This is frequently an MTU

noisey_uk · ‎03-23-2017

Well this is driving me mental. I have a pair of 5508-X in an active/standby pair at the head-end (Site A) and a single 5506-X at a remote site (Site B). They have an IPsec VPN established (IKEv1,AES,SHA) and are passing traffic in both directions. The remote site has split-tunnelling configured too. The weird thing is that Site A > Site B throughput is 40Mbps but Site A < Site B throughput is only about 5Mbps. Has anyone come across a similar situation and have any suggestions?

Packet captures from the DMZ interface of the Site A ASA are attached. Headers only. I can see duplicate ACKs, fast retransmits, and out-of-order notifications which suggest packet loss... but why would I only be seeing packet loss in one path direction? 172.28.40.108 is in the DMZ of Site A. 172.16.12.237 is at Site B.

I've checked the switching and routing path from end-to-end... nothing's going wrong there.

Thanks for looking!

Philip D'Ath · ‎03-23-2017

This is frequently an MTU issue. Often caused by one end using PPPoE and the other end not. try something like this:

sysopt connection tcpmss 1300

noisey_uk · ‎03-23-2017

It's Ethernet handoff from the ISP at both ends. We tried adjusting this previously however, just in case... unfortunately no change.

Philip D'Ath · ‎03-23-2017

It could also be a mis-matched speed/duplex setting on an interface. I would check all of those, after trying the MSS adjustment I have suggested.

noisey_uk · ‎03-23-2017

Speed and duplex are auto everywhere and interface counters don't show any drops or errors which would indicate these as the issue

Slow traffic in one direction across LAN-to-LAN IPsec VPN