We have been facing a tunnel throughput issue on one of our GRE over IPSec tunnels. Actually the internet bandwidth at site A is 25mbps and at site B is 8mbps. Still, when the user performs a throughput test it never goes beyond 1.8 - 2 mbps. When he does the same test without the VPN he gets a handsome 7-8mbps download speed. These tunnels are created with the LAN IPs as the source and destination (vice versa on both the routers).
ip address 10.74.252.42 255.255.255.252
keepalive 5 3
tunnel source 10.72.16.254
tunnel destination 10.74.36.100
crypto map vpn
description ***Tunnel to Alpharetta***
ip address 10.74.252.41 255.255.255.252
ip route-cache flow
keepalive 10 3
tunnel source 10.74.36.100
tunnel destination 10.72.16.254
crypto map vpn
Please let me know the possible reasons and/or how to troubleshoot it further. I will provide further information as per your requests.
It's an issue of tunnels fragmenting the packets which go above the ip mtu, which is 1476 bytes, and IPsec adds another 58-74 bytes depending on the encryption you use. So the total packet size would come down to roughly 1400 bytes, which means your actual data (payload) will be 1360 bytes. As you can see, that's a significant drop in terms of throughput.
You can see the fragmentation issue by typing the command "sh ip traffic | i frag". That should give you a good hint of how many packets are getting fragmented.
The way to counter this is to set the ip mtu on the tunnel interface to 1400 bytes. This is the recommended one, if you will. You can lower it if you want as well. You can combine it with "ip tcp adjust-mss".
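The overhead arithmetic behind the answer above, as an added example that is not part of the original thread: it computes the on-wire size of a GRE packet after ESP encapsulation, including cipher-block padding, to show which tunnel ip mtu values fit a given link. ESP tunnel mode, the 1500-byte link MTU and the cipher table are assumptions, since the thread does not say which transform set is in use.

```python
# Added example: sizes a GRE-over-IPsec packet on the wire (ESP tunnel mode assumed).
IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # basic GRE header, no key/sequence options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
TCP_HDR = 20      # TCP header without options

# cipher name -> (block size, IV size) in bytes; constructed table for illustration
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}
# integrity algorithm -> truncated ICV size in bytes
ICV = {"md5-96": 12, "sha1-96": 12}


def wire_size(inner_len, cipher, auth):
    """Size of the outer IP packet for an inner packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    gre_packet = inner_len + GRE_HDR + IP_HDR          # GRE delivery packet
    plaintext = gre_packet + ESP_TRAILER               # what ESP encrypts
    padded = -(-plaintext // block) * block            # round up to cipher block
    return IP_HDR + ESP_HDR + iv + padded + ICV[auth]


def max_tunnel_mtu(link_mtu, cipher, auth):
    """Largest inner packet that still fits in link_mtu after GRE + ESP."""
    size = link_mtu
    while size > 0 and wire_size(size, cipher, auth) > link_mtu:
        size -= 1
    return size


def tcp_mss(ip_mtu):
    """MSS that keeps a full TCP segment within ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mtu in (1476, 1400):
        for cipher in CIPHERS:
            total = wire_size(mtu, cipher, "sha1-96")
            verdict = "fragments" if total > 1500 else "fits"
            print(f"ip mtu {mtu} {cipher}: {total} bytes on the wire, {verdict}")
    print("adjust-mss for ip mtu 1400:", tcp_mss(1400))
```

On a router, compare the result with the fragmentation counters from "sh ip traffic | i frag" before and after changing the tunnel ip mtu.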