Cisco Support Community
New Member

Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Hello,

I've got two sites connected to each other using Cisco ASA 5505's and an IPsec tunnel.

A little diagram of the setup:

[ASA 5505] --- 50Mb u/d pipe ---> [Internet] <----- 45Mb u/d pipe ---- [ASA5505]

[Hou]                                                                                             [Kat]

The throughput from Kat to the internet seems to be only about 1-3Mb/s u/d instead of 45Mb with the VPN tunnel active. Testing the connection outside of the tunnel results in full 45Mb u/d speeds.

I've also done some reading about adjusting the MTU outside value on the ASA's to be anywhere from 1350-1380. After making this change I notice no difference. If anything it makes the connection slower. I've also adjusted the tcp-mss values from anywhere between 1300 and 1380. Every tested value basically has the users saying that they cannot work at all.

If I run a "ping -f -l <size> <target>" across the tunnel, I get fragmentation errors all the way until I set the packet size to 1280 or lower. I'm afraid to set the MTU on the outside that small because I don't know what the repercussions may be on the network.

What else should I be looking at so that we can get use of the full 45Mbs of the connection instead of functioning like we are on a T-1? Do I need to lower the MTU to the 1280 number? Change encryption, etc.?

Configs available on request.
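The `ping -f -l <size>` test described in the post above can be automated to find the exact largest unfragmented packet and the TCP MSS that fits it. This is an added example, not part of the original thread: the function names are hypothetical, the reply parsing assumes English Windows `ping` output, and each size is retried so that an occasional lost ping is not read as a fragmentation failure.

```python
import re
import subprocess
import sys

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20  # IPv4 and TCP without options, ICMP echo header

def reply_ok(ping_output):
    """True if the output holds an echo reply (assumes English Windows ping text)."""
    return bool(re.search(r"bytes=\d+.*TTL=\d+", ping_output))

def windows_df_probe(target):
    """Build probe(size): one `ping -f -l <size> <target>` with DF set."""
    def probe(size):
        cmd = ["ping", "-n", "1", "-f", "-l", str(size), target]
        return reply_ok(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return probe

def largest_df_payload(probe, lo=0, hi=1472, tries=3):
    """Binary-search the largest ICMP payload that crosses the path unfragmented.

    Each size is tried up to `tries` times so that an occasional lost ping is
    not mistaken for a fragmentation failure.
    """
    def passes(size):
        return any(probe(size) for _ in range(tries))
    if not passes(lo):
        return None  # target unreachable even with the smallest packet
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def derive(payload):
    """Turn the ICMP payload size into the path MTU and the matching TCP MSS."""
    mtu = payload + IP_HDR + ICMP_HDR
    return {"path_mtu": mtu, "tcp_mss": mtu - IP_HDR - TCP_HDR}

if __name__ == "__main__":
    best = largest_df_payload(windows_df_probe(sys.argv[1]))
    print("unreachable" if best is None else derive(best))
```

A largest passing payload of 1280 bytes corresponds to a 1308-byte packet on the path and a TCP MSS of 1268.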

8 REPLIES
New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

AES is faster than 3DES, but I don't think that's your problem. What methods do you use to test your connection?

In my experience MTU problems are getting rare, but it might be a router on the way that sits with a small MTU. It shouldn't be a problem to reduce it to test.

Are you seeing anything in the ASA logs?

Can you ping the remote peer IP outside the tunnel?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

I'm not too sure about the logging because I'm still somewhat of a novice when it comes to the tunneling and ASA's in general.

I'm able to ping the public IP of the peer inside and outside the tunnel. The method of testing was using iperf.exe and speedtest.net (which I'm told is not reliable for these tests). Iperf.exe was only showing the following results over the course of the day:

0.54 Mb/s down - 3.03 Mb/s up

3.01 Mb/s down - 4.3 Mb/s up

1.76 Mb/s down - 2.73 Mb/s up

      

*edit* with iperf.exe I was testing to and from peers on opposite ends of the tunnel.

New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Have you checked the sh interfaces to rule out duplex error on one of the ciscos?

Also can you use ftp transfer to check the speed?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Just to make sure I swapped all interfaces to be "speed 100" with "full duplex". The only uncontrolled variable is the ISP's router, but everything works at full speed if I take the VPN tunnel out of the equation.

As for the speed test:

FTP transfer speed varied between 115KB/s - 285KB/s with a 1GB file.

Not sure if this is important either, but about every 15-25 seconds I'll get a timeout if I run a constant 32B ping.

New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

What ASA firmware are you running on these devices?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Hou side is 7.2(4)

Kat side is running 8.2(5)

New Member

Re: Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Any chance you could move up in firmware? Latest is 9.1(3) I think.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
New Member

Low Throughput - ASA Site-To-Site VPN (possible MTU problem)

Did you ever get this fixed?
