We have an office in Asia which is connected to our New York location using l2l IPSec through the internet. They claim that they have guaranteed bandwidth of 2MB with their local ISP. They are using the MRTG application to monitor the bandwidth and it is reporting that only 512K is being utilized on the link. They think it is something with the firewall or it is because of the IPSec. We have the IPSec interface set to auto negotiation and the interface stats do not seem to be anything out of the ordinary. What could it be?
It could be drops in the path between the 2 ISP endpoints.
500Kbps for VPN are probably not enough to oversubscribe the ASA. Make sure you are not high cpu ("sh cpu" will show it). And if the device is not high CPU it is probably not due to VPN oversubscription.
Then, in order to see if there is packet loss in the path I would capture packets on the endpoints and try to see if there are packets that leave one endpoint and don't make it to the other. IP ids are unique in the capture, so you can use them to identify the packets.
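The capture comparison suggested above, as an added Python example that is not part of the original reply: it reads two classic pcap files and lists the IP IDs that left one side and never arrived at the other. It assumes both captures are taken on the cleartext (inside) side of each tunnel endpoint with no NAT in between, and that the window is short enough that the 16-bit IP ID does not wrap; the addresses and sample packets are constructed.

```python
import struct

def build_pcap(packets, linktype=101):
    """Constructed capture: classic pcap file holding raw IPv4 packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for pkt in packets:
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

def ipv4(src, dst, ip_id, payload=b"x" * 8):
    """Constructed 20-byte IPv4/TCP header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       0, 64, 6, 0, bytes(src), bytes(dst)) + payload

def packet_keys(pcap):
    """Set of (src, dst, proto, ip_id) for every IPv4 packet in a pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    skip = {1: 14, 101: 0}[linktype]   # Ethernet header or raw IP
    keys, off = set(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16 + skip: off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) >= 20 and pkt[0] >> 4 == 4:
            ip_id = struct.unpack_from("!H", pkt, 4)[0]
            keys.add((pkt[12:16], pkt[16:20], pkt[9], ip_id))
    return keys

def lost_in_path(sender_pcap, receiver_pcap):
    """IP IDs that left the sending side but never reached the receiver."""
    missing = packet_keys(sender_pcap) - packet_keys(receiver_pcap)
    return sorted(key[3] for key in missing)

# Constructed sample: six packets leave Asia, four arrive in New York.
ASIA, NY = (10, 1, 1, 10), (10, 2, 2, 20)   # hypothetical inside hosts
SENT = build_pcap([ipv4(ASIA, NY, i) for i in range(100, 106)])
RECEIVED = build_pcap([ipv4(ASIA, NY, i) for i in (100, 101, 103, 105)])

if __name__ == "__main__":
    print("IP IDs lost in path:", lost_in_path(SENT, RECEIVED))
```

Fragments of one datagram share an IP ID, so a fragmented packet counts as delivered as soon as any fragment shows up in the receiving capture.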
It could be the application. The latency between Asia and New York might be too high to let the TCP frame size ramp up. Try putting some sort of WAN killer behind it and see what your true non-application restricted throughput is.
To your original question. No, there is no bandwidth limitation in IPSEC. Only hardware limitations of the crypto engine, but that only applies when you get into much higher BW numbers. (Unless you have a 2611 which does under 1M of 3DES throughput.)
Another thing you may want to consider is the MTU of the link. Try setting the MTU down to 1360 on the incoming interfaces or ip tcp adjust-mss 1360. This will prevent the applications from over ramping the TCP windows.