ju_mobile Sat, 05/19/2012 - 07:00

How fast are your connections? Do you see a slow ping response when you ping from device to device on their external addresses? What devices are you using? What is the CPU showing on the devices, eg are they under load?


Sent from Cisco Technical Support iPhone App

Vishnu Sharma Sat, 05/19/2012 - 20:42
User Badges:
  • Cisco Employee,

Hi Jibin,


If your internet access is faster as compared to what you see across the VPN tunnel then please follow the below mentioned steps.


I hope the scenario at your end is something like this:


Host A(10.10.10.1)----------(ASA1)=======VPN Tunnel========(ASA2)----------Host B(192.168.10.1)


Now you are saying that the ping between the host A and host B is slow. Please correct me if I am wrong but if I am correct then please try the ping test.


From Host A (if it is a windows machine) open the command prompt and enter this command: ping -f -l 1400 192.168.10.1.


In general you will get this message: "Packet needs to be fragmented but DF set" or you will see a successful reply.


If you see the "packet needs to be fragmented" message then try to reduce the size of the packet being sent across the VPN tunnel, i.e. instead of using 1400, try 1380 and the command becomes ping -f -l 1380 192.168.10.1. You will have to keep reducing the size of the packet as we did from 1400 to 1380 and further to 1360 and so on until you receive a successful reply.


Try the same thing from Host B to Host A and let's say you receive a successful reply at 1350. Then run the command "show run all sysopt" on the ASA and you will see somewhat similar output:


no sysopt connection timewait
sysopt connection tcpmss 1380 <-- This is the command that we need to play with
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside


For example, if you receive a reply at 1350 then subtract 50 (approx. IPsec header size) from 1350 and set sysopt connection tcpmss to 1300, and if you received a reply at 1300 then after subtracting 50 we will set the tcpmss to 1250.


i.e. on the ASA set the tcpmss size to 1300 or 1250.


Also apply this command: crypto ipsec df-bit clear-df inside on both the ASAs.


Please follow these steps on both the ASAs and let me know if this helps.



Thanks,

Vishnu Sharma
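Automating the probe described in the post above, as an added example that is not from this thread: the script finds the largest ping payload that crosses the tunnel with DF set without fragmentation (by binary search rather than the post's 20-byte steps, assuming that if a size fits, every smaller size fits) and applies the post's "subtract 50" rule to suggest a tcpmss value. The ping flags for Windows and Linux, and using ping's exit status as the success signal, are assumptions of this example.

```python
import platform
import subprocess
from typing import Callable

IPSEC_OVERHEAD = 50  # rough IPsec header allowance, the post's rule of thumb


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set; True on a reply.

    Assumption: ping exits 0 only when a reply came back, so a
    'needs to be fragmented' response counts as a failed probe.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils: -M do sets DF, -s is the payload size in bytes
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    try:
        return subprocess.run(cmd, capture_output=True,
                              timeout=timeout_s + 3).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def find_max_payload(probe: Callable[[int], bool],
                     low: int = 500, high: int = 1472) -> int:
    """Largest payload in [low, high] that probe() accepts; 0 if even `low` fails."""
    if not probe(low):
        return 0
    while low < high:
        mid = (low + high + 1) // 2  # round up so the search converges on the max
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def suggested_tcpmss(max_payload: int, overhead: int = IPSEC_OVERHEAD) -> int:
    """The post's rule: successful ping size minus ~50 bytes of IPsec overhead."""
    return max_payload - overhead


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.1"
    best = find_max_payload(lambda n: ping_df(host, n))
    print(f"largest unfragmented payload to {host}: {best}")
    if best:
        print(f"suggested: sysopt connection tcpmss {suggested_tcpmss(best)}")
```

Run it from Host A towards Host B and again in the other direction, as the post advises, and use the smaller of the two suggestions on both ASAs.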

rgk013013 Mon, 05/21/2012 - 05:55

Hi ,



Thank you for the reply, these are good steps to follow.


crypto ipsec df-bit clear-df inside: what does this command do?
