I've got two sites using ASA 5505's connected with an IPsec tunnel.
Site 1 has a 50Mb symmetrical pipe
Site 2 has a 45Mb symmetrical pipe
Site 1 has normal access speeds and contains all of the servers, etc.
Site 2 accesses all of the resources from Site 1
Site 2 gets a maximum of 4Mb/s throughput through every single test I've thrown at it. No matter what I change, I can't seem to get normal performance of 45Mb/s.
If I disable the VPN, then I get the full 45Mb/s speed from Site 2 to the internet.
What I've done so far:
I've set the MTU on the outside interface of each ASA to be anywhere from 1300-1380 as suggested in some Cisco documents. I've also adjusted the TCP-MSS value from 1300-1380 and this made the connection so slow that my users all complained that they were unable to work.
If I run a test for fragmentation (Ex. "ping -f -l 1380 <site2>") I get fragmentation messages until I reduce the packet size to 1280 or below, but I don't want to set my MTU values on the ASA that low because I don't know the repercussions.
Where are you doing these PING tests to determine MAX MTU along the path? Are you doing these tests over vpn tunnel or internet?
You can try the following to deal with fragmentation:
>>crypto ipsec fragmentation before-encryption
>>crypto ipsec df-bit clear-df outside
The DF bit with IPSec tunnels feature lets you specify whether the security appliance can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether a device is allowed to fragment a packet.
Use the crypto ipsec df-bit command in global configuration mode to configure the security appliance to specify the DF bit in an encapsulated header.
When you encapsulate tunnel mode IPSec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also this setting is appropriate if you do not know the available MTU size.
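As an added illustration, not part of the thread, here is the arithmetic behind these MTU and MSS numbers: a small ESP tunnel-mode overhead calculator, assuming AES-CBC with HMAC-SHA1-96 and an IPv4 outer header (other suites change the IV and ICV constants), run against the 1500 default and the 1300-1380 outside-interface MTUs mentioned above.

```python
# Added example, not from the thread: size arithmetic for ESP tunnel-mode
# encapsulation, to show how much of the outside MTU the inner packet can use.
# Assumed suite: AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV),
# IPv4 outer header; NAT-T adds a UDP/4500 header on top of that.

OUTER_IPV4 = 20    # new outer IP header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
IV_LEN = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_LEN = 12       # HMAC-SHA1-96 (use 16 for HMAC-SHA256-128)
UDP_NAT_T = 8      # UDP header when NAT traversal encapsulation is active
CIPHER_BLOCK = 16  # inner packet + padding + trailer must be a block multiple


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation with the assumed suite."""
    padding = (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK
    size = (OUTER_IPV4 + ESP_HEADER + IV_LEN
            + inner_len + padding + ESP_TRAILER + ICV_LEN)
    return size + UDP_NAT_T if nat_t else size


def max_inner_packet(path_mtu: int, nat_t: bool = False) -> int:
    """Largest inner (cleartext) IP packet whose encapsulated form still fits
    in path_mtu, i.e. needs no post-encryption fragmentation."""
    inner = path_mtu
    while esp_tunnel_size(inner, nat_t) > path_mtu:  # size grows with inner
        inner -= 1
    return inner


def max_ping_payload(path_mtu: int, nat_t: bool = False) -> int:
    """Largest 'ping -f -l N' value that crosses the tunnel unfragmented
    (IPv4 header 20 + ICMP echo header 8 = 28 bytes of overhead)."""
    return max_inner_packet(path_mtu, nat_t) - 28


def max_tcp_mss(path_mtu: int, nat_t: bool = False) -> int:
    """TCP MSS that keeps full-size segments unfragmented (IPv4 20 + TCP 20)."""
    return max_inner_packet(path_mtu, nat_t) - 40


if __name__ == "__main__":
    # Sample outside-interface MTUs: the 1500 default and values tried in the thread.
    for mtu in (1500, 1380, 1300):
        for nat_t in (False, True):
            print(f"outside MTU {mtu:4d} nat-t={str(nat_t):5s}: "
                  f"max inner {max_inner_packet(mtu, nat_t)}, "
                  f"ping -l {max_ping_payload(mtu, nat_t)}, "
                  f"tcp-mss {max_tcp_mss(mtu, nat_t)}")
```

Lowering the outside-interface MTU shrinks every one of these figures, which is why an MTU of 1300-1380 on the ASA pushes the unfragmented ping size well below the 1380 that fits a 1500-byte path.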