How fast are your connections? Do you see a slow ping response when you ping from device to device on their external addresses? What devices are you using? What is the CPU showing on the devices, eg are they under load?
Now you are saying that the ping between the host A and host B is slow. Please correct me if I am wrong but if I am correct then please try the ping test.
From Host A (if it is a windows machine) open the command prompt and enter this command: ping -f -l 1400 192.168.10.1.
In general you will get this message: "Packet needs to be fragmented but DF set" or you will see a successful reply.
If you see the packet need to be fragmented message then try to reduce the size of the packet being sent across the VPN tunnel i.e. instead of using 1400, try 1380 and the command becomes ping -f -l 1380 192.168.10.1. you will have to keep reducing the size of the packet as we did from 1400 to 1380 and further to 1360 and so on until you receive a successful reply.
Try the same thing from Host B to Host A and lets say you receieve a successful reply at 1350 then run the command on the ASA "show run all sysopt" and you will see some what similar output:
no sysopt connection timewait
sysopt connection tcpmss 1380 <--This is the command that we need to play with
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
For example, if you recieve reply at 1350 then reduce 50 ( approx. ipsec header size) from 1350 and set the sysopt connection tcp mss to 1300 and if you received reply at 1300 then after reducing 50, we will set the tcp mss to 1250.
i.e. on the ASA set tcp mss size to 1300 or 1250.
Also apply this command: crypto ipsec df-bit clear-df inside on both the ASA's.
Please follow these steps on both the ASA's and let me know if this helps.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...