11-14-2011 03:54 PM - edited 03-11-2019 02:50 PM
We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of throughput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself as I can connect to VPN from the LAN and the throughput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there, which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff set up as I should. I even went through these steps as recommended by Cisco.
hostname(config)# class-map pptp-port
hostname(config-cmap)# match port tcp eq 1723
hostname(config-cmap)# exit
hostname(config)# policy-map pptp_policy
hostname(config-pmap)# class pptp-port
hostname(config-pmap-c)# inspect pptp
hostname(config-pmap-c)# exit
hostname(config)# service-policy pptp_policy interface outside
Any insight is appreciated.
Thanks
11-14-2011 05:10 PM
Hi,
Are you getting the same low throughput for regular connections across the ASA? If this is only happening when using PPTP, it may suggest a problem with MTU (cuz of the overhead that GRE causes to the packets).
Let me know.
Mike
11-14-2011 05:15 PM
The throughput on the firewall seems to be fine. I have not tested it by just NATing a public address to private but doing bandwidth testing we are getting ~70MB on a 100MB pipe. When you are referring to MTU are you talking about on the firewall or on the RRAS server, or both?
11-14-2011 06:50 PM
Mainly on the ASA...
Do you use this VPN connection to go to the internet?
Mike
11-14-2011 06:55 PM
Yes,
It is our main Internet firewall and also used for client VPN access. I have read that RRAS has some dynamic MTU negotiation that can supposedly be set to not do the negotiation but not sure if that will help.
11-14-2011 07:19 PM
What I am concerned about is the overhead that NAT and GRE can cause to the packets, hence making the packet too big so the firewall has to fragment it.... Have you changed the MTU on the ASA? Can you run a capture inside and outside of the firewall to see how big the packets are?
Mike
11-14-2011 08:04 PM
I verified that MTU on the outside interface of the ASA was 1500. I will need to look at doing a packet capture. From what I understand 1500 is as high as you can go on a 5520? What would a solution be if they were larger than that?
11-14-2011 09:05 PM
I don't really think they would be... The captures need to be on both interfaces... inside and outside, here is an example. Here is the link on how to configure the captures...
https://supportforums.cisco.com/docs/DOC-1222
Mike
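The GRE/PPTP overhead and fragmentation concern raised above, and the inside/outside capture Mike asks for, can be checked with a small script once the captures exist. The following is an added example and not part of the thread or any Cisco tool: it computes how much PPTP adds around an inner IP packet (header sizes taken from RFC 791, RFC 2637 and RFC 1661, with an uncompressed PPP header assumed), then walks a constructed list of raw IPv4 headers, as one would export from an ASA capture, and reports GRE packets that are fragments, exceed the 1500-byte outside MTU, or carry DF and would therefore be dropped rather than fragmented.

```python
import struct

# Assumed header sizes (RFC 791 / RFC 2637 / RFC 1661); these are the example's own figures.
OUTER_MTU = 1500      # outside-interface MTU reported in the thread
IPV4_HDR_LEN = 20     # outer IPv4 header without options
GRE_BASE_LEN = 8      # PPTP's enhanced GRE: flags/version, protocol, payload length, call ID
GRE_SEQ_LEN = 4       # optional sequence number field
GRE_ACK_LEN = 4       # optional acknowledgement number field
PPP_HDR_LEN = 4       # PPP address, control and protocol fields, uncompressed
PROTO_GRE = 47
PROTO_TCP = 6


def pptp_overhead(seq=True, ack=False):
    """Bytes PPTP wraps around one inner IP packet on the wire."""
    return (IPV4_HDR_LEN + GRE_BASE_LEN + (GRE_SEQ_LEN if seq else 0)
            + (GRE_ACK_LEN if ack else 0) + PPP_HDR_LEN)


def inner_mtu(outer_mtu=OUTER_MTU, seq=True, ack=False):
    """Largest inner IP packet that still fits a single outer frame (no fragmentation)."""
    return outer_mtu - pptp_overhead(seq, ack)


def build_ipv4(total_len, proto, df=False, mf=False, frag_off=0):
    """Construct a 20-byte IPv4 header (constructed test data, checksum left at zero)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5]))


def parse_ipv4(hdr):
    """Pull length, protocol and fragmentation fields out of a raw IPv4 header."""
    _, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"total_len": total_len, "proto": proto,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_off": flags_frag & 0x1FFF}


def analyze_capture(headers, mtu=OUTER_MTU):
    """Summarise GRE traffic in one interface's capture.

    fragments  : GRE packets that are pieces of a fragmented datagram (MF set or offset > 0)
    oversize   : GRE packets larger than the interface MTU (the ASA must fragment them)
    df_drops   : oversize GRE packets with DF set (cannot be fragmented; dropped, ICMP sent)
    """
    summary = {"packets": 0, "gre_packets": 0, "fragments": 0,
               "oversize": 0, "df_drops": 0, "max_gre_len": 0}
    for hdr in headers:
        pkt = parse_ipv4(hdr)
        summary["packets"] += 1
        if pkt["proto"] != PROTO_GRE:
            continue                      # PPTP control (TCP 1723) and other traffic ignored
        summary["gre_packets"] += 1
        summary["max_gre_len"] = max(summary["max_gre_len"], pkt["total_len"])
        if pkt["mf"] or pkt["frag_off"] > 0:
            summary["fragments"] += 1
        if pkt["total_len"] > mtu:
            summary["oversize"] += 1
            if pkt["df"]:
                summary["df_drops"] += 1
    return summary


# Constructed sample "capture": what an outside-interface trace might contain.
SAMPLE_CAPTURE = [
    build_ipv4(52, PROTO_TCP, df=True),              # PPTP control channel, TCP 1723
    build_ipv4(1500, PROTO_GRE, df=True),            # full-size GRE packet, fits the MTU
    build_ipv4(1520, PROTO_GRE, df=True),            # too big and DF set: dropped, not fragmented
    build_ipv4(1500, PROTO_GRE, mf=True),            # first fragment of a split GRE datagram
    build_ipv4(60, PROTO_GRE, frag_off=1480 // 8),   # last fragment of the same datagram
]

if __name__ == "__main__":
    print("PPTP overhead (seq only):", pptp_overhead(), "bytes")
    print("Inner MTU that avoids fragmentation:", inner_mtu())
    print("Capture summary:", analyze_capture(SAMPLE_CAPTURE))
```

Run the same function over the inside and outside captures: fragments or df_drops appearing only on one side point at the ASA doing the fragmenting, while the inner_mtu() figure gives a starting value for lowering the PPP MTU on the RRAS server so the encapsulated packets stay under 1500 bytes in the first place.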