12-17-2015 03:06 PM
Hello community.
i am getting poor performance over site to site vpn. below is the out put from ASA. One side of the vpn does not have any issues.
i have the following DF configration on ASA. Can anyone please share experience to resolve this issue.
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
IPSEC SA output.
#pkts encaps: 13851, #pkts encrypt: 13871, #pkts digest: 13871
#pkts decaps: 16195, #pkts decrypt: 16195, #pkts verify: 16195
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 13852, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 20, #pre-frag failures: 0, #fragments created: 40
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 14
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 65.156.244.58/0, remote crypto endpt.: 162.247.247.69/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 941D9C14
current inbound spi : 5E1A6393
Thanks a lot
12-17-2015 03:53 PM
Hi adnan,
Have you test any connection without the VPN ? Maybe doing a port forwarding on one of the end points ?
Most of the times the problem is associated with the link between the devices and not with the VPN itself.
Hope it helps
-Randy-
12-17-2015 04:25 PM
It's operational vpn, work fine just one side has issues with fragmentation.
I am thins to adjust TCP mss value but need some input from any experience people to share their experience to fix.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide