Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Is there Bandwidth limitation using IPSec ?

We have an office in Asia which is connected to our New York location using l2l IPSec through the internet. They claim that they have guaranteed bandwidth of 2MB with their local ISP. They are using MRTG apllication to monitor the bandwith and it is reporting that only 512K is being utilized on the link. They think it is something with the firewall or it is because of the IPSec. We have the IPSec interface set to auto negotiation and the interface stats does not seem to be anything out of the ordinary. What could it be ?

2 REPLIES
Cisco Employee

Re: Is there Bandwidth limitation using IPSec ?

It could be drops in the path between the 2 ISP endpoints.

500Kbps for VPN are probably not enough to oversubscribe the ASA. Make sure you are not high cpu (sh cpu" will show it). And if the device is not high CPU it is probably not due to VPN oversubscription.

Then, in order to see if there is packet loss in the path I would capture packets on the endpoints and try to see if there are packets that leave one endpoint and don't make it to the other. IP ids are unique in the capture, so you can use them to identify the packets.

I hope it helps.

PK

New Member

Re: Is there Bandwidth limitation using IPSec ?

It could be the application. The latency between Asia and New York might be to high to let the TCP frame size

ramp up.Try putting some sort of WAN killer behind it and see what your true non-application restricted throughput is.

To your original question. No, there is no bandwidth limitation in IPSEC. Only hardware limitations of the crypto engin, but that only applies when you get into much higher BW numbers. (Unless you have a 2611 which  does under 1M of 3DES throughput.)

Another thing your may want to consider is the MTU of the link. Try setting the MTU down to 1360 on the incoming interfaces or  ip tcp adjust-mss 1360. This will prevent the applications from over ramping the TCP windows.

1023
Views
0
Helpful
2
Replies
CreatePlease to create content