02-02-2005 02:53 PM - edited 02-21-2020 01:35 PM
Hello, we're having a slowness issue over our P2P VPN. We have a hub and spoke setup.
Head: PIX 515e
3 spokes: PIX 501s
All are simple IPSEC tunnels with DES encryption. I've checked all connections for speed/duplex issues, all seem fine. I was wondering about MTU issues. If that's the case, what are my best options to resolve the latency?
The reason I think it's an MTU issue is this: from one of the spoke sites, I can connect with my XP laptop and browse without much trouble, but the 2000 machines are god-awful slow. I checked the MTU of my laptop and it's set to 1300. The 2000 machines are default, which I'm assuming is 1500, thus my grand conclusion.
Any help on this is greatly appreciated.
02-02-2005 06:38 PM
It could be an MTU issue. On the spoke and head-end units, run the show sysopt command and note if any connection tcpmss is not 1380. That is the default value that the PIX uses to work properly when it terminates IPSec VPN tunnels.
Is any spoke site connected via PPPoE (or PPPoA in the provider network)? If so, then the effective interface MTU is 1492, and if you do not allow ICMP to and from the PIX (note: this is not the same as through the PIX) then path MTU discovery is broken. Your XP ws is using an MTU of 1300 so it won't encounter the problem. Either adjust the spoke PIX sysopt connection tcpmss to something like 1300, or adjust the interface MTU to 1492.
Let me know what you find.
02-03-2005 08:24 AM
Thanks for the reply,
Here's a screen copy of that command. It looks like tcpmss is set to 1380.
privatenetwork# sh sysopt
sysopt security fragguard
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible
no sysopt route dnat
Also, the head site is a 10Mb fibre to Internet and the spokes are T1s (one is fractional), so not PPPoE.
Thanks for your help.
Patrick
02-03-2005 09:58 AM
Try adjusting the MTU setting on the MS Win 2000 client to 1300 for the virtual adapter and then connect. Let me know how it turned out.
02-03-2005 10:36 AM
That's fine for testing, except that most of the clients at this site are thin clients (all but 3), WYSE terminals. I was told that you cannot change the MTU setting on them. Also, I don't want to have to change workstation settings. Can't the settings in the PIX be changed to remedy this?
02-03-2005 12:44 PM
On the PIX use this command:
sysopt connection tcpmss x, where x can be anything up to 1460; the minimum can be lower than 512, though I do not know the exact value.
Try setting x to 1300 and see if the Win 2000 clients can connect. I would make the change on one spoke site first, as that is where the clients reside.
Let me know how it proceeds.
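The two replies above (the 1380 default and the PPPoE/1492 case, and the suggestion to clamp tcpmss to 1300) both come down to one arithmetic question: once the PIX wraps a full-size TCP segment in ESP, does it still fit the outer link? The following is an added example, not code from the thread or from Cisco, that does that arithmetic. Every framing constant in it is an assumption stated in the comments: ESP tunnel mode over IPv4 with no options and no NAT-T UDP encapsulation, DES-CBC (8-byte block and IV, matching the "DES encryption" in the original post), and a 12-byte HMAC-MD5-96/SHA1-96 ICV. The scenario names and the clamp/MTU values are the ones discussed in the thread.

```python
# Added example, not from the thread: ESP tunnel-mode overhead and TCP MSS sizing
# for an IPsec hub-and-spoke. Assumptions: ESP tunnel mode over IPv4 (20-byte outer
# header, no options), no NAT-T UDP encapsulation, DES-CBC (8-byte block, IV equal
# to the block size) and HMAC-MD5-96 / HMAC-SHA1-96 (12-byte ICV).

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_LEN = 12         # truncated HMAC (MD5-96 / SHA1-96)


def esp_tunnel_size(inner_len, block=8, icv=ICV_LEN):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP packet
    of inner_len bytes. The IV is assumed to equal the cipher block size (true for
    DES/3DES-CBC and AES-CBC). ESP pads so that inner packet + padding + trailer is
    a whole number of cipher blocks."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + block + inner_len + pad + ESP_TRAILER + icv


def tcp_segment_on_wire(client_mtu, tcpmss_clamp=None, block=8, icv=ICV_LEN):
    """(MSS actually used, wire size) for a full-size TCP segment from a client with
    client_mtu, after the PIX has optionally clamped the MSS it advertised in the SYN
    ("sysopt connection tcpmss") and encapsulated the segment in ESP."""
    mss = client_mtu - IPV4_HDR - TCP_HDR          # what the client advertises
    if tcpmss_clamp is not None:
        mss = min(mss, tcpmss_clamp)               # clamp only lowers a larger MSS
    inner = IPV4_HDR + TCP_HDR + mss
    return mss, esp_tunnel_size(inner, block, icv)


def fits_path(client_mtu, outer_mtu, tcpmss_clamp=None, block=8, icv=ICV_LEN):
    """True if a full-size segment crosses the tunnel without fragmentation.
    If it does not fit and the client set DF while ICMP to the PIX is blocked,
    the segment is silently lost: the 'slow but not dead' symptom in the thread."""
    _, wire = tcp_segment_on_wire(client_mtu, tcpmss_clamp, block, icv)
    return wire <= outer_mtu


def max_mss_for_path(outer_mtu, block=8, icv=ICV_LEN):
    """Largest MSS whose encrypted full-size segment still fits outer_mtu."""
    mss = outer_mtu
    while mss > 0 and esp_tunnel_size(IPV4_HDR + TCP_HDR + mss, block, icv) > outer_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    scenarios = [
        ("Win2000 default MTU 1500, no clamp", 1500, None),
        ("Win2000 default MTU 1500, tcpmss 1380", 1500, 1380),
        ("Win2000 default MTU 1500, tcpmss 1300", 1500, 1300),
        ("XP laptop at MTU 1300", 1300, 1380),
    ]
    for label, client_mtu, clamp in scenarios:
        mss, wire = tcp_segment_on_wire(client_mtu, clamp)
        for outer in (1500, 1492):                 # plain Ethernet vs PPPoE
            verdict = "ok" if wire <= outer else "FRAGMENTS"
            print(f"{label:40s} mss={mss} wire={wire} outer={outer} {verdict}")
    print("largest safe MSS, DES/HMAC-96, 1500-byte path:", max_mss_for_path(1500))
    print("largest safe MSS, DES/HMAC-96, 1492-byte PPPoE path:", max_mss_for_path(1492))
    print("largest safe MSS, AES-CBC (16-byte block), 1500-byte path:",
          max_mss_for_path(1500, block=16))
```

With these assumptions an unclamped Windows 2000 segment comes out at 1552 bytes, which no 1500-byte link carries without fragmentation, while the 1380 clamp yields a 1472-byte packet that fits both a 1500-byte and a 1492-byte PPPoE path; the XP laptop's 1300-byte MTU gives a 1352-byte packet, which is why it never showed the symptom. The computed ceiling for DES with a 96-bit ICV is 1406 (1398 over PPPoE), so 1380 leaves headroom for heavier transforms such as AES-CBC with a 16-byte IV. The caveat a practitioner should keep in mind is that tcpmss clamping fixes TCP only; large UDP or ICMP datagrams are still subject to fragmentation, and fragmentation of the encrypted packet on the path is what ICMP-based path MTU discovery is supposed to prevent.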
02-03-2005 12:50 PM
Thanks for your help, ehirsel.
I'll let you know how the test goes when I get a chance to implement the changes.