857 VPN throughput

tdhb..hiq · ‎07-07-2010

I have just setup a site to site VPN and have concerns about the throughput.

It is a hub and spoke topoligy with a ASA 5510 at the hub with a speed of 8Mb each way. Out on the spoke ADSL 857 routers with a download of 10Mb and 1Mb up. But the download speed over the VPN is only about 1.5 - 2Mb.

I have tested with the dreded PPTP VPN and get 8Mb download from the hub.

Checking the CPU of the router it not getting much higher than 10%.

I have adjusted mss on the dialer interface of the 857 to try and limit fragmentation.

ip tcp adjust-mss 1380

I think the ASA has these settings as standard.

The VPN is using AES128 SHA DH5 with perfect forward secrecy.

From the specs that I have seen the 857 should be able to do at least 8Mb through put with AES.

See table 3 on page 9 of the attached doc.

I am I expecting too much from it, should I have gone with a 877? Is there something else I can do to trouble shoot or tweak?

Scotty

Jason Gervia · ‎07-07-2010

The number you quote is probably for 1400 byte packets with no variation - encryption speed usually has to do with the amt of packets that need to be encrypted, and what needs to be done with them.

I would start with trying a VPN tunnel with less encryption (3des vs AES) and see if that gives you any improvement. I would also remove any features (QOS, etc) that the 857 may be doing to keep the packet processing path in the router as simple as possible.

You may also want to try sniffing/capturing on the ASA for the flow to see if you see TCP stream issues (lots of fragmentation, retransmits, etc) to narrow down where the issue lies.

--Jason

tdhb..hiq · ‎07-08-2010

Hi Jason,

thanks for the suggestions. I have tried 3des, but with the same results. Nothing fancy in the router config. I will try a capture when I have the chance though.

Regards,

Scott