Showing results for 
Search instead for 
Did you mean: 

Delay in response vpn

  Hi all,

I have site to site vpn where i am facing slow resposne when i access or ping other site ,Please let what are the reason for slowness.


How fast are your connections? Do you see a slow ping response when you ping from device to device on their external addresses? What devices are you using? What is the CPU showing on the devices, eg are they under load?

Sent from Cisco Technical Support iPhone App

Vishnu Sharma

Hi Jibin,

If your internet access is faster as compared to what you see across the VPN tunnel then please follow the below mentioned steps.

I hope scenario at your end is somethinglike this:

Host A( Tunnel========(ASA2)----------Host B(

Now you are saying that the ping between the host A and host B is slow. Please correct me if I am wrong but if I am correct then please try the ping test.

From Host A (if it is a windows machine) open the command prompt and enter this command: ping -f -l 1400

In general you will get this message: "Packet needs to be fragmented but DF set" or you will see a successful reply.

If you see the packet need to be fragmented message then try to reduce the size of the packet being sent across the VPN tunnel i.e. instead of using 1400, try 1380 and the command becomes ping -f -l 1380 you will have to keep reducing the size of the packet as we did from 1400 to 1380 and further to 1360 and so on until you receive a successful reply.

Try the same thing from Host B to Host A and lets say you receieve a successful reply at 1350 then run the command on the ASA "show run all sysopt" and you will see some what similar output:

no sysopt connection timewait

sysopt connection tcpmss 1380 <--This is the command that we need to play with

sysopt connection tcpmss minimum 0

sysopt connection permit-vpn

sysopt connection reclassify-vpn

sysopt connection preserve-vpn-flows

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt noproxyarp outside

For example, if you recieve reply at 1350 then reduce 50 ( approx. ipsec header size) from 1350 and set the sysopt connection tcp mss to 1300 and if you received reply at 1300 then after reducing 50, we will set the tcp mss to 1250.

i.e. on the ASA set tcp mss size to 1300 or 1250.

Also apply this command: crypto ipsec df-bit clear-df inside on both the ASA's.

Please follow these steps on both the ASA's and let me know if this helps.


Vishnu Sharma

Hi ,

Thank you for replay ,it is  good steps to follow

crypto ipsec df-bit clear-df inside : what this command does

Hi Jibin,

Please go through the link:

This link will give you clear understanding of this command.


Vishnu Sharma