How fast are your connections? Do you see a slow ping response when you ping from device to device on their external addresses? What devices are you using? What is the CPU showing on the devices, e.g. are they under load?
Sent from Cisco Technical Support iPhone App
If your internet access is faster as compared to what you see across the VPN tunnel then please follow the below mentioned steps.
I hope the scenario at your end is something like this:
Host A(10.10.10.1)----------(ASA1)=======VPN Tunnel========(ASA2)----------Host B(192.168.10.1)
Now you are saying that the ping between the host A and host B is slow. Please correct me if I am wrong but if I am correct then please try the ping test.
From Host A (if it is a Windows machine) open the command prompt and enter this command: ping -f -l 1400 192.168.10.1
In general you will get this message: "Packet needs to be fragmented but DF set" or you will see a successful reply.
If you see the "Packet needs to be fragmented" message then try to reduce the size of the packet being sent across the VPN tunnel, i.e. instead of using 1400, try 1380 and the command becomes ping -f -l 1380 192.168.10.1. You will have to keep reducing the size of the packet as we did from 1400 to 1380 and further to 1360 and so on until you receive a successful reply.
Try the same thing from Host B to Host A and, let's say you receive a successful reply at 1350, then run the command "show run all sysopt" on the ASA and you will see output somewhat similar to this:
no sysopt connection timewait
sysopt connection tcpmss 1380 <--This is the command that we need to play with
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
For example, if you receive a reply at 1350 then subtract 50 (approx. IPsec header size) from 1350 and set the sysopt connection tcp mss to 1300, and if you received a reply at 1300 then after subtracting 50, we will set the tcp mss to 1250.
I.e. on the ASA set the tcp mss size to 1300 or 1250.
Also apply this command on both ASAs: crypto ipsec df-bit clear-df inside
Please follow these steps on both ASAs and let me know if this helps.
Please go through the link: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html#wp1023535
This link will give you a clear understanding of this command.
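The DF-bit ping sweep and the "subtract about 50" rule from the reply above, as an added example that is not part of the original thread. It assumes a Windows host with English-language ping output; the function names and the 576-byte floor are hypothetical choices made for this sketch.

```python
import subprocess
import sys

IPSEC_OVERHEAD = 50  # approximate IPsec header size quoted in the reply
STEP = 20            # the reply steps 1400 -> 1380 -> 1360
FLOOR = 576          # assumed lower bound for the sweep (not from the thread)

def windows_df_ping(host, size):
    """One echo with DF set (-f) and `size` payload bytes (-l), Windows ping.
    Exit codes are unreliable here, so look for a real echo reply (TTL=)."""
    out = subprocess.run(["ping", "-n", "1", "-f", "-l", str(size), host],
                         capture_output=True, text=True).stdout
    return "TTL=" in out and "needs to be fragmented" not in out

def largest_df_size(probe, host, start=1400, step=STEP, floor=FLOOR):
    """Step down from `start` until probe(host, size) succeeds.
    Returns the first size that passes, or None if nothing passes."""
    size = start
    while size >= floor:
        if probe(host, size):
            return size
        size -= step
    return None

def suggested_tcpmss(passing_size, overhead=IPSEC_OVERHEAD):
    """Apply the reply's rule: passing ping size minus about 50."""
    if passing_size is None:
        raise ValueError("no DF ping succeeded; check reachability first")
    return passing_size - overhead

if __name__ == "__main__":
    # Run once on Host A against Host B, then on Host B against Host A.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.1"
    size = largest_df_size(windows_df_ping, host)
    print(f"largest DF ping size that passed: {size}")
    print(f"sysopt connection tcpmss {suggested_tcpmss(size)}")
```

The probe is passed in as a parameter so the stepping logic can be checked without a live tunnel.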