02-18-2025 05:16 PM
Hello Folks,
Running into a crazy issue here. I have a firewall cluster in Taiwan (remote) ---> IPsec VPN ---> firewall cluster in USA (HQ).
The main usage of that VPN is to have all agents (roughly 500 users) access a Citrix portal.
80% of the day things are normal, average latency 220 ms, which is normal due to geo distance / encap-decap, etc.
But at some point the latency goes up to 500 ms for a few minutes, which results in a production drop as everyone needs to re-login.
I spent weeks on that issue, did a lot of optimization, and got TAC engaged, but from time to time we still run into the latency issue.
Anyone with the same story? Any recommendation? What to capture if the issue happens?
02-18-2025 11:06 PM
@AirSail What is the firewall cluster, ASA or FTD?
What version of software are the firewalls running? Perhaps a bug for your specific version?
When the latency occurs, does the firewall hardware CPU/memory spike?
Are you monitoring the firewall via an NMS so you can see if there are any issues around the time there is latency?
02-19-2025 12:10 AM
Have you logged a ticket with your WAN/Internet provider? Worth checking if the latency is from their end during the day. Do you have NetFlow configured in your network?
Does this happen at a specific time of day? When this issue occurs you need to take the statistics of the router/firewall. You have not mentioned what appliances you are running. Need more information.
02-19-2025 05:16 AM
I had many tickets with the ISP; as the issue is random, they just don't say anything useful, or most of the time they ask for a trace. For NetFlow, nope, I don't have one, but I'm thinking of it.
Good question about the timing. I would say yes, quite repetitive when all the users log in at the same time and start pulling applications from the Citrix portal. I worked with TAC; they said the firewall hits 60% at peak time and that won't harm at all. The hardware is FPR2130.
02-19-2025 05:30 AM
Have a look at this document; whether you run FTD code or ASA code, it shall put you in the right direction: Here
Some of the commands you can take the output of are "show conn", "show process cpu non-zero", "show threat-detection statistics host" and "show asp drops".
02-19-2025 12:37 AM
For recommendations, try to use PMTU in the IPsec VPN; it can be that the path in the ISP core changes and hence the MTU changes.
Try to use PMTU or reduce the MTU to a low value.
MHM
02-19-2025 09:58 AM
Hello @MHM Cisco World - I checked show crypto ipsec sa and I see MTU 15000, which seems to be set to default.
What is PMTU? What is that "P"?
02-19-2025 10:11 AM
PMTU is path MTU; it's the way the FW uses to detect the MTU in the path.
For the MTU value use 1400.
MHM
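The MTU discussion above is easier to reason about with the encapsulation overhead written out. The following is an added worked example, not code from the thread or from Cisco: it computes the on-the-wire size of an ESP tunnel-mode packet for a given inner packet size, the largest inner packet that still fits a given path MTU without fragmentation, and the TCP MSS that goes with a chosen inner MTU. The algorithm parameters (AES-CBC with a 16-byte IV and block, a 16-byte ICV, NAT-T in use) are assumptions for illustration, not the thread's actual tunnel settings.

```python
# Added worked example (not from the thread): ESP tunnel-mode overhead and the
# inner MTU / TCP MSS that keeps encrypted packets under the path MTU.
# Assumed algorithms: AES-CBC (16-byte IV, 16-byte block) with a 16-byte ICV
# (e.g. HMAC-SHA-256-128); NAT-T adds a UDP header. These are assumptions.

OUTER_IP = 20      # outer IPv4 header, no options
UDP_NAT_T = 8      # UDP/4500 header when NAT traversal is in use
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_padding(inner_len, block=16):
    """ESP pads the payload so that payload + trailer is a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len, iv_len=16, block=16, icv_len=16, nat_t=True):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    return (OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv_len
            + inner_len + esp_padding(inner_len, block) + ESP_TRAILER + icv_len)


def max_inner_packet(path_mtu=1500, **params):
    """Largest inner packet whose encapsulation still fits path_mtu (no fragmentation)."""
    for n in range(path_mtu, 0, -1):
        if encapsulated_size(n, **params) <= path_mtu:
            return n
    return 0


def fits(inner_mtu, path_mtu=1500, **params):
    """True if an inner packet of inner_mtu bytes survives the path without fragmentation."""
    return encapsulated_size(inner_mtu, **params) <= path_mtu


def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps a full segment inside inner_mtu (20 IP + 20 TCP, no options)."""
    return inner_mtu - 40


if __name__ == "__main__":
    # Show the headroom for a few hypothetical path MTUs; values are illustrative only.
    for path_mtu in (1500, 1492, 1400):
        n = max_inner_packet(path_mtu)
        print(f"path MTU {path_mtu}: max inner packet {n}, TCP MSS {tcp_mss_for(n)}")
    print("inner MTU 1400 fits a 1500-byte path:", fits(1400))
    print("inner MTU 1500 fits a 1500-byte path:", fits(1500))
```

With these assumptions a 1500-byte path carries at most a 1422-byte inner packet, which is why the ASA's default TCP MSS clamp of 1380 bytes (1420-byte inner packets) sits just below it, and why an inner MTU of 1400 leaves a little extra room if the ISP path's MTU shrinks.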
02-20-2025 11:02 PM
Sounds good, I'll put an MTU of 1400.
And for PMTU, is there something specific to configure for it?
02-21-2025 01:06 AM
MHM
03-05-2025 01:52 PM
Hello MHM and team,
I'm still spending the day looking at different parameters and logs. I started capturing, and I captured many logs such as:
[https 443] drop rate-1 exceeded. current burst rate is 8 per second max ....
and other logs showing [port range] or [scanning] ....
I did further research and it sounds like this has something to do with threat detection.
Looking at some commands, "show threat-detection statistics host | b myCitrixserver", the numbers are huge compared to other entries showing in that long output.
Could threat detection affect/drop traffic going to the Citrix server?
Is there any specific command to put an exception for a specific IP so that it is not processed by threat detection?
Thanks a lot!
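The post above asks whether the "drop rate-1 exceeded" messages line up with the latency episodes. Below is an added example, not code from the thread or from Cisco, that parses syslog lines of that shape (ASA message 733100), summarises them per object and per minute, and lists the minutes with the most rate-exceeded messages so they can be compared against the times users were kicked back to the login page. The sample log lines are constructed for this example; the hostname, timestamps and counters are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines, modelled on the "drop rate-1 exceeded" messages
# quoted in the thread (ASA message ID 733100). Hostname, timestamps, objects and
# counters are made up for this example.
SAMPLE_LOG = """\
Mar 05 2025 08:01:12 fw-hq %ASA-4-733100: [ https 443] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 5; Current average rate is 3 per second, max configured rate is 2; Cumulative total count is 1210
Mar 05 2025 08:01:40 fw-hq %ASA-4-733100: [ https 443] drop rate-1 exceeded. Current burst rate is 11 per second, max configured rate is 5; Current average rate is 4 per second, max configured rate is 2; Cumulative total count is 1305
Mar 05 2025 08:02:03 fw-hq %ASA-4-733100: [ scanning] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 5; Current average rate is 6 per second, max configured rate is 4; Cumulative total count is 3025
Mar 05 2025 08:02:09 fw-hq %ASA-4-733100: [ https 443] drop rate-2 exceeded. Current burst rate is 9 per second, max configured rate is 6; Current average rate is 5 per second, max configured rate is 3; Cumulative total count is 1390
Mar 05 2025 08:02:31 fw-hq %ASA-4-733100: [ https 443] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 5; Current average rate is 6 per second, max configured rate is 2; Cumulative total count is 1480
Mar 05 2025 13:45:55 fw-hq %ASA-4-733100: [ port range] drop rate-1 exceeded. Current burst rate is 3 per second, max configured rate is 2; Current average rate is 1 per second, max configured rate is 1; Cumulative total count is 88
"""

# Fields of a 733100 message: bracketed object, rate id, burst and average rates with
# their configured maxima, and the cumulative drop count.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-733100: "
    r"\[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)


def parse_lines(text):
    """Return one dict per matching 733100 line; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S"),
            "object": d["obj"],
            "rate_id": int(d["rate_id"]),
            "burst": int(d["burst"]), "burst_max": int(d["burst_max"]),
            "avg": int(d["avg"]), "avg_max": int(d["avg_max"]),
            "total": int(d["total"]),
        })
    return events


def summarize_by_object(events):
    """Per object: number of messages, highest burst rate seen, last cumulative count."""
    summary = defaultdict(lambda: {"events": 0, "max_burst": 0, "last_total": 0})
    for e in sorted(events, key=lambda e: e["ts"]):
        s = summary[e["object"]]
        s["events"] += 1
        s["max_burst"] = max(s["max_burst"], e["burst"])
        s["last_total"] = e["total"]
    return dict(summary)


def events_per_minute(events):
    """Counter keyed by minute bucket 'YYYY-MM-DD HH:MM', across all objects."""
    return Counter(e["ts"].strftime("%Y-%m-%d %H:%M") for e in events)


def noisy_minutes(events, min_events=3):
    """Minutes with at least min_events rate-exceeded messages: the windows to line up
    against the latency spikes and forced re-logins reported by users."""
    return sorted(m for m, n in events_per_minute(events).items() if n >= min_events)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for obj, s in summarize_by_object(evs).items():
        print(f"{obj:12s} events={s['events']} max_burst={s['max_burst']} total={s['last_total']}")
    print("noisy minutes:", noisy_minutes(evs))
```

Feed it the raw syslog export instead of SAMPLE_LOG and lower or raise min_events to taste; a run of noisy minutes that coincides with the morning login storm supports the hypothesis in the post, while rate-exceeded messages spread evenly over the day point elsewhere.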
03-10-2025 03:03 PM
Anyone with further updates?
03-14-2025 02:57 PM
@HMHMHM @Rob Ingram @Sheraz.Salim - any feedback regarding the latest reply I posted? Do you think the threat-detection engine could lead to similar behavior?
03-17-2025 02:11 AM
@AirSail You can configure it and test; it might work for you. If this does not work, try to upgrade the software on your firewall.