Cisco Support Community
Community Member

Hub and Spoke VPN network, very slow inter-site

Hello all, hoping someone can give a quick bit of advice...

I have 20 dispersed sites each with 5Mb leased lines, and a central hub site with a 100Mb uplink to a top tier service provider. All of the remote sites talk to each other through the hub. This is essentially just 20 L2L connections with hairpinning enabled on the outside int of the hub site.

The hub can talk to all sites at 5Mb (upload and download to those sites at 500KB/s), and with a direct tunnel between any 2 of them I get the full 5Mb, but going via the hub site the maximum transfer speed I can achieve is only 100KB/s.

Is this to be expected with the additional encaps/decaps and encrypts/decrypts that going over the 2nd tunnel to reach the destination brings? Or does it sound as though things aren't quite functioning correctly?

All performance figures on the hub firewall look absolutely fine, pretty constant 20% cpu usage and 50% mem usage, no unusual interface statistics etc. All firewalls are ASA5520.

Any thought or suggestion would be greatly appreciated.


Community Member

Re: Hub and Spoke VPN network, very slow inter-site

Anyone have any experience with this kind of setup, or any idea what the performance impact should be assuming 50ms latency between all remote sites and the hub? I understand that the decryption and encryption on the hub will add some delay, but I wouldn't expect an 80% drop in transfer rate between any 2 remote sites...

I'm at a loss, so any thoughts greatly appreciated.


Re: Hub and Spoke VPN network, very slow inter-site


Is this a DMVPN??


Re: Hub and Spoke VPN network, very slow inter-site

OK, so you have 20 L2L and you are doing hairpinning. I know that the encap/decap -- encap/decap will produce a delay. I don't know if ASAs are the best option for fully meshed VPNs.
