01-21-2020 04:14 PM
We have an ASA 5555 running asa992-smp-k8.bin with multiple VPN tunnels and a 1 Gbps connection to the Internet. We recently installed a new tunnel to a Palo Alto firewall - unsure of the make or model or version of firmware. Speed is abysmal - less than 1 Mbps generally. On the ASA, the CPU is idling around 1-2%, free memory 73%, and the 5 minute average traffic rate is typically around 100 Mbps. There aren't any errors or events on tunnel debugging or in the logs, but I have no visibility into the other side. I'm also not finding anything on Google. Any ideas? Thanks
01-21-2020 06:51 PM
Hi,
I just checked the estimated performance of the ASA5555 with IPsec enabled, based on a real-world packet size of around 730 B. As per the results, the ASA5555 should be able to work fine at around 700 Mbps. At 750, it will reach approx. 100% processor utilization. So you need to check two things: first, the model of the Palo Alto and its expected real-time throughput. If there is no issue with the platform throughput, then check the physical medium between the two; try changing the physical cables used at either side for connecting to the ISP.
Find attached snapshot from the performance estimator
01-21-2020 08:07 PM
This requires more information; it's hard to say which side is the issue.
Steps to address this issue:
1. Do you have good performance without the tunnel on both sides, i.e. the expected bandwidth throughput?
2. Check the MTU settings; tweak as per the vendor recommendations.
3. Post both sides' configuration so we can understand your encryption.
4. What is the Palo Alto version?
It would be good if you could also share a high-level diagram of how these devices are connected in the network.
I had some issues with some bugs in PAN-OS 6.x (if you are using it).
Check some interoperability configs:
01-23-2020 08:18 AM
Here are some additional details. The remote end is a Palo PA-5000 series firewall. Unsure of the firmware version, but I'll ask. We ran speed tests yesterday, and throughput is close to 1 Gbps bidirectionally so no performance issues there.
I configure a lot of VPNs, and this is a standard policy-based VPN connected externally to an Internet router running BGP. Nothing unusual here. The linked document on the Palo website shows a pretty standard configuration and is similar to the one I used - just different encryption and hashing. This problem is something unique to these hosts, as we have some other tunnels that perform as expected. The other end has a 700 Mbps link with quite a bit of free capacity, and they are not experiencing problems with the other links.
We adjusted the MTU settings yesterday, but there wasn't a significant change to the performance. I think we're going to pursue checking out the firmware on both ends to see if that might help. We've also discussed setting up a route-based VPN.
Thanks for your inputs.