
PPTP performance through ASA5520 very poor

mabouchard
Level 1

We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of throughput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself as I can connect to VPN from the LAN and the throughput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff set up as I should. I even went through these steps as recommended by Cisco.

hostname(config)# class-map pptp-port

hostname(config-cmap)# match port tcp eq 1723

hostname(config-cmap)# exit

hostname(config)# policy-map pptp_policy

hostname(config-pmap)# class pptp-port

hostname(config-pmap-c)# inspect pptp

hostname(config-pmap-c)# exit

hostname(config)# service-policy pptp_policy interface outside

Any insight is appreciated.

Thanks

7 Replies

Maykol Rojas
Cisco Employee

Hi,

Are you getting the same low throughput for regular connections across the ASA? If this is only happening when using PPTP, it may suggest a problem with MTU (cuz of the overhead that GRE causes to the packets).

Let me know.

Mike


The throughput on the firewall seems to be fine. I have not tested it by just NATing a public address to private but doing bandwidth testing we are getting ~70MB on a 100MB pipe. When you are referring to MTU are you talking about on the firewall or on the RRAS server, or both?

Mainly on the ASA...

Do you use this VPN connection to go to the internet?

Mike


Yes,

It is our main Internet firewall and also used for client VPN access. I have read that RRAS has some dynamic MTU negotiation that can supposedly be set to not do the negotiation but not sure if that will help.

What I am concerned about is the overhead that NAT and GRE can cause to the packets, hence making the packet too big so that the firewall has to fragment it.... Have you changed the MTU on the ASA? Can you run a capture inside and outside of the firewall to see how big the packets are?

Mike


I verified that MTU on the outside interface of the ASA was 1500. I will need to look at doing a packet capture. From what I understand 1500 is as high as you can go on a 5520? What would a solution be if they were larger than that?

I don't really think they would be... The captures need to be on both interfaces... inside and outside, here is an example. Here is the link on how to configure the captures...

https://supportforums.cisco.com/docs/DOC-1222

Mike
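
One way to act on the capture suggestion in the replies above, added here as an example and not posted by either participant: parse the IPv4 and enhanced GRE (PPTP, RFC 2637) headers of captured packets, report the encapsulation overhead and flag fragments. The packet bytes are constructed samples with documentation addresses, and the function names are hypothetical.

```python
import struct

GRE_PROTO = 47          # IP protocol number for GRE
PPTP_PPP_TYPE = 0x880B  # protocol type in PPTP's enhanced GRE header (RFC 2637)

def parse_ipv4(pkt):
    """Pull the IPv4 fields that matter for fragmentation analysis."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8}

def inspect(pkt):
    """Report size, fragmentation and PPTP encapsulation overhead for one packet."""
    ip = parse_ipv4(pkt)
    out = {"total_len": ip["total_len"], "df": ip["df"], "pptp_gre": False,
           "fragmented": ip["mf"] or ip["frag_offset"] > 0}
    # Only the first fragment (offset 0) carries the GRE header.
    if ip["proto"] == GRE_PROTO and ip["frag_offset"] == 0:
        flags, ptype, ppp_len, _call_id = struct.unpack(
            "!HHHH", pkt[ip["ihl"]:ip["ihl"] + 8])
        if (flags & 0x0007) == 1 and ptype == PPTP_PPP_TYPE:  # GRE version 1
            # Sequence (S bit) and acknowledgment (A bit) fields are optional.
            gre_len = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)
            out.update(pptp_gre=True, overhead=ip["ihl"] + gre_len, ppp_len=ppp_len)
    return out

def sample(total_len, flags_frag, gre_flags, ppp_len):
    """Constructed headers only (as from a truncated capture), not real traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64,
                     GRE_PROTO, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    gre = struct.pack("!HHHHII", gre_flags, PPTP_PPP_TYPE, ppp_len, 7, 1, 1)
    return ip + gre

if __name__ == "__main__":
    packets = {
        "first fragment (MF set)": sample(1500, 0x2000, 0x3081, 1500),
        "trailing fragment": sample(56, 185, 0x3081, 0),
        "fits in one packet": sample(1436, 0x4000, 0x3081, 1400),
    }
    for name, pkt in packets.items():
        print(name, inspect(pkt))
```

Running the same check over the inside and the outside capture shows on which side of the firewall fragments first appear.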
