Using NAT-T in ASA 5505 will cost you 5% performance hit? Why?

bbiandov
Level 1

So I know this box is ancient, hence I had a pile of them and wanted to play with some performance testing one day in a lab. I was astonished to find out that on a site-to-site VPN configuration, enabling NAT-T in ASA 5505 costs you a 5% performance hit? I mean what?

NAT-T is not necessary in most cases since the ASA would likely never sit behind another NAT device; in other words, the outside interface in most sane deployments will be facing the public IP world. But just for kicks I did many long iperf3 sessions (like hours on end) with and without NAT-T enabled, and my conclusion is that I take a 5.5% hit on performance across the VPN tunnel when it is enabled.

Interestingly, the CPU usage is absolutely the same, so there must be another explanation for this? Anyone out there with similar experience? What's your theory on causality?

 

Thanks guys

~B

2 Replies

erwindebrouwer
Level 1

Hi bbiandov,

Interesting. First question that comes to mind is:

In your tests with NAT-T enabled, was the VPN tunnel actually using NAT-T? In other words, was ESP or UDP/4500 traffic seen over the wire?

If you were actually using NAT-T for the VPN at that time, we can expect less data to be transferred, as headers are larger with NAT-T and with that may come fragmentation inefficiencies.

Please let me know your findings and what you think.
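The header and fragmentation cost that the reply above describes can be put into numbers. The following is an added example, not code from either poster or from Cisco: it computes the outer packet size of a tunnel-mode ESP packet for an SA like the one in this thread (AES-256-CBC with HMAC-SHA1-96) with and without the extra 8-byte UDP header that NAT-T inserts, then accounts for IPv4 fragmentation of the outer packet against an assumed 1500-byte outside MTU. The header sizes are standard protocol constants; the MTU and the inner packet sizes are constructed inputs, not measurements from the poster's lab.

```python
# Added example (not from the thread): byte-level cost of plain ESP vs. ESP-in-UDP
# (NAT-T) for an IPsec tunnel-mode SA using AES-256-CBC and HMAC-SHA1-96.
# Header sizes are standard protocol constants; MTU and inner packet sizes used
# below are constructed test inputs.
import math

IPV4_HDR = 20      # outer IPv4 header, no options
UDP_HDR = 8        # present only with NAT-T (ESP encapsulated in UDP/4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # CBC IV, one AES block
ESP_TRAILER = 2    # pad length (1) + next header (1)
AES_BLOCK = 16     # CBC ciphertext must be a whole number of blocks
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 integrity check value


def esp_padding(inner_len: int) -> int:
    """Padding needed so payload + trailer is a multiple of the AES block size."""
    return (-(inner_len + ESP_TRAILER)) % AES_BLOCK


def outer_len(inner_len: int, nat_t: bool) -> int:
    """Length of the outer IPv4 packet carrying one tunnel-mode ESP packet."""
    encrypted = inner_len + esp_padding(inner_len) + ESP_TRAILER
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + AES_IV
            + encrypted + ICV_SHA1_96)


def wire_bytes(inner_len: int, nat_t: bool, mtu: int) -> int:
    """Bytes actually sent on the link, including IPv4 fragmentation of the
    outer packet when it exceeds the MTU (fragment payloads are multiples of 8)."""
    total = outer_len(inner_len, nat_t)
    if total <= mtu:
        return total
    payload = total - IPV4_HDR
    per_frag = ((mtu - IPV4_HDR) // 8) * 8
    frags = math.ceil(payload / per_frag)
    return payload + frags * IPV4_HDR


def max_unfragmented_inner(nat_t: bool, mtu: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits in one outer frame."""
    return max(n for n in range(mtu + 1) if outer_len(n, nat_t) <= mtu)


def efficiency(inner_len: int, nat_t: bool, mtu: int) -> float:
    """Useful inner bytes per byte sent on the wire."""
    return inner_len / wire_bytes(inner_len, nat_t, mtu)


if __name__ == "__main__":
    MTU = 1500   # constructed: typical Ethernet outside interface
    for inner in (1422, 1438, 1500):
        for nat_t in (False, True):
            print(f"inner={inner:4d} nat_t={nat_t!s:5} "
                  f"outer={outer_len(inner, nat_t)} "
                  f"wire={wire_bytes(inner, nat_t, MTU)} "
                  f"efficiency={efficiency(inner, nat_t, MTU):.4f}")
    print("largest unfragmented inner packet:",
          max_unfragmented_inner(False, MTU), "(ESP)",
          max_unfragmented_inner(True, MTU), "(NAT-T)")
```

The interesting value is the fragmentation cliff: with these constants a 1438-byte inner packet fits in one 1500-byte outer frame as plain ESP but needs two fragments once the UDP header is added, so the per-packet cost of NAT-T is not a flat 8 bytes but depends on where the inner packet sizes fall relative to the MTU. Checking what `show crypto ipsec sa` or a capture on the outside interface reports for fragments is the practical way to tell whether this is happening.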

Very good question, and the answer is NO: NAT-T was actually not being used even though it was enabled. It was always NOT using it, whether enabled or disabled. OK, now that's weird; then what would account for the performance hit? I can replicate it at will every time...

IKEv1 AES-256 Tunnel ID: 50.1
Authentication Mode: preSharedKeys
UDP Source Port 500
UDP Destination Port 500
IKE Negotiation Mode: Main
Hashing: SHA1
Diffie-Hellman Group: 2
Rekey Time Interval: 86400 Seconds
Rekey Left(T): 27627 Seconds
