Hello, we're having a slowness issue over our P2P VPN. We have a hub and spoke setup.
All are simple IPSEC tunnels with DES encryption. I've checked all connections for speed/duplex issues, all seem fine. I was wondering about MTU issues. If that's the case, what are my best options to resolve the latency?
The reason I think it's an MTU issue is this: from one of the spoke sites, I can connect with my XP laptop and browse without much trouble, but 2000 machines are god-awful slow. I checked the MTU of my laptop and it's set to 1300. The 2000 machines are default which I'm assuming is 1500, thus my grand conclusion.
It could be an mtu issue. On the spoke and head-end units, run the show sysopt command and note if any connection tcpmss is not 1380. That is the default value that the pix uses to work properly when it terminates IPSec vpn tunnels.
Is any spoke site connected via PPPoE (or PPPoA in the provider network)? If so, then the effective interface mtu is 1492, and if you do not allow icmp to and from the pix (note: this is not the same as through the pix) then path mtu discovery is broken. Your XP ws is using an mtu of 1300 so it won't encounter the problem. Either adjust the spoke pix sysopt connection tcpmss to something like 1300, or adjust the interface mtu to 1492.
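The packet-size arithmetic behind the reply above, as an added example that is not part of the original thread: it computes how large a TCP segment becomes once wrapped in ESP tunnel mode and compares it with a 1500-byte and a 1492-byte (PPPoE) link. Assumptions not stated in the thread: IPv4 with no IP/TCP options, DES-CBC with an 8-byte IV, a 12-byte HMAC-96 integrity value, and optional NAT-T UDP encapsulation; all function names are illustrative.

```python
# Added example: ESP tunnel-mode size arithmetic for TCP through an IPsec tunnel.
# Assumed (not from the thread): IPv4, no options, DES-CBC, HMAC-96 authentication.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
DES_BLOCK = 8      # DES-CBC block size
DES_IV = 8         # per-packet IV
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV = 12           # truncated HMAC (assumed)
NAT_T_UDP = 8      # UDP header added by NAT-T, if in use

def esp_packet_size(inner_len, nat_t=False):
    """Outer IPv4 packet size for an inner packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // DES_BLOCK) * DES_BLOCK   # round up to a block
    size = IP_HDR + ESP_HDR + DES_IV + padded + ICV
    return size + (NAT_T_UDP if nat_t else 0)

def outer_size_for_mss(mss, nat_t=False):
    """Encrypted packet size for a full-sized TCP segment with this MSS."""
    return esp_packet_size(mss + IP_HDR + TCP_HDR, nat_t)

def max_mss_for_link(link_mtu, nat_t=False):
    """Largest MSS whose encrypted packet fits link_mtu unfragmented."""
    mss = link_mtu - IP_HDR - TCP_HDR
    while mss > 0 and outer_size_for_mss(mss, nat_t) > link_mtu:
        mss -= 1
    return mss

def report(link_mtu, host_mtus=(1500, 1300), clamp=1380):
    """Rows of (host MTU, case, MSS, outer size, fits) with and without clamping."""
    rows = []
    for host_mtu in host_mtus:
        host_mss = host_mtu - IP_HDR - TCP_HDR
        for label, mss in (("unclamped", host_mss),
                           ("clamped", min(host_mss, clamp))):
            outer = outer_size_for_mss(mss)
            rows.append((host_mtu, label, mss, outer, outer <= link_mtu))
    return rows

if __name__ == "__main__":
    for link in (1500, 1492):
        print(f"link MTU {link}: largest safe MSS {max_mss_for_link(link)}")
        for row in report(link):
            print("  host MTU %d %-9s MSS %d -> outer %d fits=%s" % row)
```

Under these assumptions a host at MTU 1500 with no clamping produces 1552-byte encrypted packets, which fit neither link, while the 1380 clamp and the laptop's MTU of 1300 both stay under 1492.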
That's fine for testing, except that most of the clients at this site are thin clients (all but 3). WYSE terminals, I was told that you cannot change the MTU setting on them. Also, I don't want to have to change workstation settings. Can't the settings in the PIX be changed to remedy this?