PIX 501 Client VPN Slow!

jhaggett · ‎06-21-2004

Hi Everyone,

I'm stuck on a bit of a problem. I have a PIX 501 and the client VPN is extremely slow. I've tried it from different locations so I know it is probably at the pix or beyond it. I'm using the Cisco VPN Client 4.x and DES-MD5. I originally had 3DES enabled, and when I dropped it to DES there was no change.

Can anyone point me at some values in the monitoring that would show something abnormal?

After I connect the vpn, then try access a share, I have to wait a good 4-5 minutes before the share opens. I know the VPN throughput on a 501 is not that great, but, this is obviously unacceptable.

Any help would be greatly appreciated!

ehirsel · ‎06-22-2004

I would run a capture command on the 501 interface that leads into your network, filtering on the ip adress/subnet that the clients will pick up. This will tell you what traffic the pix is seeing as it forwards the packets in the clear.

Also examine the pix log messages. Did you see a lot of deny statements due to broadcast traffic? If so, maybe the wins/dns info and/or servers are misconfigured on the vpngroup statement.

One other item to check is how the 501 connects to the service provider? Are you using PPPoE or ADSL? If so the effective mtu is 1492 not 1500 bytes, so it could be a path mtu issue.