
VPN Testing Troubleshooting Performance Issues

supertoaster2
Level 1

Hi All,

I would like to reference some material to troubleshoot speed performance of VPN remote, site-to-site or AnyConnect VPN.

So you can compare FTP on the outside interface to the throughput of a VPN.

The final aim is to pinpoint where the issues are from the firewall.

Troubleshooting Commands

  • show...
  • show capture vpn1 type asp-drop
  • debug commands...
  • performance data interface

What I DON'T want

  • An overview of packet capture, TCP and ICMP responses
  • ping
  • pathping
  • mtr
  • traceroute
  • And all other OS command tools or applications

I want it on the ASA ...

Thank you

4 Replies

Hi,

You need to start a TCP connection like FTP out of any VPN connection and capture it. You could enable system logging for further information.

Then verify if the low performance issue still occurs. If so, check the captures and logs to see if the issue is related to TCP retransmissions, dropped packets etc., and verify the logs to confirm whether the ASA drops the packets or not.

Now, this is a simple check from the ASA's perspective and only for TCP packets; the ICMP test is required to verify if fragmentation is required and if you need to modify the TCP MSS, DF-BIT or MTU settings.

You could also compare both captures, one out of the VPN and another one across the VPN tunnel.

HTH.

Please rate any helpful posts

Portu.

Thank you

Not interested in ICMP or TCP comparison captures, only interested in show commands and debug commands.

Let me share more information. I hope you find it helpful.

ASA Capture:

capture name interface specific_FW match specific_protocol Source_host/network Destination_host/network

show capture name

clear capture name

no capture name

Example:

capture capin interface inside match ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Where 192.168.1.0/24 is the LAN and 192.168.2.0/24 is a remote network.

ASP capture:

capture drop type asp-drop all

*all --> All packet drop reasons

ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example

VPN debugging:

PHASE I:

debug crypto ikev1 [1-255]

debug crypto ikev2 [1-255]

PHASE II

debug crypto ipsec [1-255]

Logging:

logging buffered debugging

logging buffer-size [size]

show logging

ASA ASP drops:

show asp drop flow

show asp drop frame

HTH.

Please rate any helpful posts.


Thank you, this is more useful.

I did put the asp-drop earlier.

Commands

debug crypto condition peer x.x.x.x

access-list vpn1 permit ip ....

Capture vpn1 access-list vpn1 type asp-drop all ...(tcp and other...)

I think the various asp-drops might give a clearer indication that there are application issues.

We need the metrics on the crypto and debug commands (counters) to measure performance with Cisco Data Sheets.

Possible using interface or asp-drop or table...

But, the commands need to be specific for performance

Show commands with reasons...

But, I am more interested in debug timers, and details of counters that can be used to measure performance metrics of the VPN.
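
Added example, not part of any post in this thread: one way to turn the `show asp drop` counters mentioned above into a per-test measurement is to save the output before and after a test transfer and diff the two snapshots. The output layout, the sample text and the names `parse_asp_drop` and `drop_delta` are assumptions made for this sketch; the snapshots are constructed, not real device output.

```python
import re

# Constructed sample snapshots (not real device output). Assumed layout:
# section header, then "  Description (reason-name)   count" lines.
BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      1200
  First TCP packet not SYN (tcp-not-syn)                              40

Last clearing: Never

Flow drop:

Last clearing: Never
"""
AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      1200
  First TCP packet not SYN (tcp-not-syn)                             340

Last clearing: Never

Flow drop:
  Tunnel being brought up or torn down (tunnel-pending)               12

Last clearing: Never
"""

SECTION = re.compile(r"^(Frame|Flow) drop:\s*$")
COUNTER = re.compile(r"^\s+.+?\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {(section, reason): count} from one snapshot."""
    counters, section = {}, None
    for line in text.splitlines():
        if (m := SECTION.match(line)):
            section = m.group(1).lower()
        elif section and (m := COUNTER.match(line)):
            counters[(section, m["reason"])] = int(m["count"])
    return counters

def drop_delta(before, after, seconds):
    """Counters that moved during the test window, largest first, with drops/sec."""
    old, rows = parse_asp_drop(before), []
    for (section, reason), count in parse_asp_drop(after).items():
        delta = count - old.get((section, reason), 0)
        if delta < 0:          # counters were cleared between snapshots
            delta = count
        if delta:
            rows.append((section, reason, delta, delta / seconds))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for row in drop_delta(BEFORE, AFTER, seconds=60):
        print("%-5s %-20s +%d (%.2f/s)" % row)
```

Counters that did not change during the window (here `acl-drop`) are left out, so only drop reasons that coincide with the test transfer remain.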