Showing results for 
Search instead for 
Did you mean: 

Site to Site slow applications



We have one office and one construction site. The construction site connects to the office through site to site VPN but the applications used on the construction site goes very slow!

There is a Cisco asa 5505 at the construction site and a Pix Version 6.3(5) at the office. The ISP line is 100Mbit fiber at both locations. Speedcheck shows 80 mbit/s at the construction site and when my constructors pings the local servers the response time is about 10 ms. There is only small amounts of data that is going through the tunnel.

Are there some limitations in the site to site software that is causing this? It is strange that it is so slow when speedcheck shows good result and ping shows good result.

Anyone got any ideas?

Regards Lajja


Cisco Employee
Cisco Employee

Hello Lajja,

Please compare encaps/decaps counters in "show crypto ipsec sa" on both ends to see if any packets on the way are being dropped. You can clear this counters before comparison to have good picture.

By slow performance what exactly do you mean? You are saying 80mbit/s in pure Internet, can you measure it through VPN?


By slow performance i mean that the database on the servers does timeout. Yes i can measure it throug the tunnel. I connect through the tunnel and then run the application on internet.

I am not sure that the problem is the tunnel, it might be a problem with the clients och the databases.

Yeah, that's what I would check if possible. Just run some FTP server on one side and try to download some file through it to see exact performance.

It would let us know if the problem is VPN or the database application.

You are saying that there is a delay about 10ms - for some databases it is already a lot. If the client is doing multiple queries it is more sensitive to delay rather then to throughput problems.

Another test would be to set-up static NAT and put this database application through Internet without VPN. Obviously it can be security issue, so it is up to you if this solution is possible.

After that tests the next step would be to do captures and analyze the data, but before that I would go with above basic tests.


This is very likely an MTU issue.  You can confirm this by reducing the tcp mss on the ASA and Pix.  If you can not do this because it is a global change, modify the MTU on the server itself to something like 1300 (linux it is ifconfig eth0 mtu 1300).  If PMTU is enabled, that will likely fix your issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: