Re: Slow Speed in Ipsec Site to Site VPN Tunnel

NeWGuy1109 · ‎02-27-2020

I have created S2S Tunnel (IKEv2) between a CIsco ASA and a Palo Alto at the remote site... users are reporting slowness while accessing sites hosted at Data Center through the tunnel. Bandwidth and utilization at both locations is fine and that does not seem to be the issue. Can someone please suggest what could be the issue here.

Thanks

Rob Ingram · ‎02-27-2020

Hi,
Are you routing or natting over the tunnel?
Do you have an ACL to restrict traffic?....this could unintentially be blocking some traffic causing the slowness
Can you run a packet capture of some traffic and confirm the response time and if an errors or retransmissions.
Can you provide the output of "show crypto ipsec sa"

HTH

Sheraz.Salim · ‎02-27-2020

was this tunnel slow from day 1 or just recently it get slow? any changes made in your network or remote side?

which firewall is initiator and which firewall is responder? if you run a ping from one remote site to other what is the response time you get?

please do not forget to rate.

Cristian Matei · ‎02-27-2020

Hi,

If everything looks normal on both devices (load, link capacity), look at possibly MTU and pathMTU causing slowness. Check this document out and make necessary changes the ASA side, Palo Alto does the necessary changes to MSS/MTU by itself:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html

Check fragment drops on the ASA with "show fragments".

Regards,

Cristian Matei.

Sheraz.Salim · ‎02-28-2020

@Cristian Matei how are you? change the fragment path need on ikev2 or on the interface of the ASA? if changing the ASA MTU on the firewall it will not impact the other traffic which is going outbound toward internet?

please do not forget to rate.