Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1943
Views
0
Helpful
2
Replies

ASA5510 to ASA5505 Slow Performance over Tunnel

neilhall
Level 1
Level 1

‎03-05-2008 01:29 PM - edited ‎02-21-2020 01:55 AM

We have a VPN Tunnel established between a ASA5510 at our home office and a ASA5505 at a remote office.

The tunnel is working properly, however the performance across the IPSEC tunnel is very poor. The tunnel is setup so that the remote 5505 sends 100% of it's traffic back to the home office 5510 (including regular Internet traffic).

The strange part of this problem is that on the remote 5505 side we can easily get 4.5 Mbps downloads from the Internet, yet we can barely break 1 Mbps when talking to internal devices on the other side of the home office 5510.

So to summarize...

ALL traffic from the 5505 goes over the IPSEC tunnel which terminates on a 5510. The 5510 serves as the VPN endpoint as well as the Internet Firewall. When users on the 5505 side surf the Internet (which ultimately goes out the 5510), it is fast, while users on the 5505 side that are accessing resoures on the network that is on the other side of the 5510 are slow.

Why would all internal tunneled traffic be slow, while all Internet traffic (also tunneled) be fast?

We have analyized each leg of the connection and everything in between seems to have proper performance, and we have also experimented with the fragmentation settings with no success.

Thanks for any advice.

0 Helpful
2 Replies 2

amritpatek
Level 6
Level 6

‎03-11-2008 01:33 PM

Clear the existing tunnels and check if any policy is applied to the traffic. Following link may help you

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

0 Helpful

neilhall
Level 1
Level 1

‎03-12-2008 05:43 AM

I believe we have resolved this issue. It appears that the ASA 5505 was not properly auto negotiating with the Cisco 3550 switch that it was connected to. There also appears to be a similar auto negotiation problem with various brands of cable modems as well. When we set the 5505's outside interface port to 10 Mbps / Full Duplex (according to the ISP, the 3550 was statically set to 10 Full), we then began receiving the throughput we expected to see.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card