Horrible VPN tunnel performance

Colin Higgins · ‎06-26-2013

I have an IPSec L2L VPN set up between two ASA 5515X devices.

Each side has 50mbs of Internet bandwidth available (DS3 and Business-class cable)

I have set the MTU on the outside interfaces to 1380

I have also enabled

crypto ipsec df-bit clear-df outside

The tunnel is up wihout any errors. Show crypto ipsec sa shows packets being encrypted properly. I can ping hosts on either end and get 20-24ms response times with no packet loss.

However, I can only get 1-2mbs of upload and download through this tunnel (while outside the tunnel I am getting 40mbs+).

There are no speed/duplex mismatches between the ASAs and neighboring switches.

I am not sure what the issue here is.

Here is the rest of the config (relevant parts)

object network Engineering-Network

subnet 192.168.120.0 255.255.255.0

description Internel Engineering Subnet

object network CA-Servers

subnet 172.25.12.0 255.255.255.0

object network Engineering-Voice

subnet 192.168.121.0 255.255.255.0

description Engineering voice traffic

access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 172.25.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip 192.168.121.0 255.255.255.0 172.25.0.0 255.255.0.0

nat (inside,outside) source static Engineering-Network Engineering-Network destination static CA-Servers CA-Servers no-proxy-arp route-lookup

nat (inside,outside) source static Engineering-Voice Engineering-Voice destination static CA-Servers CA-Servers no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec df-bit clear-df outside

crypto map outside_map1 1 match address outside_cryptomap

crypto map outside_map1 1 set pfs

crypto map outside_map1 1 set peer <address hidden>

crypto map outside_map1 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map1 interface outside

crypto ikev1 enable outside

!

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1

tunnel-group <hidden> type ipsec-l2l

tunnel-group <hidden> general-attributes

default-group-policy GroupPolicy1

tunnel-group <hidden> ipsec-attributes

ikev1 pre-shared-key <hidden>

Any advice would be great--I am really stuck here.

orvym1014 · ‎06-26-2013

Suffering from the same issue, when using Cisco Anyconnect Secure Mobility Client vers. 3.1.02040...

Without AnyConnect Client loaded, average around 55 MBPS Connection Speeds; with AnyConnect Client loaded, max upload/download speed is 1-3 MBPS... Have tried everything but cannot figure out what issue is ...

Michael Muenz · ‎06-26-2013

I don't thing setting the external MTU is enough since IPSec also had an overhead. Can you set MSS to 1300 for TCP connections.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts

Colin Higgins · ‎06-27-2013

Michael: when I set the mtu on the outside to 1380, performance was even worse.

Should I do something with the tcp mss?

Michael Muenz · ‎06-27-2013

When you set the outside MTU smaller, your packets also will be fragmented.

Leave the outside MTU as it is and set the TCP MSS to 1300.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts

Colin Higgins · ‎06-27-2013

Actually, performance is about the same. When I run iperf.exe, I am getting 2.4mbs through the tunnel

I tried sysopt connection tcpmss 1380 (which is a default anyway), but it didn't make any difference.

Michael Muenz · ‎06-27-2013

Ok, and you measure with TCP test right? What happens to the ping responses during the test?

Michael

Please rate all helpful posts

Michael Please rate all helpful posts

Colin Higgins · ‎06-27-2013

I've tested from network to network, using packet sizes of 1300-1500.

Response times are typically 20-38ms across the board.

Not seeing any packet loss or problems with the tunnel.

Shaoqin Li · ‎06-27-2013

try to modify tcp mss on ASA

sysopt connection tcp-mss 1300

Sent from Cisco Technical Support iPad App

Colin Higgins · ‎06-27-2013

well that helped a bit: I am getting 3.45mbs now on iPerf, but the connection to the Internet is 100mbs on one side and 44mbs on the other (DS3), so it is still really slow.

Michael Muenz · ‎06-27-2013

Sorry, I'm not from the US ... is the upload on a DS3 the same as download?

Michael

Please rate all helpful posts

Michael Please rate all helpful posts

Colin Higgins · ‎06-27-2013

Yes, the upload and download are the same

Colin Higgins · ‎07-18-2013

Well it looks like my performance problems are not confined to the VPN tunnel

Even after adjusting the tcp mss and mtu (to 1300), I am getting poor throughput.

In an effort to troubleshoot this, I connected my laptop intot he comcast router (it has an integrated switch) and ran iperf between an inside host (behind the ASA) and this machine. I got 1mbs throughput!

What is going on here? Is there something about iperf that gives strange results through an ASA?

Is there an issue with the ASA5515X model?

James Leinweber · ‎07-19-2013

TCP iperf should run through an otherwise unloaded ASA at the lesser of the interface speed or the backplane speed, e.g. I can pump about 620 Mb/s through an ASA 5520 and about 940 Mb/s through an ASA 5525-x. I have enough trouble with OS stacks for UDP iperf that I don't have a good feel for what the ASA limits might be on that protocol.

I know you said there were no speed/duplex mismatches between the ASA and the switches, but triple check that; it sure acts like some kind of hardware problem. Bad cable, cable that won't stay fully seated, bad port, something.

-- Jim Leinweber, WI State Lab of Hygiene