SA520 to SA520W VPN High Latency, Dropping Packets

Unanswered Question
Feb 24th, 2010
User Badges:

We recently put a SA520 at a data center and a SA520W at an office and created an IPSEC VPN tunnel between the two. We then added a configuration for remote users using the QuickVPN client (very unhappy no 64 bit or Win 7 support).

Now that we've begun testing we've observed that as soon as anyone uses the VPN tunnel, the latency jumps from 12-16ms to 120-240ms and stays there for about 15-30 seconds.

Once we observed that, we started doing ping tests from the outside. For some reason both routers drop nearly all the ping requests and actually respond about 1 in every 50 pings. I've ensured that all the firewall items are turned off and that fact that it will respond every now and then tells me something is up.

I then tested using a VNC connection behind the device at the data center. The connection stays open until about 3-7 minutes in and the connection drops or hangs while it tries to refresh (dropped packets). I have no issues with any other routers or equipments on the same subnet, in the same rack. I'd blame one router being bad if it wasn't for the fact that I see the issue on both routers, at two different sites, on two different ISPs.

I've called the small business support line and they have no idea what to troubleshoot other than maybe changing the MTU settings. They've escalated the issue to a team in California but apparently escalation only means someone else will contact me within 48 hours (seriously?!?!?!).

As I'm at wits end, that's why I'm trying all options such as posting here. Anyone else observed similar behaviour?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Steven DiStefano Wed, 02/24/2010 - 11:04
User Badges:
  • Blue, 1500 points or more
The New Quick VPN  client version has been posted to the Cisco Software  Center.
Support for Windows  Vista and Windows 7 (32-bit and 64-bit) is available in this  release.
Users can download  the new client software by creating a CCO  account on
The Free and  Anonymous downloads will be available in the next few days.
blueccarthur Wed, 02/24/2010 - 11:12
User Badges:


Glad to see that just got released today.

Any feedback or thoughts on the other issues I stated? If we have to wait 48 hours to begin escalation troubleshooting we might have to just return these and go with another vendor for our customer. Don't get me wrong, I love Cisco but I don't think this is much to ask of two simple VPN routers.

skalahas Wed, 02/24/2010 - 11:16
User Badges:
  • Cisco Employee,

can you send us the configs of both SA520 and SA520W? Also, what version of firmware are you using?

Steven Smith Wed, 02/24/2010 - 11:17
User Badges:
  • Gold, 750 points or more


Check your PM.  I would like you to send me the configurations that you have.

I am also interested in getting some more information about the topology, the amount of users on it, and how those users connect.

matthew.bouchard Mon, 03/01/2010 - 11:39
User Badges:

Hello,  Have you had any luck correcting this issue? I recently purchased two SA520W's and setup a VPN between our two offices. I am having the exact same issues as you are and have spent hours on the phone with support but we have yet to figure anything out. If you have a resolution please let me know and if I get anywhere with their support who is currently reviewing packet captures I sent the, I will do the same.  Thanks!!

blueccarthur Mon, 03/01/2010 - 12:15
User Badges:


The folks at Cisco have confirmed this is a problem with the software on the routers. I won't go into details but the only way to rectify while they're working on a fix is to completely delete all VPN configuration and then punch holes in the firewall.

We had to do this for a new client we just put these in for. They are less than thrilled. If the firewall hole punching wasn't an option we would have had to return these. We still might and just go with the 881s.

Funny enough, it took 1 week for the escalation team to contact me after the basic techs didn't know what was happening. All the escalation team did was send me an email asking me to call them. This is even though I requested they call my cell ASAP. The process has been quite a let down. I don't like feeling like my clients and I are beta testers.

blueccarthur Thu, 05/06/2010 - 12:20
User Badges:

Just following up to state we are still waiting on a firmware to fix this.....

hyeh Thu, 05/06/2010 - 15:59
User Badges:


Our record shows that this problem has been fixed in 1.1.42 release.

The DDTS to track this problem was CSCtf58449 - SA520 to SA520W high VPN latency and packet drop

Are you still seeing this problem with the latest firmware?



This Discussion