IPSec VPN - Slow connection in Router 2801

Alcides Miguel
Level 1

Hello!

I've set up a remote IPSec VPN on a Cisco 2801 router. I can connect and traffic flows, but I get a very slow connection.

My router connection is 2Mb and my client is using a GPRS (GSM card) connection. It takes about 3 min. to open an Excel file.

Ping:

A fazer ping para srv-files.DOMAIN.local [10.X0.X.4] com 32 bytes de dados:

Resposta de 10.X0.X.4: bytes=32 tempo=577ms TTL=126

Resposta de 10.X0.X.4: bytes=32 tempo=605ms TTL=126

Resposta de 10.X0.X.4: bytes=32 tempo=613ms TTL=126

Resposta de 10.X0.X.4: bytes=32 tempo=622ms TTL=126

Estatísticas de ping para 10.X0.X.4:

    Pacotes: Enviados = 4, Recebidos = 4,

             Perdidos = 0 (perda: 0%),

Tempo aproximado de ida e volta em milissegundos:

    Mínimo = 577ms, Máximo = 622ms, Média = 604ms

ISAKMP POLICY:

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group REMOTE-IT-GROUP

key r3m0teacc3ss

dns 10.X0.X.2 10.X0.X.1

domain DOMAIN.local

pool LOCAL-POOL

acl ACL

!

crypto isakmp profile ISAPROFILES

   match identity group VPN

   client authentication list VPN

   isakmp authorization list VPN

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

!

crypto ipsec profile IPSECPROFILE

set transform-set ESP-AES-SHA

set isakmp-profile ISAPROFILES

INTERFACE:

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/1

zone-member security outside

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSECPROFILE

Is there something wrong in the IPSec config that is making my connection slow, or can I do some tips 'n tricks to burst my VPN speed?

PLEASE HELP

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi Alcides,

500 ms is A LOT of delay.

What delay do you get when pinging a public IP address from your GPRS connection without the VPN?

Let's see if the delay comes from GPRS or from VPN. If from GPRS - there's not much you can do from VPN's point of view.

Configuration-wise ... check if you have CEF enabled and if anything would change if no ZBF was in place.

Marcin

Hi, Marcin

Thanks for your fast response.

>ping 8.8.8.8

A fazer ping para 8.8.8.8 com 32 bytes de dados:

Resposta de 8.8.8.8: bytes=32 tempo=479ms TTL=57

Resposta de 8.8.8.8: bytes=32 tempo=498ms TTL=57

Resposta de 8.8.8.8: bytes=32 tempo=457ms TTL=57

Resposta de 8.8.8.8: bytes=32 tempo=417ms TTL=57

Estatísticas de ping para 8.8.8.8:

    Pacotes: Enviados = 4, Recebidos = 4,

             Perdidos = 0 (perda: 0%),

Tempo aproximado de ida e volta em milissegundos:

    Mínimo = 417ms, Máximo = 498ms, Média = 462ms

MY Router Gateway

>ping 66.110.123.81

A fazer ping para 66.110.123.81 com 32 bytes de dados:

Resposta de 66.110.123.81: bytes=32 tempo=487ms TTL=247

Resposta de 66.110.123.81: bytes=32 tempo=483ms TTL=247

Resposta de 66.110.123.81: bytes=32 tempo=521ms TTL=247

Resposta de 66.110.123.81: bytes=32 tempo=480ms TTL=247

Estatísticas de ping para 66.110.123.81:

    Pacotes: Enviados = 4, Recebidos = 4,

             Perdidos = 0 (perda: 0%),

Tempo aproximado de ida e volta em milissegundos:

    Mínimo = 480ms, Máximo = 521ms, Média = 492ms

IP CEF = OK

I have not removed ZBF yet, but do you think that this is the deal?

What about if I want some firewall functions to inspect traffic crossing the tunnel, and can I stop viruses, worms, etc. on tunnel traffic?

As you can see, it is my first time configuring Remote VPN on 2801, so can you tell me what's the bandwidth recommended for IPSec Remote VPN on 2801?

Best regards

Alcides,

With basic latency like this (~500ms) don't expect a very good throughput through a tunnel.

The problem in this particular case will be client side not on router side. 0.5s is forever in computer time. Imagine waiting every time 0.5 second for an ACK for 64k of data (no window scaling, no SACK).

Also, there is no particular bandwidth recommendation for IPsec VPN (or SSL, or any other); it will all depend on the type and volume of traffic you're sending.

There might be something on router side, but the effect of any change of router will be marginal for this client with such high latency.

Marcin
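Added example (not part of the original thread and not from either poster): a Python sketch that parses the ping replies posted above to separate the latency already present on the GPRS path from what the tunnel path adds, and computes the single-flow ceiling for the 64k window mentioned in the reply. The function names and the 65535-byte window value are assumptions of this example.

```python
import re
from statistics import mean

# Windows ping localizes the label ("tempo=" in the Portuguese output above);
# "<" covers sub-millisecond replies printed as "time<1ms".
RTT_RE = re.compile(r"(?:time|tempo)[=<](\d+)\s*ms", re.IGNORECASE)

# Reply lines copied from the ping output posted in this thread.
THROUGH_TUNNEL = """\
Resposta de 10.X0.X.4: bytes=32 tempo=577ms TTL=126
Resposta de 10.X0.X.4: bytes=32 tempo=605ms TTL=126
Resposta de 10.X0.X.4: bytes=32 tempo=613ms TTL=126
Resposta de 10.X0.X.4: bytes=32 tempo=622ms TTL=126
"""
TO_ROUTER_GATEWAY = """\
Resposta de 66.110.123.81: bytes=32 tempo=487ms TTL=247
Resposta de 66.110.123.81: bytes=32 tempo=483ms TTL=247
Resposta de 66.110.123.81: bytes=32 tempo=521ms TTL=247
Resposta de 66.110.123.81: bytes=32 tempo=480ms TTL=247
"""

def rtts_ms(ping_output):
    """Per-reply RTTs in ms. Raises if no reply line is present."""
    samples = [int(v) for v in RTT_RE.findall(ping_output)]
    if not samples:
        raise ValueError("no ping replies found (timeouts only?)")
    return samples

def split_latency(tunnel_output, underlay_output):
    """Compare RTT to a host behind the tunnel with RTT to the router's
    public side over the same access link."""
    tunnel = mean(rtts_ms(tunnel_output))
    underlay = mean(rtts_ms(underlay_output))
    return {
        "tunnel_ms": tunnel,
        "underlay_ms": underlay,
        # Remainder = IPsec processing plus the hop(s) behind the router.
        "added_ms": tunnel - underlay,
        "underlay_share": underlay / tunnel,
    }

def window_limited_bps(window_bytes, rtt_ms):
    """Ceiling for one TCP flow: at most one window in flight per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000.0)

if __name__ == "__main__":
    s = split_latency(THROUGH_TUNNEL, TO_ROUTER_GATEWAY)
    print(f"tunnel {s['tunnel_ms']:.0f} ms, underlay {s['underlay_ms']:.0f} ms "
          f"({s['underlay_share']:.0%} of the total)")
    # 65535 bytes: largest window without window scaling (assumed value).
    print(f"ceiling {window_limited_bps(65535, s['tunnel_ms']) / 1000:.0f} kbit/s")
```

On the posted samples, roughly four fifths of the round-trip time through the tunnel is already present on the path to the router's public address.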
