
New Member

RV325 - Very poor VPN Gateway-to-Gateway tunnel throughput

I have configured a Gateway-to-Gateway tunnel and the performance is horrible, especially downstream. I can upload via FTP at a speed of about 5.5 MByte/s, but during an upload the router's GUI is non-responsive and it also does not respond to SNMP queries. Download speed, also via FTP, is about 200 kByte/s !?!?!?!?

The connection to the internet is through a 250/250 Mbps fiber connection. The speed to the internet is great, I can upload/download via FTP at speeds exceeding 25 MByte/s; it is only the speed through the tunnel that is a problem.

I have tested the same tunnel configuration with a Cisco ASA 5506 and then everything works as expected.

Best regards,

Fredrik

 

5 REPLIES
VIP Purple

I don't use RV325's, but you may have an MTU issue. Does the RV325 support adjusting the MSS (like the ASA does)? If so, try making it lower and see if there is any impact.

New Member

Thanks Philip for the suggestion. I have changed the MTU size for the WAN1 interface, I have tried different values between 1100 and 1400, and the performance is still very poor, especially when downloading files.

One strange thing is that sometimes the download speed is a little bit better, about 1-2 MBytes/s, but most of the time the speed is 100-200 kByte/s. But nowhere near the advertised IPSec performance of the router (100 Mbps).

The problem only exists when using the Gateway-to-Gateway IPSec tunnel; internet speed and latency are great, up to 25 MBytes/s up & down and ping as low as 6 ms.

Also using the Cisco AnyConnect Mobility Client on a computer on the LAN works as expected.

 

VIP Purple

It smells like your service provider might be shaping traffic then.  Perhaps they have accidentally shaped IPSec traffic as well.  I would try contacting them and ask if they do shaping.

Bronze

I don't have first-hand experience with the RV325, but for what it's worth you may want to be skeptical of the advertised 100 Mbps throughput number.  I remember with the older RV4000s, site to site VPN would be 2 Mbps at best.  Newer generation gear should be better, but the point is it's very hard to provide high IPSec throughput beyond 10 Mbps without specialized hardware.

That being said, I'd try these steps if not done already:

1. Update to latest firmware

2. Disable SPI

3. If possible to modify the phase 2 encryption settings on the tunnel, try something simple and mainstream like 128-bit AES with SHA-1.
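
Added example, not part of any reply in this thread and not Cisco code: a Python calculation of how much room an ESP tunnel-mode packet leaves inside a given WAN MTU, which is the number the MTU/MSS suggestion above depends on. It assumes the "128-bit AES with SHA-1" phase 2 setting means AES-128-CBC with HMAC-SHA1-96 over IPv4; the function and constant names are illustrative.

```python
"""ESP tunnel-mode sizing: largest inner packet and TCP MSS that avoid fragmentation."""
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte, encrypted with the payload
NAT_T_UDP = 8      # extra UDP header when ESP is wrapped in UDP/4500 (NAT-T)
INNER_TCPIP = 40   # inner IPv4 (20) + TCP (20) headers, no options


@dataclass(frozen=True)
class EspProfile:
    iv_len: int    # per-packet IV carried in clear
    block: int     # cipher block size; plaintext is padded to a multiple of it
    icv_len: int   # truncated integrity check value appended to each packet


# Assumption: "128-bit AES with SHA-1" means AES-128-CBC with HMAC-SHA1-96.
AES128_CBC_SHA1 = EspProfile(iv_len=16, block=16, icv_len=12)


def _fixed_overhead(p, nat_t):
    return OUTER_IPV4 + ESP_HEADER + p.iv_len + p.icv_len + (NAT_T_UDP if nat_t else 0)


def max_inner_packet(wan_mtu, p=AES128_CBC_SHA1, nat_t=False):
    """Largest inner IP packet whose ESP encapsulation still fits in wan_mtu."""
    room = wan_mtu - _fixed_overhead(p, nat_t)
    if room < p.block:
        raise ValueError("WAN MTU too small for this ESP profile")
    return room // p.block * p.block - ESP_TRAILER   # whole cipher blocks only


def tcp_mss(wan_mtu, p=AES128_CBC_SHA1, nat_t=False):
    """MSS to clamp to so full-size TCP segments never need fragmenting."""
    return max_inner_packet(wan_mtu, p, nat_t) - INNER_TCPIP


def encapsulated_size(inner_len, p=AES128_CBC_SHA1, nat_t=False):
    """On-the-wire size of one inner packet after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block   # round up
    return _fixed_overhead(p, nat_t) + padded


if __name__ == "__main__":
    for mtu in (1500, 1400, 1100):   # 1500 = Ethernet default; others from the thread
        print(mtu, max_inner_packet(mtu), tcp_mss(mtu), encapsulated_size(1500))
```

With a 1500-byte WAN MTU this gives an inner packet limit of 1438 bytes and an MSS of 1398, while a full 1500-byte LAN packet grows to 1560 bytes on the wire and has to be fragmented.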

New Member

Thanks for all the suggestions!

I have found something in the logs that might have some relevance to the problem: every time the tunnel is established and "sent QI2" (#2 and #6) is present in the log, the speed is about 10 Mbps and the response time is ~16 ms; if "Sent QI2" is not present in the log, the speed is below 1 Mbps and the response time is ~14 ms.

Does anyone know what "Sent QI2" means?

2016-03-11, 12:06:55 VPN Log [g2gips0] #2: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x610723c4 < 0xc0d8e24a}

2016-03-11, 18:54:55 VPN Log [g2gips0] #3: [Tunnel Established] IPsec SA established {ESP=>0x446096a7 < 0xc8e7d7d1}

2016-03-12, 00:32:10 VPN Log [g2gips0] #4: [Tunnel Established] IPsec SA established {ESP=>0xbc27847b < 0xcf9cff0c}

2016-03-12, 01:37:11 VPN Log [g2gips0] #6: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x43272cde < 0xc8612d8f}
