We have a VPN Tunnel established between an ASA5510 at our home office and an ASA5505 at a remote office.
The tunnel is working properly, however the performance across the IPSEC tunnel is very poor. The tunnel is set up so that the remote 5505 sends 100% of its traffic back to the home office 5510 (including regular Internet traffic).
The strange part of this problem is that on the remote 5505 side we can easily get 4.5 Mbps downloads from the Internet, yet we can barely break 1 Mbps when talking to internal devices on the other side of the home office 5510.
So to summarize...
ALL traffic from the 5505 goes over the IPSEC tunnel which terminates on a 5510. The 5510 serves as the VPN endpoint as well as the Internet Firewall. When users on the 5505 side surf the Internet (which ultimately goes out the 5510), it is fast, while users on the 5505 side that are accessing resources on the network that is on the other side of the 5510 are slow.
Why would all internal tunneled traffic be slow, while all Internet traffic (also tunneled) be fast?
We have analyzed each leg of the connection and everything in between seems to have proper performance, and we have also experimented with the fragmentation settings with no success.
Re: ASA5510 to ASA5505 Slow Performance over Tunnel
I believe we have resolved this issue. It appears that the ASA 5505 was not properly auto negotiating with the Cisco 3550 switch that it was connected to. There also appears to be a similar auto negotiation problem with various brands of cable modems as well. When we set the 5505's outside interface port to 10 Mbps / Full Duplex (according to the ISP, the 3550 was statically set to 10 Full), we then began receiving the throughput we expected to see.
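
A check for the kind of speed/duplex mismatch described in the reply above, as an added example that is not part of the original thread: it parses `show interface` style text and flags interfaces that auto-negotiated to half duplex or that show late collisions or CRC errors. The sample output, its counters and the `audit` function are constructed for illustration, and the line layout is an assumption about ASA output.

```python
import re

# Constructed sample in the style of ASA "show interface" output (not from the thread).
SAMPLE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1544 output errors, 3120 collisions, 0 interface resets
        1544 late collisions, 212 deferred
Interface Ethernet0/1 "inside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
"""

HEADER = re.compile(r'^Interface (\S+) "([^"]*)"', re.M)
# Configured mode, then the mode actually in use in parentheses.
DUPLEX = re.compile(r'(\w+)-Duplex\((\w+)-duplex\)')

def counter(block, label):
    """Return the integer printed before `label`, or 0 if the label is absent."""
    m = re.search(r'(\d+) ' + re.escape(label), block)
    return int(m.group(1)) if m else 0

def audit(text):
    """Map each interface's nameif to a list of duplex-mismatch indicators."""
    findings = {}
    headers = list(HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[h.start():end]
        notes = []
        d = DUPLEX.search(block)
        # A hard-set peer sends no negotiation, so the auto side falls back to half.
        if d and d.group(1) == "Auto" and d.group(2) == "Half":
            notes.append("auto-negotiated to half duplex; check if the peer port is hard-set")
        if counter(block, "late collisions"):
            notes.append("late collisions (typical on the half-duplex side of a mismatch)")
        if counter(block, "CRC"):
            notes.append("CRC errors (typical on the full-duplex side of a mismatch)")
        findings[h.group(2)] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit(SAMPLE).items():
        print(name, "->", notes or "no mismatch indicators")
```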