Well, this is driving me mental. I have a pair of 5508-X in an active/standby pair at the head-end (Site A) and a single 5506-X at a remote site (Site B). They have an IPsec VPN established (IKEv1, AES, SHA) and are passing traffic in both directions. The remote site has split-tunnelling configured too. The weird thing is that Site A > Site B throughput is 40 Mbps but Site A < Site B throughput is only about 5 Mbps. Has anyone come across a similar situation, and does anyone have any suggestions?
Packet captures from the DMZ interface of the Site A ASA are attached. Headers only. I can see duplicate ACKs, fast retransmits, and out-of-order notifications, which suggest packet loss... but why would I only be seeing packet loss in one path direction? 172.28.40.108 is in the DMZ of Site A. 172.16.12.237 is at Site B.
I've checked the switching and routing path from end-to-end... nothing's going wrong there.
Thanks for looking!