05-19-2012 06:28 AM
Hi all,
I have a site-to-site VPN where I am facing slow response when I access or ping the other site. Please let me know what the reasons for the slowness could be.
05-19-2012 07:00 AM
How fast are your connections? Do you see a slow ping response when you ping from device to device on their external addresses? What devices are you using? What is the CPU showing on the devices, e.g. are they under load?
Sent from Cisco Technical Support iPhone App
05-19-2012 08:42 PM
Hi Jibin,
If your Internet access is faster compared to what you see across the VPN tunnel, then please follow the steps mentioned below.
I hope the scenario at your end is something like this:
Host A(10.10.10.1)----------(ASA1)=======VPN Tunnel========(ASA2)----------Host B(192.168.10.1)
Now you are saying that the ping between Host A and Host B is slow. Please correct me if I am wrong, but if I am correct then please try the following ping test.
From Host A (if it is a Windows machine) open the command prompt and enter this command: ping -f -l 1400 192.168.10.1.
In general you will either get this message: "Packet needs to be fragmented but DF set" or you will see a successful reply.
If you see the "Packet needs to be fragmented" message, then reduce the size of the packet being sent across the VPN tunnel, i.e. instead of 1400 try 1380, so the command becomes ping -f -l 1380 192.168.10.1. Keep reducing the packet size as we did from 1400 to 1380, then to 1360 and so on, until you receive a successful reply.
Try the same thing from Host B to Host A. Let's say you receive a successful reply at 1350; then run the command "show run all sysopt" on the ASA and you will see somewhat similar output:
no sysopt connection timewait
sysopt connection tcpmss 1380 <--This is the command that we need to play with
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
For example, if you receive a reply at 1350 then subtract 50 (approx. IPsec header size) from 1350 and set sysopt connection tcpmss to 1300; if you received a reply at 1300, then after subtracting 50 we will set the TCP MSS to 1250.
i.e. on the ASA set the TCP MSS size to 1300 or 1250.
Also apply this command: crypto ipsec df-bit clear-df inside on both ASAs.
Please follow these steps on both ASAs and let me know if this helps.
Thanks,
Vishnu Sharma
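The walk-down in the post above, automated. This is an added example and not code from the thread, from Cisco, or from the poster: it binary-searches the largest DF-set ping payload that still gets a reply (the post steps down 20 bytes at a time), applies the post's subtract-50 rule to get the tcpmss value, and prints the two ASA lines the post says to apply. `ping_probe` builds the per-OS ping command (Windows `-f -l`, Linux iputils `-M do -s`, macOS `-D -s`); `simulated_probe` and its 1400-byte demo path MTU are constructed stand-ins for a real tunnel so the module runs offline. The search assumes the path is monotonic: every size up to the limit replies, every size above it is blocked.

```python
"""Find the largest unfragmented ping payload across a tunnel and derive the
ASA tcpmss value the way the thread describes. Added example, not the thread's
own code; `simulated_probe` is a constructed offline stand-in for a tunnel."""
import platform
import subprocess
from typing import Callable, List

IP_ICMP_OVERHEAD = 28        # 20-byte IPv4 header + 8-byte ICMP header around the payload
IPSEC_ALLOWANCE = 50         # the post's rule of thumb: subtract ~50 bytes for IPsec headers
ETHERNET_MAX_PAYLOAD = 1472  # 1500-byte MTU minus the 28 bytes of IP+ICMP overhead


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request with DF set and `payload` data bytes; True only on a normal reply.

    Windows ping exits 0 and still prints "Packet needs to be fragmented but DF set",
    so the output text is checked as well as the exit status. -l / -s count ICMP data
    bytes on every platform, matching the thread's `ping -f -l 1400`.
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s * 1000), "-D", "-s", str(payload), host]
    else:  # Linux iputils: -M do sets DF and refuses to fragment locally
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    out = (proc.stdout + proc.stderr).lower()
    frag_needed = "fragment" in out or "too long" in out
    return proc.returncode == 0 and not frag_needed


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 lo: int = 0, hi: int = ETHERNET_MAX_PAYLOAD) -> int:
    """Binary-search the largest payload `probe` accepts.

    `lo` should be a size known to work. Returns -1 if even `lo` fails (tunnel down,
    ICMP filtered) and `hi` if nothing in the range is blocked.
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    while hi - lo > 1:            # invariant: probe(lo) replied, probe(hi) was blocked
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(payload: int) -> int:
    """Largest IPv4 packet that crossed the tunnel, given the ping payload that replied."""
    return payload + IP_ICMP_OVERHEAD


def recommended_tcpmss(payload: int) -> int:
    """The post's rule: subtract the IPsec allowance from the payload size that replied."""
    return payload - IPSEC_ALLOWANCE


def asa_commands(mss: int) -> List[str]:
    """Configuration lines the post says to apply on both ASAs."""
    return [f"sysopt connection tcpmss {mss}", "crypto ipsec df-bit clear-df inside"]


def simulated_probe(tunnel_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a tunnel whose usable IPv4 MTU is `tunnel_mtu` (no network)."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= tunnel_mtu


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # real run: python mtu_probe.py 192.168.10.1
        probe = lambda size: ping_probe(sys.argv[1], size)
    else:                                     # offline demo against a constructed 1400-byte path
        probe = simulated_probe(1400)
    best = largest_unfragmented_payload(probe)
    if best < 0:
        sys.exit("even the smallest probe got no reply; check the tunnel before tuning MSS")
    print(f"largest DF payload that replied: {best} (path MTU {path_mtu(best)})")
    for line in asa_commands(recommended_tcpmss(best)):
        print(line)
```

Two caveats when using it. The payload that replied has already crossed the tunnel with its ESP overhead included, so the post's 50-byte subtraction is a safety margin on top of the measured limit rather than an exact accounting; and `sysopt connection tcpmss` is a global ASA setting that clamps the MSS of every TCP flow through the box, not only tunnelled ones, so check that the chosen value is acceptable for non-VPN traffic too.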
05-21-2012 05:55 AM
Hi ,
Thank you for the reply, these are good steps to follow.
crypto ipsec df-bit clear-df inside: what does this command do?
05-21-2012 06:04 AM
Hi Jibin,
Please go through the link: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html#wp1023535
This link will give you clear understanding of this command.
Thanks,
Vishnu Sharma