Cisco Support Community
Community Member

Slow ASA to ASA VPN throughput

I have a customer with a VPN network of ASA5505s running 8.4.x. The Internet circuits are all 100Mb lines and the units have full licences with oodles of memory.

If you do a rsync file copy between two sites performance is about 4-8Mb/s over the VPN. But if you do the rsync from the same local server to the same remote server but over a port forwarded SSH connection (so it is outside of the VPN) then the throughput is 70-80Mb/s (the lines are very lightly loaded).

Same ASAs, same local machines. There is lots of CPU and memory spare in the ASAs when the tests are running. The only difference I can see is that the slow transfer occurs in the VPN tunnel. 

There are no physical interface errors, no VPN crypto accelerator listed errors.

Even though I could ping without issue at 1380 bytes (and smaller) outside of the VPN tunnel to the remote ASA I still thought it might be an MTU issue across the VPN but altering 'sysopt tcpmss' makes no difference, nor does fiddling with 'crypto ipsec fragmentation'.

There is nothing listed as a relevant bug on the Cisco TAC website.

Anyone else have any suggestions?

Community Member

Have you tried to use an L3 device prior to the ASA5505 that would probably do the fragmentation? Or probably set the ip tcp adjust-mss on the L3 device prior to the ASA? According to the data sheet, it can do 100M 3DES but still depending on the VPN traffic pattern. I just wonder, the ISP is 100M but the ASA is just 5505?
Community Member

Clearly it can do 80Mb throughput if not encrypted, and even if it only does 40-50Mb throughput for VPN that would be better than 8Mb.

This is using AES rather than 3DES - but the limiting factor doesn't appear to be the algorithm because there is CPU to spare (it never gets above 18%).
