Slow/lost packets over IPSEC VPN to ASA5505. Ideas?
I've read a few different posts about similar issues, but most of them do not really recommend any solutions.
- I have an ASA5505 setup at a data center in front of a few servers.
- I am successfully making a VPN tunnel to the ASA from my remote location using the Cisco VPN client.
- I also tried the Shrew VPN client and it's working as well.
- I remotely work from a few different locations which use different ISPs (e.g. Rogers Cable, Bell DSL, Allstream, etc.)
- I generally remote desktop from my Windows 7 laptop into the Windows 2008 servers at the data center and work on the servers.
- We have anywhere from 1 - 3 VPN tunnels going at a time from different people's laptops (1-3 different people are working).
- All laptops are having problems keeping the remote desktop (RDP) session up. RDP drops frequently, and at random times. Sometimes 2 minutes, sometimes 1 hour, etc.
- I ran an extended ping test from my laptop to the remote server and I am getting about 3-5% packet loss. Not consistent, but I can see every few minutes 5-10 packets are dropped. I'm sure these dropped packets are causing RDP to drop.
- The VPN connection usually stays up (I don't have to log in again), and sometimes the RDP session re-connects itself after a couple of tries.
- I am also getting copy speeds of about 300-400 KB/s from my laptop to the server over the tunnel. Seems awfully slow for an ASA5505.
Any ideas on how I can troubleshoot this?
- I tried reducing the MTU on the ASA device Outside interface (from 1500 to 1300) but it doesn't seem to have any effect.
- I am pretty sure the Cisco VPN client is using an MTU of 1300 because I used the Cisco SetMTU utility.
- I have the ASA interfaces set to auto/auto.
I generally use ASDM to administer the device, but I go into CLI when I have to.
I've asked an experienced system administrator to help me out but he doesn't have any other ideas. I can engage him if there are some advanced settings I need to change.
Are there any other tests I can do to narrow down where the problem might be?
Is a packet trace with wireshark my only option at this point?
Do you have any thoughts on what specific settings I should be looking at?