Maximizing IPSec throughput in ASA 5550

Hello,

My company has a gigabit fiber connection at 2 sites. We originally had four Cisco ASA 5520s (1 active/standby at each site) and the VPN throughput using 3DES/SHA was 200-250Mbps between sites, which is the performance limit of the 5520 according to the Cisco site. We needed to upgrade in order to utilize more of our gigabit line so I got four of the Cisco ASA 5550s (active/standby at each site as well). According to the Cisco site the maximum VPN throughput is about 450Mbps. I set up the new ASAs with the exact same configuration and they are still only getting between 200-250Mbps throughput. I don't think the bottleneck is either of the connections because I can download from the web at up to 75MB/sec at both sites. Also, although they aren't a point-to-point gigabit line, they are very close geographically and I know there isn't any bottleneck between them. I tried changing around the IPSec configuration between 3DES, AES 128, and AES 256 but all have almost identical performance. I even tried DES just for kicks but no difference in performance. Here is a snippet from my VPN config:

crypto ipsec transform-set SITE-1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpnmap 10 match address ACL_SITE1
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set transform-set SITE-1
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal

From my experience, the firewalls don't have an exotic configuration. If it means anything, the access lists aren't that large (about 100 lines at each site). Also, the tests produce the same results day or night. Any ideas what could be causing this? I probably need to just open a ticket with Cisco TAC but wanted to see if anyone had suggestions first. Thanks!

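As an added illustration (not part of the original post or any Cisco tool), the script below parses the crypto-map lifetimes from the config above and works out how often the IPsec SA will rekey at the observed 250Mbps and the target 450Mbps; with `set pfs` each rekey also carries a group 2 DH exchange. The only assumption beyond the posted config is that the `kilobytes` lifetime counts 1024-byte kilobytes of traffic protected by the SA.

```python
import re

# Constructed copy of the crypto-map lines from the post above.
ASA_CONFIG = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpnmap 10 match address ACL_SITE1
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set transform-set SITE-1
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
"""

GLOBAL_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")
MAP_RE = re.compile(r"crypto map \S+ \d+ set security-association lifetime (seconds|kilobytes) (\d+)")
PFS_RE = re.compile(r"crypto map \S+ \d+ set pfs")


def parse_sa_lifetimes(config: str) -> dict:
    """Effective SA lifetimes: per-map values override the global defaults."""
    result = {"seconds": None, "kilobytes": None, "pfs": False}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m and result[m.group(1)] is None:      # global default, lowest precedence
            result[m.group(1)] = int(m.group(2))
        m = MAP_RE.match(line)
        if m:                                     # crypto-map value always wins
            result[m.group(1)] = int(m.group(2))
        if PFS_RE.match(line):
            result["pfs"] = True
    return result


def rekey_interval_seconds(kilobytes: int, seconds: int, throughput_mbps: float) -> float:
    """Seconds between rekeys: whichever of the volume or time limit is reached first.
    Assumes 1 kilobyte = 1024 bytes for the volume lifetime."""
    volume_bits = kilobytes * 1024 * 8
    by_volume = volume_bits / (throughput_mbps * 1_000_000)
    return min(by_volume, seconds)


if __name__ == "__main__":
    sa = parse_sa_lifetimes(ASA_CONFIG)
    print(f"effective lifetimes: {sa}")
    for mbps in (200, 250, 450):
        every = rekey_interval_seconds(sa["kilobytes"], sa["seconds"], mbps)
        pfs = " (+ group 2 DH, PFS set)" if sa["pfs"] else ""
        print(f"at {mbps} Mbps the SA rekeys every {every:.0f} s{pfs}")
```

At the posted 4608000KB limit the SA rekeys roughly every 2.5 minutes at 250Mbps and every 1.4 minutes at 450Mbps, so the volume lifetime, not the 28800-second timer, governs rekeying on this link.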