsulate tunnel mode IPSec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also this setting is appropriate if you do not know the available MTU size.




What throughpt do you see for internet traffic?

Thanks,

Santhosh Shetty


rgeist554
Level 1
Level 1

I did the ping test on either side of the tunnel pinging from one side to the other side.

After running the above commands I'm able to run the pings accross the tunnel without any fragmenation issues.

This made my internet speed at the other site increase as I'm now getting about 10 Mb/s up and down. Throughput across the tunnel is still very low though.

Hi Ryan,

Is it possible for you to do a packet capture on both ends of the tunnel at the same time? both clear text and ESP traffic.

Thanks,

Santhosh

Hello Jon, let me know if the captures below work for you. The traffic in question is between 192.168.101.x and 192.168.3.x

I noticed that when I looked at the TCP Throughput the graph was absolutely all over the place.

Regards.

Mohammad Alhyari
Cisco Employee
Cisco Employee

Email me once you have time to work on this.

Sent from Cisco Technical Support Android App

William Reed
Level 1
Level 1

Did you ever get this fixed?