Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

rgeist554 · ‎10-21-2013

Hello,

I've got two sites connected to each other using Cisco ASA 5505's and an IP sec tunnel.

A little diagram of the setup:

[ASA 5505] --- 50Mb u/d pipe ---> [Internet] <----- 45Mb u/d pipe ---- [ASA5505]

[Hou] [Kat]

The throughput from Kat to the internet seems to be only about 1-3Mb/s u/d instead of 45Mb with the VPN tunnel active. Testing the connection outside of the tunnel results in full 45Mb u/d speeds.

I've also done some reading about adjusting the MTU outside value on the ASA's to be anywhere from 1350-1380. After making this change I notice no difference. If anything it makes the connection slower. I've also adjusted the tcp-mss values from anywhere between 1300 and 1380. Every tested value basically has the users saying that they cannot work at all.

If I run a "ping -f -l <size> <target>" across the tunnel, I get fragmentation errors all the way until I set the packet size to 1280 or lower. I'm afraid to set the MTU on the outside that small because I don't know what the reperucssions may be on the network.

What else should I be looking at so that we can get use of the full 45Mbs of the connection instead of functioning like we are on a T-1? Do I need to lower the MTU to the 1280 number? Change encyrption, etc.?

Configs available on request.

Jon Are Endrerud · ‎10-21-2013

AES is faster than 3DES, but i dont think thats your problem. What methods do you use to test your connection?

In my experience MTU problems are getting rare, but it might be a router on the way that sits with a small MTU. It shouldt be a problem to reduce it to test.

Are you seeing anything in the ASA logs?

Can you ping the remote peer IP outside the tunnel?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

rgeist554 · ‎10-21-2013

I'm not too sure about the logging because I'm still somewhat of a novice when it comes to the tunneling and ASA's in general.

I'm able to ping the public IP of the peer inside and outside the tunnel. The methods of testing was a using iperf.exe and speedtest.net (which I'm told is not reliable for these tests). Iperf.exe was only showing the following results over the course of the day:

0.54 Mb/s down - 3.03 Mb/s up

3.01 Mb/s down - 4.3 Mb/s up

1.76 Mb/s down - 2.73 Mb/s up

*edit* with iperf.exe I was testing to and from peers on opposite ends of the tunnel.

Jon Are Endrerud · ‎10-21-2013

Have you checked the sh interfaces to rule out duplex error on one of the ciscos?

Also can you use ftp transfer to check the speed?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

rgeist554 · ‎10-21-2013

Just to make sure I swapped all interfaces to be "speed 100" with "full duplex". The only uncontrolled variable is the ISP's router, but everything works at full speed if I take the VPN tunnel out of the equation.

As for the speed test:

FTP transfer speed varied between 115KB/s - 285KB/s with a 1GB file.

Not sure if this is impotant either, but about every 15-25 seconds I'll get a timeout if I run a constant 32B ping.

Jon Are Endrerud · ‎10-21-2013

What ASA firmwarw are you running on these devices?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

rgeist554 · ‎10-22-2013

Hou side is 7.2(4)

Kat side is running 8.2(5)

Jon Are Endrerud · ‎10-22-2013

Any chance you could move up in firmware. Latest is 9.1(3) I think.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

William Reed · ‎11-14-2013

Did you ever get this fixed?