Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

vpn traffic slower than expected

I set up a site to site vpn tunnel between a 2621x router and an ASA 5510 (T3 line for router and E1 for ASA). Speeds is expected to be slower than "internet" but what I am seeing is very very slow speeds. This happens with anything from downloading (large and small) files across the tunnel, citrix connections across the tunnel, remote desktop controlling a machine across the tunnel, etc. Pings across the tunnel result in these times:

bytes=32 time=206ms TTL=127

bytes=32 time=177ms TTL=127

bytes=32 time=202ms TTL=127

bytes=32 time=229ms TTL=127

Both endpoints are outside interfaces that all internet traffic also passes through from the respective sites. The MTU setting on the router is 4470 and the ASA is the default 1500. I'm not sure if that should have an effect on anything. I also disabled pre-fragmentation and no luck.

Anythign else I can look for and can do to get this to improve?


Some more notes:

Come to think of it, the way the tunnel is setup is that it has 2 peers (2 ISPs), both being NAT addresses of the outside interface of the ASA. I have it configured as such on my 2621x router:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key somepassword address

crypto isakmp key somepassword address


crypto ipsec transform-set TUNNEL esp-3des esp-md5-hmac


crypto map SDM_CMAP_1 1 ipsec-isakmp

description SiteToSite Tunnel to Remote Site

set peer

set peer

set transform-set TUNNEL

match address 107

What this should do, I think, is that it will only connect to one peer, and if that fails, should connect to the other. The dynamics behind I don't know like its whoever gets connected first will be the endpoint or there is some priority. In anycase, each time I will only see one endpoint being connected but is the traffic being "split" in half between the two? Is that why it would be slow?


Re: vpn traffic slower than expected

Remove the one end point IP address and try with one end point IP alone.

CreatePlease to create content