05-03-2013 02:42 PM - edited 02-21-2020 06:52 PM
We have many VPN tunnels back to our corporate office. All of these tunnels are very slow (same with our client VPNs). Our main firewall device at the corporate office is an ASA5510. We have a 100 Mb/sec Metro Ethernet internet connection here. We do not allow split-tunneling.
Our remote sites vary. We have DSL connections, cable internet connections, and other types of broadband that vary in speeds from 5 to 100 Mb/sec (up and down). The remote sites mostly have PIX 501s, but we have an ASA 5505 in one of the locations.
To take an example: on one of our remote sites that has a 100 Mb/sec connection, if I ping device to device, I'm getting ping times of about 50ms. And I'm pinging back through another 100 Mb/sec connection. If I get on a computer down there and run a speed test, I'm showing down speeds of about 1.5 Mb/sec... nowhere near 100. Some of that could be due to the lack of split tunneling, but I also suspect this could be an MTU issue. If anyone could help me figure it out, that would be great.
Right now, all my MTUs are just set to the default 1500. Perhaps this is too high. I used this site to check my max:
http://www.dslreports.com/faq/695
I did a few tests from behind several of my firewalls. I pinged from a machine on one side of the tunnel to the firewall on the other end. I'm assuming the max MTU I come up with is the max MTU for the firewall I'm behind while pinging, right? The max amounts I came up with for some of my devices were as follows:
Corporate ASA 5510 > 1272 (if you add the 28 byte packet header that would make it 1300)
Remote PIX 501 > 1416 (if you add the 28 byte packet header that would make it 1444)
Remote ASA 5505 > 1418 (if you add the 28 byte packet header that would make it 1446)
So, do I just need to set my MTU values to the appropriate amounts? I have tried changing the value, but I don't see any change in speed/performance. But I also don't know if I need to reboot the firewalls after changing the MTU. I know with Catalyst switches, you have to reload. But I didn't see any messages about needing to reboot on the ASAs/PIXes.
If anyone has some more info on it, I would greatly appreciate it. Or maybe this has nothing to do with MTU, and I'm barking up the wrong tree. I will be happy to post sanitized configs if anyone needs to see them.
Thanks
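Added example, not from the thread: the MTU arithmetic the post above is doing, worked in code. It converts the largest unfragmented ping payload to a path MTU (the +28 the post applies), estimates ESP tunnel-mode overhead for the esp-3des/esp-md5-hmac transform set the configs in this thread use, and automates the DF-bit payload sweep the linked FAQ has you do by hand. The ESP block and ICV sizes are standard protocol values; the probe function and its 1300-byte path are constructed.

```python
"""MTU arithmetic for an IPsec tunnel, as discussed in the post above.

Added example, not from the thread. ESP figures are the standard ones for
esp-3des (8-byte blocks) with esp-md5-hmac (12-byte ICV); 'payload' is the
ICMP data size handed to ping, as in the dslreports test.
"""
from typing import Callable

ICMP_IP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header


def mtu_from_ping_payload(payload: int) -> int:
    """Largest ping payload that passes with DF set -> path MTU (1272 -> 1300)."""
    return payload + ICMP_IP_OVERHEAD


def esp_tunnel_size(inner_len: int, block: int = 8, icv: int = 12,
                    nat_t: bool = False) -> int:
    """Outer IPv4 length of an inner packet after ESP tunnel-mode encapsulation.

    block: cipher block size (8 for 3DES/DES, 16 for AES).
    icv:   integrity check value (12 for md5-hmac / sha-hmac on these devices).
    nat_t: add the UDP/4500 header used when NAT traversal is negotiated.
    """
    # ESP trailer = padding up to the cipher block, then pad-length + next-header.
    padded = -(-(inner_len + 2) // block) * block
    outer = 20 + 8 + block + padded + icv   # outer IP + SPI/seq + IV + data + ICV
    return outer + 8 if nat_t else outer


def max_inner_mtu(path_mtu: int, **kw) -> int:
    """Largest inner packet that still fits path_mtu once encapsulated."""
    n = path_mtu
    while esp_tunnel_size(n, **kw) > path_mtu:
        n -= 1
    return n


def find_max_payload(fits: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload for which fits(payload) is True.

    Replaces the manual 'shrink the ping size until it stops fragmenting' sweep.
    fits() is whatever probe you have; below it is a constructed 1300-byte path.
    """
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if fits(mid) else (lo, mid - 1)
    return lo


if __name__ == "__main__":
    # Constructed probe: the path passes anything whose IP length is <= 1300.
    probe = lambda payload: payload + ICMP_IP_OVERHEAD <= 1300
    print("max payload", find_max_payload(probe), "-> path MTU",
          mtu_from_ping_payload(find_max_payload(probe)))
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes")
    print("largest inner packet for a 1500 path:", max_inner_mtu(1500))
```

The inner figure the last line reports is the one to compare with the values measured from behind each firewall in the post; on the ASA the TCP MSS clamp (sysopt connection tcpmss, default 1380) is what keeps TCP flows under it whatever the interface MTU says.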
05-04-2013 02:32 PM
Hi Jake,
Please post sanitized configs.
Please mention the upload and the download speeds of the terminating endpoints.
ASA5510
PIX501
ASA5505
Thanks and Regards,
ROHAN
05-07-2013 11:30 AM
OK, for this example, I'll use 3 offices: Corporate and 2 remotes.
Corporate: ASA 5510. 100M down/100M up (Metro Ethernet)
Remote1: Cisco PIX 501 100M down/100M up (local broadband provider, not sure type)
Remote2: ASA 5505. 14M down/3M up (local broadband provider, not sure type)
And here are the configs. I heavily sanitized them, and pulled out items that shouldn't be relevant. Let me know if some of these need to be included.
Corporate ASA 5510:
#####################################################
ASA Version 8.2(1)
!
hostname
domain-name
!
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
ip address
!
interface Ethernet0/1
speed 100
duplex full
nameif Inside
security-level 100
ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address
management-only
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
name-server
name-server
domain-name
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging buffer-size 1000000
logging monitor debugging
logging buffered debugging
logging trap notifications
logging asdm informational
logging host Inside
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool
ip local pool
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover key *****
failover replication http
failover link failover Ethernet0/3
failover interface ip failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Outside) 0 access-list NONAT
nat (Outside) 1
nat (Inside) 0 access-list NONAT
nat (Inside) 1
nat (Inside) 1
access-group outside-in in interface Outside
access-group inside-out in interface Inside
route Outside 0.0.0.0 0.0.0.0
route Inside
route Outside
route Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:00:00 h225 0:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADLDAP protocol ldap
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set my-set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map companyvpn 10 set pfs group1
crypto dynamic-map companyvpn 10 set transform-set my-set
crypto dynamic-map companyvpn 10 set reverse-route
crypto map VPN 10 match address
crypto map VPN 10 set peer
crypto map VPN 10 set transform-set my-set
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
crypto map VPN 30 match address
crypto map VPN 30 set peer
crypto map VPN 30 set transform-set my-set
crypto map VPN 30 set security-association lifetime seconds 28800
crypto map VPN 30 set security-association lifetime kilobytes 4608000
crypto map VPN 65535 ipsec-isakmp dynamic companyvpn
crypto map VPN interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 120
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 15
console timeout 0
management-access Inside
dhcpd address
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface Outside classify-list botnet-exclude
ntp server
ntp server
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value
vpn-tunnel-protocol IPSec
default-domain value
group-policy companyvpn internal
group-policy companyvpn attributes
banner value
dns-server value
vpn-tunnel-protocol IPSec
group-lock value companyvpn
default-domain value
username
tunnel-group
tunnel-group
pre-shared-key *
tunnel-group companyvpn type remote-access
tunnel-group companyvpn general-attributes
address-pool
authentication-server-group ADLDAP LOCAL
authentication-server-group (Inside) ADLDAP
default-group-policy companyvpn
tunnel-group companyvpn ipsec-attributes
pre-shared-key *
tunnel-group
tunnel-group
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map botnet-DNS
match port udp eq domain
class-map ips_class_map
match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
class ips_class_map
ips inline fail-open
policy-map botnet-policy
class botnet-DNS
inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface Outside
prompt hostname context
#####################################################
Remote1 PIX 501 Config:
#####################################################
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn-acl permit ip
access-list nonat-acl permit ip
pager lines 24
logging on
logging trap debugging
logging host inside
mtu outside 1472
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat-acl
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-acl
crypto map vpnmap 10 set peer
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
######################################
Remote 2 ASA 5505 Config:
######################################
ASA Version 7.2(3)
!
hostname
domain-name
enable
names
!
interface Vlan1
nameif inside
security-level 100
ip address
!
interface Vlan2
nameif outside
security-level 0
ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns server-group
domain-name
access-list nonat extended permit ip
access-list 101 extended permit ip
access-list from-internet extended permit icmp any any
pager lines 24
logging enable
logging monitor debugging
logging trap debugging
logging asdm informational
logging host inside
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group from-internet in interface outside
route outside 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:00:00 h225 0:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set my-set esp-3des esp-md5-hmac
crypto map mymap 20 match address 101
crypto map mymap 20 set peer
crypto map mymap 20 set transform-set my-set
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username
tunnel-group
tunnel-group
pre-shared-key *
prompt hostname context
01-03-2016 07:44 AM
@Jake Did you find the fix? I'm facing similar issues.