Slow Point to Point VPN with ASA 5506-X

tfearson
Level 1

We are operating a point-to-point VPN link between 2 sites of a corporate LAN.

Each site has a 75/15 mb cable Ethernet connection behind an ASA 5506-X.

Internet speeds are fine and near rated speeds at each location.

However, file access is very slow when getting files from the other site over the VPN link.  When transferring large files it is slow to start and a little slow on transfer.  When doing multiple small files it slows to a crawl.

example of slowdown:

save to Microsoft onedrive = 45 seconds

save across vpn = 4 minutes

Questions:

1.  Is this possibly limited by the performance of the ASA 5506-X?  It is lightly loaded as far as users and the slowdown is there even when only 1 person is transferring data.

2.  Could a change in settings on the ASA 5506-X improve performance?

3.  Is a faster ASA the answer?

Any thoughts or suggestions appreciated.

4 Replies

Michael Beck
Level 1

The 5506X is a perfectly good device for the bandwidth you are dealing with.  You have a 75/15 so the maximum throughput you can ever expect on your VPN is 15 mbps.  Since you have a next gen firewall, one can expect you are using Sourcefire IPS.  Even with IPS inspection in path your 5506X is capable of over 100 mbps throughput.

So you don't need a new ASA.

It would be interesting to look at the ping times between the host and server across the VPN and the ping times to the Microsoft Onedrive.  Are they significantly skewed?

RTT (round trip time) and TCP window size determine the max theoretical throughput between hosts in a TCP conversation. 

"It would be interesting to look at the ping times between the host and server across the VPN and the ping times to the Microsoft Onedrive.  Are they significantly skewed?"

ping to onedrive.live.com =

Ping statistics for 204.79.197.217:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 22ms, Average = 16ms

ping to server=

Ping statistics for 192.168.100.150:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 31ms, Average = 27ms

If this would be helpful:

C:\Users\tfearson.CURTISBAYENERGY\Downloads\PSTools>psping -b -l 4096 -n 1000 -h 50 192.168.100.150:80
PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Setting warmup count to match number of outstanding I/Os: 8
TCP bandwidth test connecting to 192.168.100.150:80: Connected
1008 iterations (8 warmup) sending 4096 bytes TCP bandwidth test: -1238715100%
TCP sender bandwidth statistics:
  Sent = 1000, Size = 4096, Total Bytes: 4124672,
  Minimum = 0.00 b/s, Maximum = 2.52 MB/s, Average = 2.03 MB/s

Well, the differences are not that large.  Onedrive is 10ms faster but even at 24ms RTT with a 64K TCP window size you should be capable of achieving in excess of your 15 mbps uplink speed.

Note that PSPing shows a max throughput of 2.52 MB/s.  I'm reading that as MegaBytes, so times that by 8 gives us around 20 mbps.

That indicates that your VPN network is performing better than it should (you have a 15 mbps upload limit).

You could also set up an FTP server on one side of the link and an FTP client on the other.  Try an FTP get/put of a large file and see what the throughput is on that file transfer...

So far it looks like the VPN network is performing well.

BTW, thanks for the pointer to PSPing (never seen that before).

I ran into a similar issue.

Check your logs and look for "Dropped UDP DNS reply". If you are seeing this between the two endpoints then have a look at your inspect maps, and set the DNS inspect to 1024.

http://www.802101.com/poor-asa-site-to-site-vpn-performance-it-could-be-dns/
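
To check logs for the symptom the last reply describes, the following added example (not part of the thread) scans syslog text for the "Dropped UDP DNS reply" message, groups the drops by host pair, and reports which pairs would still exceed a 1024-byte limit. The sample lines are constructed, and the field layout after the quoted phrase is an assumption to adapt to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). The field layout after
# the phrase "Dropped UDP DNS reply" is an assumption; adapt the regex to your logs.
SAMPLE_LOG = """\
Mar 01 10:15:02 asa-a %ASA-4-410001: Dropped UDP DNS reply from outside:192.168.100.10/53 to inside:192.168.1.25/51544; packet length 698 bytes exceeds configured limit of 512 bytes
Mar 01 10:15:03 asa-a %ASA-6-302015: Built outbound UDP connection 4411 for outside:192.168.100.10/53 to inside:192.168.1.25/51545
Mar 01 10:15:09 asa-a %ASA-4-410001: Dropped UDP DNS reply from outside:192.168.100.10/53 to inside:192.168.1.31/60211; packet length 1104 bytes exceeds configured limit of 512 bytes
Mar 01 10:16:40 asa-a %ASA-4-410001: Dropped UDP DNS reply from outside:192.168.100.10/53 to inside:192.168.1.25/51990; packet length 540 bytes exceeds configured limit of 512 bytes
"""

DROP_RE = re.compile(
    r"Dropped UDP DNS reply from (?P<src>\S+?)/\d+ to (?P<dst>\S+?)/\d+"
    r"(?:; packet length (?P<length>\d+) bytes)?"
)


def summarize_dns_drops(log_text):
    """Count dropped DNS replies per (server, client) pair and keep the largest size."""
    stats = defaultdict(lambda: {"drops": 0, "max_length": 0})
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # unrelated message
        entry = stats[(m["src"], m["dst"])]
        entry["drops"] += 1
        if m["length"]:
            entry["max_length"] = max(entry["max_length"], int(m["length"]))
    return dict(stats)


def still_dropped_at(stats, new_limit):
    """Pairs whose largest observed reply would still exceed new_limit bytes."""
    return sorted(pair for pair, e in stats.items() if e["max_length"] > new_limit)


if __name__ == "__main__":
    stats = summarize_dns_drops(SAMPLE_LOG)
    for (src, dst), e in sorted(stats.items()):
        print(f"{src} -> {dst}: {e['drops']} drops, largest reply {e['max_length']} bytes")
    # 1024 is the value suggested in the thread
    print("still dropped at 1024:", still_dropped_at(stats, 1024))
```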