Slow VPN throughput to Palo Alto

baskervi
Level 1

We have an ASA 5555 running asa992-smp-k8.bin with multiple VPN tunnels and a 1 Gbps connection to the Internet. We recently installed a new tunnel to a Palo Alto firewall - unsure of the make or model or version of firmware. Speed is abysmal - less than 1 Mbps generally. On the ASA, the CPU is idling around 1-2%, free memory 73%, and 5 minute average traffic rate is typically around 100 Mbps. There aren't any errors or events on tunnel debugging or in the logs, but I have no visibility into the other side. I'm also not finding anything on Google. Any ideas? Thanks

3 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

I just checked the estimated performance of the ASA5555 with IPsec enabled, based on the real-world packet size of around 730B. As per the results, the ASA5555 should be able to work fine at around 700 Mbps. At 750, it will reach approx 100% process utilization. So you need to check two things: first, the model of the Palo Alto and its expected real-time throughput. If there is no issue with the platform throughput, then check the physical medium between the two; try to change the physical cables that are used at either side for connecting to the ISP.

Find attached snapshot from the performance estimator

balaji.bandi
Hall of Fame

This requires more information; it's hard to say which side is the issue.

Steps to address this issue:

1. Do you have good performance without the tunnel on both sides, with the expected bandwidth throughput?

2. Check the MTU settings - tweak as per the vendor recommendations.

3. Post the configuration of both sides to understand your encryption.

4. What is the Palo Alto version?

It would be good if you can also share a high-level diagram of how these devices are connected in the network.

I had some issues around some bugs around PAN 6.X OS (if you are using it).

Check some interoperability configs:

https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D8etAAC&field=Attachment_1__Body__s

 

BB

Here are some additional details. The remote end is a Palo PA-5000 series firewall. Unsure of the firmware version, but I'll ask. We ran speed tests yesterday, and throughput is close to 1 Gbps bidirectionally so no performance issues there.

I configure a lot of VPNs, and this is a standard policy-based VPN connected externally to an Internet router running BGP. Nothing unusual here. The linked document on the Palo website shows a pretty standard configuration and is similar to the one I used - just different encryption and hashing. This problem is something unique to these hosts, as we have some other tunnels that perform as expected. The other end has a 700 Mbps link with quite a bit of free capacity, and they are not experiencing problems with the other links.

We adjusted the MTU settings yesterday, but there wasn't a significant change to the performance. I think we're going to pursue checking out the firmware on both ends to see if that might help. We've also discussed setting up a route-based VPN.

Thanks for your inputs.
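
For the MTU check discussed in the replies above, an added example (not part of the original thread) that estimates ESP tunnel-mode overhead so the inner MTU or TCP MSS can be set below the fragmentation point. The cipher profiles, the 1500-byte path MTU and IPv4 without TCP options are assumptions, since the thread does not state the tunnel's proposal.

```python
# Added example: ESP tunnel-mode overhead and the resulting safe TCP MSS.
# The profiles below are assumed; substitute the tunnel's negotiated proposal.

OUTER_IPV4 = 20     # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)
NAT_T_UDP = 8       # UDP header when NAT traversal encapsulation is used
INNER_IP_TCP = 40   # inner IPv4 (20) + TCP (20) headers, no options

# profile name: (IV bytes, padding alignment in bytes, ICV bytes)
PROFILES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}


def esp_packet_size(inner_len, profile, nat_t=False):
    """On-the-wire size of an ESP packet carrying an inner IP packet."""
    iv, align, icv = PROFILES[profile]
    # Inner packet plus trailer is padded up to the cipher's alignment.
    padded = ((inner_len + ESP_TRAILER + align - 1) // align) * align
    encap = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + encap + ESP_HEADER + iv + padded + icv


def max_inner_packet(path_mtu, profile, nat_t=False):
    """Largest inner IP packet that still fits in path_mtu after ESP."""
    size = path_mtu
    while size > 0 and esp_packet_size(size, profile, nat_t) > path_mtu:
        size -= 1
    return size


def tcp_mss(path_mtu, profile, nat_t=False):
    """TCP MSS that keeps encrypted segments within path_mtu."""
    return max_inner_packet(path_mtu, profile, nat_t) - INNER_IP_TCP


if __name__ == "__main__":
    for name in PROFILES:
        for nat_t in (False, True):
            print(f"{name:26} nat_t={nat_t!s:5} "
                  f"full 1500B packet -> {esp_packet_size(1500, name, nat_t)}B, "
                  f"max inner {max_inner_packet(1500, name, nat_t)}B, "
                  f"MSS {tcp_mss(1500, name, nat_t)}")
```

A full-size 1500-byte inner packet exceeds a 1500-byte path MTU under every profile here, so it is either fragmented or dropped when the DF bit is set and ICMP unreachables are filtered along the path.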