Hub and Spoke VPN network, very slow inter-site

Jul 13th, 2010

Hello all, hoping someone can give a quick bit of advice...

I have 20 dispersed sites each with 5Mb leased lines, and a central hub site with a 100Mb uplink to a top tier service provider. All of the remote sites talk to each other through the hub. This is essentially just 20 L2L connections with hairpinning enabled on the outside int of the hub site.

The hub can talk to all sites at 5Mb (upload and download to those sites at 500KB/s), and with a direct tunnel between any 2 of them I get the full 5Mb, but going via the hub site the maximum transfer speed I can achieve is only 100KB/s.

Is this to be expected with the additional encaps/decaps and encrypts/decrypts that going over the 2nd tunnel to reach the destination brings? Or does it sound as though things aren't quite functioning correctly?

All performance figures on the hub firewall look absolutely fine, pretty constant 20% cpu usage and 50% mem usage, no unusual interface statistics etc. All firewalls are ASA5520.

Any thoughts or suggestions would be greatly appreciated.


jacobs_son Tue, 07/13/2010 - 13:34

Anyone have any experience with this kind of setup, or any idea what the performance impact should be assuming 50ms latency between all remote sites and the hub? I understand that the decryption and encryption on the hub will add some delay, but I wouldn't expect an 80% drop in transfer rate between any 2 remote sites...

I'm at a loss, so any thoughts would be greatly appreciated.
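A quick sanity check for the question above (added here as an example, not part of the thread): estimate the latency-bound TCP throughput for the direct spoke-to-spoke tunnel and for the hairpinned spoke-hub-spoke path, and compare it with the observed figures. Assumptions (not stated in the thread): a 64 KB TCP receive window with no window scaling, a 1500-byte MTU, and roughly 58 bytes of ESP tunnel-mode overhead per packet; the 50 ms one-way latency and 5 Mb links are taken from the posts.

```python
# Added example: is latency alone enough to explain 100 KB/s via the hub?
LINK_BPS = 5_000_000      # 5 Mb leased line at each spoke (from the thread)
ONE_WAY_MS = 50           # latency spoke <-> hub (from the thread)
RWND_BYTES = 64 * 1024    # assumed: classic 64 KB window, no scaling
MTU = 1500                # assumed
IP_TCP_HDR = 40           # IPv4 + TCP headers, no options
ESP_OVERHEAD = 58         # assumed: approximate ESP tunnel-mode overhead


def window_limited_bps(rtt_ms, rwnd=RWND_BYTES):
    """Max TCP rate when one window of data must be acked per RTT."""
    return rwnd * 8 / (rtt_ms / 1000)


def goodput_fraction(mtu=MTU, esp=ESP_OVERHEAD, hdr=IP_TCP_HDR):
    """Share of each encrypted wire packet that is TCP payload."""
    return (mtu - hdr) / (mtu + esp)


def estimate_kbps(hops):
    """Latency/link-bound TCP goodput in KB/s over `hops` tunnels.

    hops=1 is the direct spoke-to-spoke tunnel; hops=2 is spoke->hub->spoke,
    which doubles the RTT the TCP window has to cover.  The hub decrypts and
    re-encrypts, so each link still carries a single layer of ESP overhead.
    """
    rtt_ms = 2 * ONE_WAY_MS * hops
    link_goodput = LINK_BPS * goodput_fraction()
    return min(link_goodput, window_limited_bps(rtt_ms)) / 8 / 1000


def latency_explains(observed_kbps, hops, tolerance=0.8):
    """True if the observed rate is within ~20% of the latency-bound estimate."""
    return observed_kbps >= tolerance * estimate_kbps(hops)


if __name__ == "__main__":
    # Observed values from the thread: ~500 KB/s direct, ~100 KB/s via the hub.
    for hops, observed in ((1, 500), (2, 100)):
        est = estimate_kbps(hops)
        verdict = "consistent" if latency_explains(observed, hops) else "NOT explained"
        print(f"{hops} tunnel(s): estimate {est:.0f} KB/s, observed {observed} KB/s -> {verdict}")
```

With these assumptions the hairpinned path should still manage roughly 330 KB/s, so a 100 KB/s result points at something beyond the extra RTT and encapsulation (MTU/MSS and fragmentation, window size, or loss on the hub path are the usual things to check next).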


Diego Armando C... Wed, 07/14/2010 - 07:33

OK, so you have 20 L2L and you are doing hairpinning. I know that the encap/decap -- encap/decap will produce a delay. I don't know if ASAs are the best option for fully meshed VPNs.
