12-18-2020 01:44 AM
I have 2 sites, with ASA 5510 and IPSEC VPNs. When I try to copy a file from one site to the other, the speed can't rise over 1mbps.
Also, on one site the CPU is utilized around 80-90%, mostly by process Dispatch_Unit. But even when CPU is around 15%, the speed of one session can't rise over 1mbps.
12-18-2020 01:57 AM
The show traffic command shows some drops on the outside interface, where the VPNs are built.
outside:
        received (in 18631.890 secs):
                139613110 packets       143249950639 bytes
                7032 pkts/sec   7688197 bytes/sec
        transmitted (in 18631.890 secs):
                97181437 packets        24537396345 bytes
                5215 pkts/sec   1316034 bytes/sec
      1 minute input rate 6245 pkts/sec,  5798663 bytes/sec
      1 minute output rate 4196 pkts/sec,  852399 bytes/sec
      1 minute drop rate, 8 pkts/sec
      5 minute input rate 7476 pkts/sec,  7446379 bytes/sec
      5 minute output rate 4882 pkts/sec,  1011055 bytes/sec
      5 minute drop rate, 15 pkts/sec
PCAP shows dup ACKs.
After I removed VPN-Filters from the IPSEC VPNs, CPU went down to ~50%, but the speed of one session through the VPN is the same.
12-18-2020 02:02 AM
show asp drop command
Frame drop:
  IPSEC tunnel is down (ipsec-tun-down)                                       24
  VPN reclassify failed (vpn-reclassify-failed)                                1
  No valid adjacency (no-adjacency)                                       215508
  No route to host (no-route)                                                335
  Flow is denied by configured rule (acl-drop)                            254716
  Invalid SPI (np-sp-invalid-spi)                                              1
  First TCP packet not SYN (tcp-not-syn)                                    9431
  TCP failed 3 way handshake (tcp-3whs-failed)                             57633
  TCP RST/FIN out of order (tcp-rstfin-ooo)                               203490
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                         10405
  TCP SYNACK on established conn (tcp-synack-ooo)                             55
  TCP packet SEQ past window (tcp-seq-past-win)                              775
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  11
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                   1
  TCP packet failed PAWS test (tcp-paws-fail)                               1895
  SSL first record invalid (ssl-first-record-invalid)                          1
  Slowpath security checks failed (sp-security-failed)                     11718
  ICMP Inspect bad icmp code (inspect-icmp-bad-code)                           1
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)        138
  DNS Inspect id not matched (inspect-dns-id-not-matched)                    335
  FP L2 rule drop (l2_acl)                                                   650
  Interface is down (interface-down)                                           7
  Dropped pending packets in a closed socket (np-socket-closed)              318
  IKE new SA limit exceeded (ike-sa-rate-limit)                             1394
  IKE new SA global limit exceeded (ike-sa-global-rate-limit)                 85
  Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool)  162

Last clearing: Never

Flow drop:
  Tunnel has been torn down (tunnel-torn-down)                                 2
  Need to start IKE negotiation (need-ike)                                  5140
  VPN handle not found (vpn-handle-not-found)                                  4
  NAT reverse path failed (nat-rpf-failed)                                 22748
  Inspection failure (inspect-fail)                                        53538
  SSL bad record detected (ssl-bad-record-detect)                              8
  SSL handshake failed (ssl-handshake-failed)                                 23