slow performance thru site to site VPN (speed issue)

Unanswered Question
Aug 16th, 2009

I am having slow application performance thru a site to site VPN. I am running MS SQL and Oracle database applications thru the tunnel.


I have a 10 MB pipe from the ISP on both ends of the pipe. These are different ISPs. I have done speed tests and I am getting 10 MB up and down, just what we're paying for.


I have an ASA 5505 running the latest 8.x version on one side. This is 10 MB via fiber provided by Charter.


I have an ASA 5540 running version 7.2 on the other side.


There's a site to site VPN between the 2 locations using 3DES-SHA. I even tried 3DES-MD5 and DES-SHA but that didn't make any difference.


I looked at how much of the bandwidth I'm using and it's only using 3 MB of the 10 MB pipe. I am getting a ping response of 55 ms (average) during the day and 45 ms (average) after hours.


I tried an FTP transfer thru the site to site VPN tunnel and I'm getting pretty close to 10 MB.


I looked to see if I'm dropping any packets and it looks clean (no drops). I also checked with the ISPs and they're not seeing any dropped traffic either.


I'm also pushing VoIP traffic thru the VPN tunnel without a problem.


I have a case opened with Cisco but so far we haven't gotten anywhere.


Anybody have any ideas on how to improve the application performance?

Todd Pula Mon, 08/17/2009 - 06:32

Do you have SQLNET inspection configured on the ASAs in question? Please post the exact versions of code that you are running.

gflorescu@itech... Mon, 08/17/2009 - 07:26

I have tried SQLNET, didn't make any difference.


I'm running version 7.2.4 on one side and 8.2.1 on the other side.

anthony.baker@a... Tue, 08/18/2009 - 08:22

Hey mate,


It could be an MTU issue. I have had a lot of problems with this over VPN. The overheads of IPsec mean the FW has to fragment the packets to fit them down the tunnel and this slows things up - the thing is that from my experience it's not very obvious that it's happening!


The easiest way to find out would be to adjust the MTU of the Oracle machine and see if that makes any difference. It's not an exact science, it would seem, so setting it to 1440 was pretty successful for me and might be good for you.


If that works there are things you can then try to get the servers to work this out on their own but again, it doesn't seem to be particularly easy and doesn't always seem to work!


Hope that helps!


Anthony
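
The IPsec overhead mentioned in the reply above, worked through as an added example (not part of the original thread): it computes the on-the-wire size of an ESP tunnel-mode packet for the three transform sets named in the question and the largest inner packet that avoids fragmentation. The 1500-byte path MTU, the NAT-T case and all function names are assumptions made for the illustration.

```python
# Added example: ESP tunnel-mode packet size arithmetic (RFC 4303 layout).
from dataclasses import dataclass

OUTER_IP = 20     # new IPv4 header, no options
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length and next-header bytes
NAT_T_UDP = 8     # UDP encapsulation; assumption, only applies if NAT-T is in use
TCP_IP_HDRS = 40  # inner IPv4 + TCP headers without options

@dataclass(frozen=True)
class Transform:
    name: str
    block: int  # cipher block size in bytes (also the CBC IV size)
    icv: int    # truncated HMAC length in bytes

# The three transform sets tried in the thread: DES and 3DES both use 8-byte
# blocks, and HMAC-SHA1-96 and HMAC-MD5-96 both truncate to 12 bytes.
TRANSFORMS = [Transform("3DES-SHA", 8, 12),
              Transform("3DES-MD5", 8, 12),
              Transform("DES-SHA", 8, 12)]

def fixed_overhead(t, nat_t=False):
    return OUTER_IP + ESP_HEADER + t.block + t.icv + (NAT_T_UDP if nat_t else 0)

def outer_size(inner, t, nat_t=False):
    """Bytes on the wire for an inner IP packet of `inner` bytes."""
    body = inner + ESP_TRAILER
    padded = -(-body // t.block) * t.block  # round up to the cipher block size
    return fixed_overhead(t, nat_t) + padded

def max_inner(path_mtu, t, nat_t=False):
    """Largest inner IP packet that still fits in one ESP packet."""
    room = (path_mtu - fixed_overhead(t, nat_t)) // t.block * t.block
    return room - ESP_TRAILER

def report(path_mtu=1500):  # 1500 is an assumed path MTU, not stated in the thread
    rows = []
    for t in TRANSFORMS:
        for nat_t in (False, True):
            limit = max_inner(path_mtu, t, nat_t)
            rows.append((t.name, nat_t, outer_size(1500, t, nat_t),
                         outer_size(1440, t, nat_t), limit, limit - TCP_IP_HDRS))
    return rows

if __name__ == "__main__":
    print("transform  nat-t  1500->  1440->  max-inner  max-mss")
    for name, nat_t, full, small, limit, mss in report():
        print(f"{name:9}  {nat_t!s:5}  {full:6}  {small:6}  {limit:9}  {mss:7}")
```

All three transform sets produce the same overhead, and under the assumed 1500-byte path MTU a 1440-byte inner packet fits in one ESP packet without NAT-T but not with it.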
