06-26-2013 01:08 PM
I have an IPSec L2L VPN set up between two ASA 5515X devices.
Each side has 50mbs of Internet bandwidth available (DS3 and Business-class cable)
I have set the MTU on the outside interfaces to 1380
I have also enabled
crypto ipsec df-bit clear-df outside
The tunnel is up without any errors. Show crypto ipsec sa shows packets being encrypted properly. I can ping hosts on either end and get 20-24ms response times with no packet loss.
However, I can only get 1-2mbs of upload and download through this tunnel (while outside the tunnel I am getting 40mbs+).
There are no speed/duplex mismatches between the ASAs and neighboring switches.
I am not sure what the issue here is.
Here is the rest of the config (relevant parts)
object network Engineering-Network
subnet 192.168.120.0 255.255.255.0
description Internel Engineering Subnet
object network CA-Servers
subnet 172.25.12.0 255.255.255.0
object network Engineering-Voice
subnet 192.168.121.0 255.255.255.0
description Engineering voice traffic
access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 192.168.121.0 255.255.255.0 172.25.0.0 255.255.0.0
nat (inside,outside) source static Engineering-Network Engineering-Network destination static CA-Servers CA-Servers no-proxy-arp route-lookup
nat (inside,outside) source static Engineering-Voice Engineering-Voice destination static CA-Servers CA-Servers no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer <address hidden>
crypto map outside_map1 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map1 interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
tunnel-group <hidden> type ipsec-l2l
tunnel-group <hidden> general-attributes
default-group-policy GroupPolicy1
tunnel-group <hidden> ipsec-attributes
ikev1 pre-shared-key <hidden>
Any advice would be great--I am really stuck here.
06-26-2013 11:25 PM
Suffering from the same issue, when using Cisco Anyconnect Secure Mobility Client vers. 3.1.02040...
Without AnyConnect Client loaded, average around 55 MBPS Connection Speeds; with AnyConnect Client loaded, max upload/download speed is 1-3 MBPS... Have tried everything but cannot figure out what issue is ...
06-26-2013 11:37 PM
I don't think setting the external MTU is enough since IPSec also has an overhead. Can you set MSS to 1300 for TCP connections.
Michael
Please rate all helpful posts
06-27-2013 06:36 AM
Michael: when I set the mtu on the outside to 1380, performance was even worse.
Should I do something with the tcp mss?
06-27-2013 06:38 AM
When you set the outside MTU smaller, your packets also will be fragmented.
Leave the outside MTU as it is and set the TCP MSS to 1300.
Michael
Please rate all helpful posts
06-27-2013 07:03 AM
Actually, performance is about the same. When I run iperf.exe, I am getting 2.4mbs through the tunnel
I tried sysopt connection tcpmss 1380 (which is a default anyway), but it didn't make any difference.
06-27-2013 07:11 AM
Ok, and you measure with TCP test right? What happens to the ping responses during the test?
Michael
Please rate all helpful posts
06-27-2013 08:08 AM
I've tested from network to network, using packet sizes of 1300-1500.
Response times are typically 20-38ms across the board.
Not seeing any packet loss or problems with the tunnel.
06-27-2013 08:37 AM
try to modify tcp mss on ASA
sysopt connection tcpmss 1300
Sent from Cisco Technical Support iPad App
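To make the MSS advice from the replies above concrete, here is an added worked example (not from any poster in this thread and not Cisco code) that estimates how large an ESP tunnel-mode packet becomes for a given TCP MSS with the transform set shown in the original config (esp-aes-256 esp-sha-hmac), and derives the largest MSS that still fits a 1500-byte outside MTU. It goes slightly beyond the thread by also modelling NAT-T UDP encapsulation. Assumptions are standard header sizes (20-byte IPv4, 20-byte TCP with no options, 16-byte AES-CBC IV and block, 12-byte HMAC-SHA1-96 ICV); the function names are this example's own.

```python
# Added example: size of an IPsec ESP tunnel-mode packet for a TCP segment.
# Assumed constants (standard RFC 4303 layout with AES-CBC + HMAC-SHA1-96).
OUTER_IP_HDR = 20   # new outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
AES_BLOCK = 16      # AES-CBC IV size and padding alignment (any key size)
SHA1_ICV = 12       # truncated HMAC-SHA1-96 integrity check value
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the padded area
UDP_HDR = 8         # extra UDP header only when NAT-T encapsulation is used
INNER_HDRS = 40     # inner IPv4 (20) + TCP (20), no options assumed


def esp_tunnel_packet_size(mss, nat_t=False):
    """Return the outer IPv4 packet size for one full-size TCP segment.

    The encrypted region (inner packet + 2-byte trailer) is padded up to a
    multiple of the AES block size; the IV, ESP header, ICV and outer IP
    header are then added on top.
    """
    inner = INNER_HDRS + mss
    encrypted = inner + ESP_TRAILER
    padded = -(-encrypted // AES_BLOCK) * AES_BLOCK  # round up to block size
    size = OUTER_IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV
    if nat_t:
        size += UDP_HDR
    return size


def will_fragment(mss, mtu=1500, nat_t=False):
    """True if a full segment at this MSS exceeds the outside interface MTU."""
    return esp_tunnel_packet_size(mss, nat_t) > mtu


def max_mss_for_mtu(mtu=1500, nat_t=False):
    """Largest MSS whose encrypted packet still fits in the given MTU."""
    mss = mtu
    while mss > 0 and esp_tunnel_packet_size(mss, nat_t) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # Constructed comparison: the default MSS (1460) versus the 1300 suggested
    # in the thread, on a 1500-byte outside MTU.
    for mss in (1460, 1380, 1300):
        print(f"MSS {mss}: ESP packet {esp_tunnel_packet_size(mss)} bytes, "
              f"fragments={will_fragment(mss)}")
    print("max MSS without fragmentation:", max_mss_for_mtu(1500))
    print("max MSS without fragmentation (NAT-T):", max_mss_for_mtu(1500, nat_t=True))
```

The point the numbers make is the one Michael raised: with the default MSS of 1460 every full segment grows past 1500 bytes after encryption and must be fragmented (or dropped when DF is set and not cleared), whereas lowering the MSS on the ASA keeps the encrypted packet whole. Lowering the outside interface MTU instead does not help, because the ESP packet is built after the MSS has already been negotiated.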
06-27-2013 08:48 AM
well that helped a bit: I am getting 3.45mbs now on iPerf, but the connection to the Internet is 100mbs on one side and 44mbs on the other (DS3), so it is still really slow.
06-27-2013 09:05 AM
Sorry, I'm not from the US ... is the upload on a DS3 the same as download?
Michael
Please rate all helpful posts
06-27-2013 09:51 AM
Yes, the upload and download are the same
07-18-2013 11:08 AM
Well it looks like my performance problems are not confined to the VPN tunnel
Even after adjusting the tcp mss and mtu (to 1300), I am getting poor throughput.
In an effort to troubleshoot this, I connected my laptop into the comcast router (it has an integrated switch) and ran iperf between an inside host (behind the ASA) and this machine. I got 1mbs throughput!
What is going on here? Is there something about iperf that gives strange results through an ASA?
Is there an issue with the ASA5515X model?
07-19-2013 07:26 AM
TCP iperf should run through an otherwise unloaded ASA at the lesser of the interface speed or the backplane speed, e.g. I can pump about 620 Mb/s through an ASA 5520 and about 940 Mb/s through an ASA 5525-x. I have enough trouble with OS stacks for UDP iperf that I don't have a good feel for what the ASA limits might be on that protocol.
I know you said there were no speed/duplex mismatches between the ASA and the switches, but triple check that; it sure acts like some kind of hardware problem. Bad cable, cable that won't stay fully seated, bad port, something.
-- Jim Leinweber, WI State Lab of Hygiene