05-12-2014 01:32 PM
I have a customer with a VPN network of ASA5505s running 8.4.x. The Internet circuits are all 100Mb lines and the units have full licences with oodles of memory.
If you do an rsync file copy between two sites, performance is about 4-8Mb/s over the VPN. But if you do the rsync from the same local server to the same remote server but over a port-forwarded SSH connection (so it is outside of the VPN) then the throughput is 70-80Mb/s (the lines are very lightly loaded).
Same ASAs, same local machines. There is lots of CPU and memory spare in the ASAs when the tests are running. The only difference I can see is that the slow transfer occurs in the VPN tunnel.
There are no physical interface errors, no VPN crypto accelerator listed errors.
Even though I could ping without issue at 1380 bytes (and smaller) outside of the VPN tunnel to the remote ASA, I still thought it might be an MTU issue across the VPN, but altering 'sysopt tcpmss' makes no difference, nor does fiddling with 'crypto ipsec fragmentation'.
There is nothing listed as a relevant bug on the Cisco TAC website.
Anyone else have any suggestions?
05-12-2014 02:15 PM
05-12-2014 02:19 PM
Clearly it can do 80Mb throughput if not encrypted, and even if it only does 40-50Mb throughput for VPN that would be better than 8Mb.
This is using AES rather than 3DES - but the limiting factor doesn't appear to be the algorithm because there is CPU to spare (it never gets above 18%).