11-26-2012 03:31 AM
Hi All,
I would like to reference some material to troubleshoot speed performance of VPN remote, site-to-site or AnyConnect VPN.
So you can compare FTP on the outside interface to the throughput of a VPN.
The final aim is to pinpoint where the issues are from the firewall.
Troubleshooting Commands
What I DON'T want
I want it on the ASA ...
Thank you
11-26-2012 06:57 AM
Hi,
You need to start a TCP connection like FTP out of any VPN connection and capture it. You could enable system logging for further information.
Then verify if the low performance issue still occurs. If so, check the captures and logs to see if the issue is related to TCP retransmissions, dropped packets, etc., and verify the logs to confirm whether the ASA drops the packets or not.
Now, this is a simple check from the ASA's perspective and only for TCP packets; the ICMP test is required to verify if fragmentation is required and if you need to modify the TCP MSS, DF-BIT or MTU settings.
You could also compare both captures, one out of the VPN and another one across the VPN tunnel.
HTH.
Please rate any helpful posts
Portu.
11-26-2012 07:21 AM
Thank you
Not interested in ICMP or TCP comparison captures, only interested in show commands and debug commands.
11-26-2012 08:07 AM
Let me share more information, I hope you find it helpful
ASA Capture:
capture name interface specific_FW match specific_protocol Source_host/network Destination_host/network
show capture name
clear capture name
no capture name
Example:
capture capin interface inside match ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Where 192.168.1.0/24 is the LAN and 192.168.2.0/24 is a remote network.
ASP capture:
capture drop type asp-drop all
*all --> All packet drop reasons
ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example
VPN debugging:
PHASE I:
debug crypto ikev1 [1-255]
debug crypto ikev2 [1-255]
PHASE II
debug crypto ipsec [1-255]
Logging:
logging buffered debugging
logging buffer-size [size]
show logging
ASA ASP drops:
show asp drop flow
show asp drop frame
HTH.
Please rate any helpful posts.
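The following Python is an added example, not part of the original thread or of any Cisco tooling: it diffs two pasted `show asp drop` snapshots, taken before and after a test transfer, and lists which drop reasons increased. The sample text is constructed, and the line layout it parses (description, reason in parentheses, counter) is an assumption that may need adjusting for a given ASA version.

```python
import re

# Assumed counter-line layout: "  <description> (<reason>)   <count>"
LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {(section, reason): count} from pasted 'show asp drop' output."""
    counters, section = {}, None
    for line in text.splitlines():
        stripped = line.strip().lower()
        if stripped in ("frame drop:", "flow drop:"):
            section = stripped.split()[0]      # "frame" or "flow"
            continue
        m = LINE.match(line)
        if m and section:                      # skips "Last clearing" lines
            counters[(section, m.group("reason"))] = int(m.group("count"))
    return counters

def drop_deltas(before, after):
    """Counters that increased between two snapshots, largest first.
    Reasons that first appear in 'after' are counted from zero."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    deltas = {k: a[k] - b.get(k, 0) for k in a if a[k] > b.get(k, 0)}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample snapshots (not captured from a real device).
BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                    120
  First TCP packet not SYN (tcp-not-syn)                           14
Last clearing: Never
Flow drop:
  Inspection failure (inspect-fail)                                 2
Last clearing: Never
"""
AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                    120
  First TCP packet not SYN (tcp-not-syn)                          400
  Fragment reassembly failed (fragment-reassembly-failed)          37
Last clearing: Never
Flow drop:
  Inspection failure (inspect-fail)                                 2
Last clearing: Never
"""

if __name__ == "__main__":
    for (section, reason), delta in drop_deltas(BEFORE, AFTER):
        print(f"{section:5} {reason:30} +{delta}")
```

Counters that did not move during the transfer are omitted, so the result points only at drop reasons active while the test traffic was flowing.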
11-26-2012 10:00 AM
Thank you this is more useful
I did put the asp-drop earlier
Commands
debug crypto condition peer x.x.x.x
access-list vpn1 permit ip ....
Capture vpn1 access-list vpn1 type asp-drop all ...(tcp and other...)
I think the various asp-drops might give a clearer indication there are application issues.
We need the metrics on the crypto and debug commands (counters) to measure performance with Cisco Data Sheets.
Possible using interface or asp-drop or table...
But, the commands need to be specific for performance
Show commands with reasons...
But, I am more interested in debug timers, and details of counters that can be used to measure performance metrics of the VPN