Improve VPN tunnel performance

xtech
Beginner

We have a customer with two sites using ASA 5505s to link them together. They have a 60mb down, 12mb up connection with Comcast at both sites. Their VPN tunnel maxes out around 500kbps. I am looking for ways to try and improve the speed through the tunnel. I am still fairly new at configuring ASAs and do not know exactly where to start trying to diagnose. Any ideas would be greatly appreciated.

2 Replies

Dinesh Moudgil
Cisco Employee

You might want to tweak the MSS/MTU size on the ASAs and clear the df-bit on the outside interface of the ASAs, as this will allow the packets to be fragmented rather than dropped.


Here is a doc to get you started:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html

Start off with the ping test, as defined in the "VPN Encryption Error" section of this document.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi xtech,

No issues, we will be glad to assist you.

May I know if this issue is a new one or has just started?

show crypto isakmp sa detail

show crypto ipsec sa peer <remote public IP> detail

show asp drop    // with continuous traffic on, collect this multiple times at an interval of 5 seconds.

Collect simultaneous captures on the inside of both ends for an application access which is experiencing the slowness issue:

- Set up the captures on the ASA:

capture capin interface <interface where inside server is reachable> match ip host <local inside host> host <remote host>

capture drop type asp-drop all

You can also check these documents for troubleshooting these issues:

PIX/ASA 7.x and IOS: VPN Fragmentation

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html

Decrease the MSS to 1300 as discussed:

sysopt connection tcpmss 1300    (the default is 1380)

In the ASDM

TCP Maximum Segment Size Overview

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/interface-basic.html#pgfId-1887070

Don't Fragment through ASDM

Edit IPsec Pre-Fragmentation Policy

Configuration > VPN > IPsec > Pre-Fragmentation

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_ike.html#pgfId-1006499

Regards,

Aditya

Please rate helpful posts.
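Both replies above come down to the same thing: a full-sized TCP segment plus ESP tunnel-mode overhead must still fit the outer path MTU, otherwise the ASA either fragments or, with the DF bit set, drops. The calculator below is an added example and is not code from this thread or from Cisco; it works out the encrypted on-the-wire size for a given MSS and transform, and derives the largest MSS that fits a given MTU. Header sizes follow RFC 4303 (ESP), RFC 3948 (NAT-T), RFC 4106 (AES-GCM) and RFC 4868 (HMAC-SHA-256-128); the transform labels in `TRANSFORMS` are my own shorthand, not ASA keywords, and the path MTUs in `main()` are constructed sample values.

```python
"""ESP tunnel-mode overhead calculator (added example, not from the thread).

Estimates how large a TCP segment becomes after IPsec ESP tunnel-mode
encapsulation and which `sysopt connection tcpmss` value keeps it under a
given outer path MTU. Transform names below are my own labels, not ASA CLI
keywords.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP options are paid for out of the MSS by the sender,
                   # so IP packet length <= 40 + MSS always holds
ESP_HDR = 8        # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP header inserted when NAT traversal is active


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int    # explicit IV carried in the packet
    block: int     # (payload + padding + trailer) must be a multiple of this
    icv_len: int   # integrity check value appended after the trailer


TRANSFORMS = {
    "3des-md5":   Transform("3DES-CBC / HMAC-MD5-96",      iv_len=8,  block=8,  icv_len=12),
    "aes-sha1":   Transform("AES-CBC / HMAC-SHA1-96",      iv_len=16, block=16, icv_len=12),
    "aes-sha256": Transform("AES-CBC / HMAC-SHA-256-128",  iv_len=16, block=16, icv_len=16),
    "aes-gcm":    Transform("AES-GCM with 16-byte ICV",    iv_len=8,  block=4,  icv_len=16),
}


def esp_packet_size(inner_len: int, tf: Transform, nat_t: bool = False) -> int:
    """Outer IPv4 packet length for a tunnel-mode ESP packet that carries an
    inner IP packet of `inner_len` bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // tf.block) * tf.block        # round up to block size
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0)
            + ESP_HDR + tf.iv_len + padded + tf.icv_len)


def encapsulated_size(mss: int, tf: Transform, nat_t: bool = False) -> int:
    """Wire size of a full-sized TCP segment (IP + TCP + MSS bytes) after ESP."""
    return esp_packet_size(IPV4_HDR + TCP_HDR + mss, tf, nat_t)


def max_mss(path_mtu: int, tf: Transform, nat_t: bool = False) -> int:
    """Largest MSS whose full-sized segment still fits `path_mtu` after ESP.

    Starts at the plain-TCP bound (MTU - 40) and walks down; the block
    padding makes the relation stepwise, so a linear search is the clearest
    way to get an exact answer."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and encapsulated_size(mss, tf, nat_t) > path_mtu:
        mss -= 1
    return mss


def main() -> None:
    # Constructed scenarios: plain Ethernet and a PPPoE-style 1492-byte path.
    for mtu in (1500, 1492):
        print(f"outer path MTU {mtu}")
        for key, tf in TRANSFORMS.items():
            for nat_t in (False, True):
                size_1380 = encapsulated_size(1380, tf, nat_t)   # ASA default
                size_1300 = encapsulated_size(1300, tf, nat_t)   # suggested value
                print(f"  {tf.name:<28} nat-t={str(nat_t):<5} "
                      f"mss1380->{size_1380} mss1300->{size_1300} "
                      f"max_mss={max_mss(mtu, tf, nat_t)}")


if __name__ == "__main__":
    main()
```

Run as-is and the table shows why the default of 1380 already fits a 1500-byte path for the classic transforms, and how much headroom 1300 leaves once NAT-T, a larger ICV or a smaller upstream MTU is added; if a host is advertising a larger MSS than `max_mss` for the real path, the segments are being fragmented or dropped before they ever reach the peer.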
