Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1086
Views
0
Helpful
4
Replies

Site to Site slow applications

Lajja1234
Level 1
Level 1

‎11-13-2012 05:45 AM

Hi!

We have one office and one construction site. The construction site connects to the office through site to site VPN but the applications used on the construction site goes very slow!

There is a Cisco asa 5505 at the construction site and a Pix Version 6.3(5) at the office. The ISP line is 100Mbit fiber at both locations. Speedcheck shows 80 mbit/s at the construction site and when my constructors pings the local servers the response time is about 10 ms. There is only small amounts of data that is going through the tunnel.

Are there some limitations in the site to site software that is causing this? It is strange that it is so slow when speedcheck shows good result and ping shows good result.

Anyone got any ideas?

Regards Lajja

Labels:
0 Helpful
4 Replies 4

pkupisie
Cisco Employee
Cisco Employee

‎11-13-2012 06:07 AM

Hello Lajja,

Please compare encaps/decaps counters in "show crypto ipsec sa" on both ends to see if any packets on the way are being dropped. You can clear this counters before comparison to have good picture.

By slow performance what exactly do you mean? You are saying 80mbit/s in pure Internet, can you measure it through VPN?

0 Helpful

Lajja1234
Level 1
Level 1
In response to pkupisie

‎11-13-2012 06:14 AM

Hi!

By slow performance i mean that the database on the servers does timeout. Yes i can measure it throug the tunnel. I connect through the tunnel and then run the application on internet.

I am not sure that the problem is the tunnel, it might be a problem with the clients och the databases.

0 Helpful

pkupisie
Cisco Employee
Cisco Employee
In response to Lajja1234

‎11-13-2012 06:31 AM

Yeah, that's what I would check if possible. Just run some FTP server on one side and try to download some file through it to see exact performance.

It would let us know if the problem is VPN or the database application.

You are saying that there is a delay about 10ms - for some databases it is already a lot. If the client is doing multiple queries it is more sensitive to delay rather then to throughput problems.

Another test would be to set-up static NAT and put this database application through Internet without VPN. Obviously it can be security issue, so it is up to you if this solution is possible.

After that tests the next step would be to do captures and analyze the data, but before that I would go with above basic tests.

Cheers!

0 Helpful

david.tran
Level 4
Level 4
In response to pkupisie

‎11-13-2012 06:28 PM

This is very likely an MTU issue.  You can confirm this by reducing the tcp mss on the ASA and Pix.  If you can not do this because it is a global change, modify the MTU on the server itself to something like 1300 (linux it is ifconfig eth0 mtu 1300).  If PMTU is enabled, that will likely fix your issue.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents