Slow ASA to ASA VPN throughput

Unanswered Question

I have a customer with a VPN network of ASA5505s running 8.4.x. The Internet circuits are all 100Mb lines and the units have full licences with oodles of memory.

If you do an rsync file copy between two sites, performance is about 4-8Mb/s over the VPN. But if you do the rsync from the same local server to the same remote server but over a port-forwarded SSH connection (so it is outside of the VPN), then the throughput is 70-80Mb/s (the lines are very lightly loaded).

Same ASAs, same local machines. There is lots of CPU and memory spare in the ASAs when the tests are running. The only difference I can see is that the slow transfer occurs in the VPN tunnel. 

There are no physical interface errors, no VPN crypto accelerator listed errors.

Even though I could ping without issue at 1380 bytes (and smaller) outside of the VPN tunnel to the remote ASA, I still thought it might be an MTU issue across the VPN, but altering 'sysopt tcpmss' makes no difference, nor does fiddling with 'crypto ipsec fragmentation'.

There is nothing listed as a relevant bug on the Cisco TAC website.

Anyone else have any suggestions?

John Patrick Lopez Mon, 05/12/2014 - 14:15
Have you tried to use an L3 device prior to the ASA5505 that would probably do the fragmentation? Or probably set the ip tcp adjust-mss on the L3 device prior to the ASA? According to the data sheet, it can do 100M 3DES, but that still depends on the VPN traffic pattern. I just wonder, the ISP is 100M but the ASA is just 5505?

