Cisco Support Community

VPN stalls TCP connections


We are trying to install a P2P VPN tunnel using Cisco 7120+SA-ISA as endpoints.

Intranet <--> 7120 <--> WIFI LINK <--> 7120 <--> Intranet

The WiFi link, routing and so on work perfectly; iperf shows us 26 Mbits/sec real performance, which is fine for 801.11G. Interfaces on the 7120s are clean of any errors.

When we enable IPSEC, the tunnel is established and visible with "show crypto" commands; status seems to be good.

When we try to ping over the VPN, it works.

When we try to ssh over the VPN, it works as well, as long as not much data is passing through.

When we try something intensive like an iperf test, scp or a simple "find /" in ssh, that connection simply stalls. New connections can be opened in parallel, or ICMP echo requests can be running without interruption. It all seems as if the VPN tunnel disrupts the TCP connection badly when it gets intensive.

Here is the config from one of the routers; the other is basically the same with different IPs and an adjusted match list.


crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key <censored> address
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap local-address FastEthernet0/1
crypto map toindustry 10 ipsec-isakmp
 set peer
 set transform-set myset
 match address 101
no access-list 101
access-list 101 permit ip any


Plus the "crypto map toindustry" is set on the outside interface.

Can someone advise what this could be? All these symptoms somehow remind me of duplex mismatches :) But this is not the case here.



Re: VPN stalls TCP connections

You need to increase the MTU size for the VPN connection. A small MTU size for a VPN connection can cause large packets to get fragmented, and sometimes they may get dropped. Increase the MTU size using the command "mtu" on both routers. Following link may help you
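
Added example, not part of the thread or of either poster's text: the size arithmetic for the transform set in the posted config (esp-3des esp-sha-hmac, tunnel mode), showing why small packets such as pings fit while full-size TCP segments outgrow the link. The function names are hypothetical, and the 1500-byte path MTU, IPv4 and absence of NAT-T are assumptions.

```python
# Added example: ESP tunnel-mode packet sizes for the thread's transform set.
# Assumptions (not from the thread): IPv4, no NAT-T, 1500-byte path MTU.

OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), encrypted with payload
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options

# cipher -> (block size, IV size); integrity -> truncated ICV size (bytes)
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
ICVS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def esp_packet_size(inner_len, cipher="esp-3des", auth="esp-sha-hmac"):
    """On-wire size of one inner IP packet after ESP tunnel encapsulation."""
    block, iv = CIPHERS[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HEADER + iv + encrypted + ICVS[auth]


def max_inner_packet(path_mtu=1500, cipher="esp-3des", auth="esp-sha-hmac"):
    """Largest inner IP packet whose encapsulated form fits in path_mtu."""
    block, iv = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - ESP_HEADER - iv - ICVS[auth]
    return (room // block) * block - ESP_TRAILER


def max_tcp_mss(path_mtu=1500, cipher="esp-3des", auth="esp-sha-hmac"):
    """Largest TCP payload per segment that avoids fragmentation."""
    return max_inner_packet(path_mtu, cipher, auth) - TCP_IP_HEADERS


if __name__ == "__main__":
    # Constructed sample sizes: a default ping, and a full 1500-byte segment.
    for inner in (84, 1500):
        print(f"inner {inner:4d} B -> on the wire {esp_packet_size(inner)} B")
    print("largest inner packet that fits:", max_inner_packet(), "B")
    print("matching TCP MSS:", max_tcp_mss(), "B")
```
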