cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1189
Views
0
Helpful
4
Replies

Slow traffic in one direction across LAN-to-LAN IPsec VPN

noisey_uk
Level 1
Level 1

Well this is driving me mental. I have a pair of 5508-X in an active/standby pair at the head-end (Site A) and a single 5506-X at a remote site (Site B). They have an IPsec VPN established (IKEv1,AES,SHA) and are passing traffic in both directions. The remote site has split-tunnelling configured too. The weird thing is that Site A > Site B throughput is 40Mbps but Site A < Site B throughput is only about 5Mbps. Has anyone come across a similar situation and have any suggestions?

Packet captures from the DMZ interface of the Site A ASA are attached. Headers only. I can see duplicate ACKs, fast retransmits, and out-of-order notifications which suggest packet loss... but why would I only be seeing packet loss in one path direction? 172.28.40.108 is in the DMZ of Site A. 172.16.12.237 is at Site B.

I've checked the switching and routing path from end-to-end... nothing's going wrong there.

Thanks for looking!

4 Replies 4

Philip D'Ath
VIP Alumni
VIP Alumni

This is frequently an MTU issue. Often caused by one end using PPPoE and the other end not.  try something like this:

sysopt connection tcpmss 1300

It's Ethernet handoff from the ISP at both ends. We tried adjusting this previously however, just in case... unfortunately no change.

Philip D'Ath
VIP Alumni
VIP Alumni

It could also be a mis-matched speed/duplex setting on an interface.  I would check all of those, after trying the MSS adjustment I have suggested.

Speed and duplex are auto everywhere and interface counters don't show any drops or errors which would indicate these as the issue