Sloooow VPN

VPN connection only able to hit a max of 1.7mbps

Using a 2811 with 512MB ram and AIM-SSL module connected to a 1841 with 256MB ram and AIM-VPN module

Both sites are able to transfer ~100mbps between the two but through VPN only ~1.7mbps


crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key q###090909333 address no-xauth
crypto isakmp peer address

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
crypto ipsec transform-set clients esp-aes 256 esp-sha-hmac
crypto ipsec transform-set default-3des esp-3des esp-sha-hmac
crypto ipsec transform-set default-comp esp-aes 256 esp-sha-hmac comp-lzs
crypto ipsec transform-set null esp-null esp-sha-hmac
crypto ipsec transform-set default-alt ah-sha-hmac esp-aes 256
crypto ipsec df-bit clear

crypto map crypto-map local-address Loopback104
crypto map crypto-map 10 ipsec-isakmp
 set peer
 set transform-set default
 set pfs group5
 match address VPN-1000250

interface Loopback104
 ip address
 ip nat inside
 no ip virtual-reassembly
 crypto map crypto-map

ip access-list extended VPN-1000250
 permit ip

Is there any setting I can change to significantly increase the throughput? These devices are ONLY used for VPN; we have separate routers and firewalls.


Post output of

show crypto isakmp sa

show crypto ipsec sa

Sent from Cisco Technical Support iPad App

show crypto isakmp sa

dst             src             state          conn-id slot status
                                QM_IDLE        2048    0    ACTIVE


show crypto ipsec sa

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 54674464, #pkts encrypt: 54674464, #pkts digest: 54674464
    #pkts decaps: 129026472, #pkts decrypt: 129026472, #pkts verify: 129026472
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 1

     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xFFC2592F(4290926895)

     inbound esp sas:
      spi: 0xD7D78B06(3621227270)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 167, flow_id: AIM-VPN/BPII-PLUS:167, crypto map: crypto-map
        sa timing: remaining key lifetime (k/sec): (4584891/1972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFFC2592F(4290926895)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 168, flow_id: AIM-VPN/BPII-PLUS:168, crypto map: crypto-map
        sa timing: remaining key lifetime (k/sec): (4592040/1972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I'll try it, but I read the optimal was 1400, which we're using.

Verify it using an extended ping with a high MTU and the DF bit on, just to be sure.

Check for any asymmetrical routing going on, with packets using a different path to get to the VPN devices, since you mentioned these are dedicated VPN devices.


Thanks, that improved it to 2.28mbps, but I'd prefer faster.

What config did Cisco use to test the 40mbps throughput they show it can handle at 1400?

Did you adjust the MSS for TCP on both ends of the tunnel?

Also, I just saw that what Cisco is saying is that the 1841 gives you 25-40 mbps for 1400-byte packets + internet mix traffic, so traffic in production is normally not what the sales pitch is ;-).


Yes, both ends are 1300.

Sorry for being a noob, but:

Does IMIX really apply when these are only being used for a p2p tunnel for certain subnets?

Also, do I need to lower the MTU for the tunnel from 1500 to a lower number than the physical interface (currently 1300)?


IMIX = internet mix traffic. I think they mean the traffic with which the device was tested was a mix of TCP, UDP, etc. protocols and not just one protocol, but in addition they say + 1400-byte packets, which I don't understand, as general internet mix traffic is of random size as well.

You can try the following on the tunnel interfaces:

tunnel path-mtu-discovery
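
Added worked example (not from this thread, and not Cisco's code or output): a small Python calculation of the tunnel-mode ESP overhead for the transform sets named in the posted config, showing why a 1500-byte inner packet no longer fits a 1500-byte path MTU once encrypted while a 1400-byte one does, the largest inner MTU that still fits, and the TCP MSS that corresponds to a given inner MTU. The framing sizes (20-byte outer IPv4 header, 8-byte ESP header, a CBC IV equal to the cipher block size, padding to the block size plus a 2-byte trailer, a 12-byte HMAC-SHA1-96 ICV, a 24-byte AH header for the ah-sha-hmac set) are assumptions stated in the code; the transform-set names are the ones from the config above.

```python
"""Tunnel-mode ESP overhead for the transform sets in the posted config.

Constructed example; the byte sizes below are assumptions about standard
ESP/AH framing, not values read from either router.
"""
from dataclasses import dataclass

OUTER_IP_HEADER = 20    # new IPv4 header added in tunnel mode (assumption)
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12   # esp-sha-hmac truncates HMAC-SHA1 to 96 bits
AH_SHA1_96_HEADER = 24  # ah-sha-hmac: 12-byte fixed header + 96-bit ICV


@dataclass(frozen=True)
class TransformSet:
    name: str
    block_size: int   # cipher block size; ESP payload is padded to a multiple of it
    iv_size: int      # CBC IV carried in front of the ciphertext
    ah: bool = False  # an AH header is added as well (the default-alt set)


# Names follow the transform sets in the posted config; sizes are assumptions.
AES256_SHA = TransformSet("default (esp-aes 256 esp-sha-hmac)", 16, 16)
TRIPLE_DES_SHA = TransformSet("default-3des (esp-3des esp-sha-hmac)", 8, 8)
AES256_SHA_AH = TransformSet("default-alt (ah-sha-hmac esp-aes 256)", 16, 16, ah=True)


def esp_packet_size(inner_len: int, ts: TransformSet) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes after ESP."""
    body = inner_len + ESP_TRAILER
    padding = (-body) % ts.block_size      # pad up to the cipher block boundary
    encrypted = body + padding
    size = OUTER_IP_HEADER + ESP_HEADER + ts.iv_size + encrypted + HMAC_SHA1_96_ICV
    if ts.ah:
        size += AH_SHA1_96_HEADER
    return size


def fragments_at(path_mtu: int, inner_len: int, ts: TransformSet) -> bool:
    """True when the encrypted packet exceeds the path MTU and must be fragmented."""
    return esp_packet_size(inner_len, ts) > path_mtu


def max_inner_mtu(path_mtu: int, ts: TransformSet) -> int:
    """Largest inner packet whose ESP encapsulation still fits in path_mtu."""
    for inner in range(path_mtu, 0, -1):
        if esp_packet_size(inner, ts) <= path_mtu:
            return inner
    return 0


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS = inner MTU minus 20-byte IPv4 and 20-byte TCP headers (no options)."""
    return inner_mtu - 40


def summarize(path_mtu: int = 1500) -> dict:
    """Per transform set: the inner MTU that fits and the matching TCP MSS."""
    out = {}
    for ts in (AES256_SHA, TRIPLE_DES_SHA, AES256_SHA_AH):
        mtu = max_inner_mtu(path_mtu, ts)
        out[ts.name] = {"inner_mtu": mtu, "tcp_mss": tcp_mss_for(mtu)}
    return out


if __name__ == "__main__":
    for ts in (AES256_SHA, TRIPLE_DES_SHA, AES256_SHA_AH):
        print(ts.name)
        for inner in (1500, 1400, 1300):
            size = esp_packet_size(inner, ts)
            note = "FRAGMENTS" if fragments_at(1500, inner, ts) else "fits"
            print(f"  inner {inner:4d} -> wire {size:4d}  ({note})")
    for name, v in summarize().items():
        print(f"{name}: max inner MTU {v['inner_mtu']}, TCP MSS {v['tcp_mss']}")
```

A packet that is fragmented after encryption has to be reassembled by the far router before it can be authenticated and decrypted, which is the extra work the MTU tuning in this thread is avoiding; lowering the MSS on both ends keeps TCP from ever producing a full-size packet, so the DF bit never has to be cleared for that traffic.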


Anything else you see in my config that would limit the speed?

Not really for what is being posted, but as I said, please check for any asymmetrical routing when traffic is being pushed through the tunnel. You can also change the transform set from aes256 to 3des, but that wouldn't make a big difference.

