Slow transfer speed over VPN connection

t3ntman0619
Level 1

Hello,

Recently I set up an SSL VPN to connect to my parent's home network. I have some computers there, and want to try to transfer files between my computer and the one at my parent's. Over the VPN connection, I only get 128kb/s. On both ends, they are 15Mbps connections, and can support internal copies of 4 megs/s. I feel like I should get a better speed than that. I looked around, and people suggested changing the MTU. I have changed the MTU around, and not noticed any increase in the network speed over the VPN. Currently the MTU is at 1500. Below is a copy of my running config. Anything I'm overlooking, or is this speed normal? Sorry, still relatively new to the ASA 5505.

ASA Version 8.2(5)
!
hostname HardmanASA
enable password #####
passwd ###### encrypted
names
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.250.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
access-list nat_0 extended permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list split_tunnel standard permit 192.168.250.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nat_0
nat (inside) 10 192.168.250.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.250.0 255.255.255.0 inside
http 192.168.251.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.250.0 255.255.255.0 inside
ssh 192.168.251.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.250.20-192.168.250.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
username ###### password ###### encrypted
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_Pool
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74fc2287573841a837e97887840a2d91
: end

6 Replies

andduart
Level 1

Hi,

In this case it should be necessary to enable DTLS. DTLS uses UDP, avoids latency and increases bandwidth. If UDP is blocked, the SSL connection will fall back to regular TLS. You can enable it in ASDM by checking it in the interface:

Configuration / remote access / network client access / ssl connection profile

Regards,




Sent from Cisco Technical Support iPhone App

I just enabled DTLS on both the inside and outside interfaces with no noticeable changes in transfer speed. Any other suggestions?

andduart
Level 1

Hi,

Another option is the use of the compression command. This is usually enabled by default, but maybe you can enter it since it is not shown in the running config. The command is compression svc.

Note: The command helps when we have low bandwidth connections. The command reduces the size of the packets; for broadband connections this can decrease regular performance.

Regards,

Sent from Cisco Technical Support iPhone App

Thanks for the suggestion. After trying the "compression svc" command, I didn't notice any speed increase unfortunately.

leppikallio
Level 1

Hi,

This may be the most stupid question ever, but have you verified the connection speeds from your parents' network behind the ASA5505 to the Internet? Also, a more up-to-date version of ASA software wouldn't hurt either.

I have verified that each network has 15Mbps via speedtest.net. Don't you have to have a Cisco premium license to receive upgrades? I just bought this on Amazon, so if I can get free upgrades, I'll definitely go that route.