07-09-2019 07:26 AM - edited 02-21-2020 09:41 PM
Hi
I've set up a L2L tunnel between a frp2140 (running FTD) and a frp2120 (running ASA).
Internet speed on site frp2140 = 2Gb
Internet speed on site frp2120 = 1Gb
Traffic on frp2140 is fastpath in the prefilter policy.
Cisco IPsec VPN performance numbers:
2140 ~ 3.2Gb (FTD) - I'm running 6.2.3.13
2120 ~ 700Mb (ASA) - I'm running 9.6
But when I test with iperf (UDP, 450-byte packet size, 20 threads) through the tunnel I get max 300 Mb....WHY...
2140 - testing iperf towards the internet (not through the VPN tunnel) I get 1-1,5 Gb (traffic is fastpath)
2120 - testing iperf towards the internet (not through the VPN tunnel) I get 900Mb
Any ideas why my performance is so degraded ?
/Henrik
07-10-2019 03:42 AM
Hi
Thanks for your reply.
I don't quite understand how splitting SAs will help server-to-server traffic..
/Henrik
07-09-2019 09:14 AM
It all depends on how you are testing. Another suggestion is to check with the iperf tool and see what site-to-site speeds you get.
Check the tunnel MTU settings and see if you can tweak them - again, we need to know how the traffic is intercepted in the FW.
07-10-2019 03:38 AM
hi
Thanks for your reply.
Where do I change the tunnel MTU - we are running ASA/FTD?
07-09-2019 10:30 AM
Are you using a single SA for the tunnel? I believe there are some limitations on how much data you can send via a single tunnel SA. Try splitting it up into 10 different SAs and send a combined throughput of 1Gbps through all the tunnels.
Also, the ASA OS balances the crypto accelerator resources between IPsec and SSL. So if you want to test IPsec max performance, you will have to set the bias towards IPsec:
crypto engine accelerator-bias ipsec
This command needs to be applied via Flexconfig.
07-11-2019 01:51 AM
Hi All
I found out that the Firepower 2100 series can perform between 200 ~ 300 Mb per SA - so splitting up SAs is the solution.
Working as designed :-(
/Henrik
02-22-2020 01:02 PM
In your ACL defining the VPN interesting traffic, if you have a network such as 192.168.8.0/22 you could split that up into 2 x /23 or 4 x /24 networks; thus when a VPN is established this will create multiple SAs.
HTH
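As an added illustration of the split described above (my own script, not from the thread or from Cisco): given the per-SA ceiling Henrik reported (200-300 Mb, here taken as 250 Mb/s, an assumption) and a target throughput, it works out how many SAs are needed, splits the local network into equal subnets, and emits the matching crypto ACL lines in ASA `access-list ... extended permit ip` syntax. The ACL name and the 192.168.8.0/22 / 10.20.30.0/24 pair are constructed sample values.

```python
import ipaddress
import math

# Per-SA ceiling quoted in the thread for the Firepower 2100 (200-300 Mb);
# 250 Mb/s is an assumed midpoint, not a documented figure.
PER_SA_MBPS = 250


def sas_needed(target_mbps, per_sa_mbps=PER_SA_MBPS):
    """Number of SAs required so that no single SA must carry more than the ceiling."""
    return max(1, math.ceil(target_mbps / per_sa_mbps))


def split_prefix(network, parts):
    """Split a prefix into equal subnets, rounding 'parts' up to a power of two."""
    net = ipaddress.ip_network(network, strict=True)
    extra_bits = math.ceil(math.log2(parts)) if parts > 1 else 0
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{network} cannot be split into {parts} subnets")
    return list(net.subnets(new_prefix=new_prefix))


def crypto_acl(acl_name, local, remote, target_mbps):
    """Emit one ACE per local subnet; each ACE negotiates its own IPsec SA pair."""
    rnet = ipaddress.ip_network(remote, strict=True)
    lines = []
    for sub in split_prefix(local, sas_needed(target_mbps)):
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{sub.network_address} {sub.netmask} {rnet.network_address} {rnet.netmask}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample: 1 Gb/s target over a /22 site network to a /24 remote site.
    for ace in crypto_acl("VPN-INTERESTING", "192.168.8.0/22", "10.20.30.0/24", 1000):
        print(ace)
```

Note the caveat Henrik raised: a single server pair still matches exactly one ACE and therefore one SA, so the split only raises aggregate throughput when the flows are spread across the resulting subnets.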
08-20-2020 05:39 AM
Can someone please share the documentation on the Cisco 2100 FTD series only being able to perform between 200 ~ 300 Mb per SA?
12-22-2020 08:32 AM
Hi, can you please publish where you found it out ??? Links please
12-24-2020 07:15 AM
See:
IPSec bandwith Limitations Firepower 2140