We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of throughput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself as I can connect to VPN from the LAN and the throughput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff set up as I should. I even went through these steps as recommended by Cisco.
Are you getting the same low throughput for regular connections across the ASA? If this is only happening when using PPTP, it may suggest a problem with MTU (because of the overhead that GRE causes to the packets).
The throughput on the firewall seems to be fine. I have not tested it by just NATing a public address to private but doing bandwidth testing we are getting ~70MB on a 100MB pipe. When you are referring to MTU are you talking about on the firewall or on the RRAS server, or both?
It is our main Internet firewall and also used for client VPN access. I have read that RRAS has some dynamic MTU negotiation that can supposedly be set to not do the negotiation but not sure if that will help.
What I am concerned about is the overhead that NAT and GRE can cause to the packets, hence making the packet too big and the firewall has to fragment it... Have you changed the MTU on the ASA? Can you run a capture inside and outside of the firewall to see how big the packets are?
I verified that MTU on the outside interface of the ASA was 1500. I will need to look at doing a packet capture. From what I understand 1500 is as high as you can go on a 5520? What would a solution be if they were larger than that?
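For the inside/outside capture comparison suggested above, an added example that is not part of the original thread: a reader for classic pcap files that reports, per IP protocol, the packet count, fragment count, DF-set count and largest IP length, so GRE (protocol 47) fragmentation shows up directly. It assumes a little-endian classic pcap with Ethernet link type; the function names are hypothetical and the sample capture is constructed.

```python
import struct

GRE = 47  # IP protocol number for GRE, which carries the PPTP data channel

def summarize_pcap(data):
    """Per-IP-protocol stats from a classic little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    stats, off = {}, 24                       # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4 over Ethernet
        # IPv4 header starts at byte 14: total length, id, flags+fragment offset
        total_len, _ident, flags_frag = struct.unpack_from("!HHH", frame, 16)
        proto = frame[23]
        s = stats.setdefault(proto, {"packets": 0, "fragments": 0, "df": 0, "max_len": 0})
        s["packets"] += 1
        s["df"] += bool(flags_frag & 0x4000)          # Don't Fragment bit set
        s["fragments"] += bool(flags_frag & 0x3FFF)   # MF set or offset != 0
        s["max_len"] = max(s["max_len"], total_len)
    return stats

def _frame(proto, total_len, flags_frag):
    """Constructed Ethernet + IPv4 headers only (no payload bytes stored)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample():
    """Constructed capture: a GRE packet split into two fragments, plus one TCP packet."""
    frames = [_frame(GRE, 1500, 0x2000),   # first fragment, More Fragments set
              _frame(GRE, 68, 0x00B9),     # last fragment, offset 185 * 8 = 1480
              _frame(6, 1500, 0x4000)]     # TCP, Don't Fragment set
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for proto, s in sorted(summarize_pcap(build_sample()).items()):
        print(proto, s)
```

A nonzero GRE fragment count on one side of the firewall but not the other points at fragmentation happening on the device in between.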