
Slow ASA to ASA VPN throughput

raza.rizvi
Level 1

I have a customer with a VPN network of ASA5505s running 8.4.x. The Internet circuits are all 100Mb lines and the units have full licences with oodles of memory.

If you do an rsync file copy between two sites, performance is about 4-8Mb/s over the VPN. But if you do the rsync from the same local server to the same remote server but over a port forwarded SSH connection (so it is outside of the VPN) then the throughput is 70-80Mb/s (the lines are very lightly loaded).

Same ASAs, same local machines. There is lots of CPU and memory spare in the ASAs when the tests are running. The only difference I can see is that the slow transfer occurs in the VPN tunnel. 

There are no physical interface errors, no VPN crypto accelerator listed errors.

Even though I could ping without issue at 1380 bytes (and smaller) outside of the VPN tunnel to the remote ASA I still thought it might be an MTU issue across the VPN but altering 'sysopt tcpmss' makes no difference, nor does fiddling with 'crypto ipsec fragmentation'.

There is nothing listed as a relevant bug on the Cisco TAC website.


Anyone else have any suggestions?

2 Replies

jpl861
Level 4
Have you tried to use an L3 device prior to the ASA5505 that would probably do the fragmentation? Or probably set the ip tcp adjust-mss on the L3 device prior to the ASA? According to the data sheet, it can do 100M 3DES but still depending on the VPN traffic pattern. I just wonder, the ISP is 100M but the ASA is just 5505?

Clearly it can do 80Mb throughput if not encrypted, and even if it only does 40-50Mb throughput for VPN that would be better than 8Mb.

This is using AES rather than 3DES - but the limiting factor doesn't appear to be the algorithm because there is CPU to spare (it never gets above 18%).