I have a site-to-site VPN set up between a 7206VXR and a 2801. Every time I bring the tunnel interfaces up, the machines at the remote end begin to experience extreme latency. I have tried adjusting the bandwidth on the tunnel interface and decreasing the MSS setting on the tunnel interface, but with no luck. Below are the configs and output of the show commands:
Is the slowness noted when using any type of secure applications (SharePoint, Exchange)? If so, you might be running into a packet fragmentation issue (encrypted packets hate it). Try adjusting down the MTU allowed, either on the routers or the end-node hosts. The best way I've found is to use an MTU adjustment tool on the workstations and set it around 1300 (the same amount I think the Cisco VPN client adjusts to).
The slowness occurs as soon as I perform a "no shut" on the interfaces and the tunnel comes up. Unfortunately, due to the number of hosts, I can't change the MTU size on each host. I tried changing the MTU on the router interface but get the same results as before... extreme latency almost immediately.
On the router you can try additional commands, mss-adjust and PMTU Discovery (there is a known DoS issue with that, though), along with adjusting the MTU on the interface. They seem to be intermittent in effect. If the hosts are running a local firewall, they may block the PMTUD notifications as bad traffic and ignore the router trying to help out. These commands have helped intermittently for me, as they change/modify the hosts with security updates.