ciscojose
asked on
CISCO IPSEC VPN - Very Slow - MTU ISSUE - ASA to 877 router
I have just created a site to site VPN between one of our remote site and the ASA FW in the main site. But the VPN is very slow. The remote site is on a ADSL+ connection and has 2 mb average download and upload speed. All other remote sites with similar ADSL connections are working fine.
This is my first VPN and 877 configuration. So please some one help me to get this issue sorted. Please find the remote site config given below
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-RT-01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ********************
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.25.1.1 172.25.1.30
!
ip dhcp pool CLIENT
import all
network 172.25.1.0 255.255.255.0
default-router 172.25.1.1
dns-server 192.168.20.1 192.168.20.2
lease 2
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address *********
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *********
set peer **********
set transform-set ESP-3DES-SHA1
match address 102
!
archive
log config
hidekeys
!
!
vlan 10
name Data
!
ip tcp mss 1400
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport mode trunk
duplex full
speed 100
!
interface Vlan1
ip address 172.25.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec df-bit clear
!
interface Dialer0
ip address negotiated
ip mtu 1438
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname C*****@hg28.btclick.com
ppp chap password 0 *******
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.25.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 172.25.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler max-task-time 5000
end
This is my first VPN and 877 configuration. So please some one help me to get this issue sorted. Please find the remote site config given below
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-RT-01
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ********************
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.25.1.1 172.25.1.30
!
ip dhcp pool CLIENT
import all
network 172.25.1.0 255.255.255.0
default-router 172.25.1.1
dns-server 192.168.20.1 192.168.20.2
lease 2
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address *********
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *********
set peer **********
set transform-set ESP-3DES-SHA1
match address 102
!
archive
log config
hidekeys
!
!
vlan 10
name Data
!
ip tcp mss 1400
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport mode trunk
duplex full
speed 100
!
interface Vlan1
ip address 172.25.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec df-bit clear
!
interface Dialer0
ip address negotiated
ip mtu 1438
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1400
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname C*****@hg28.btclick.com
ppp chap password 0 *******
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.25.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 172.25.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.25.1.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler max-task-time 5000
end
ASKER
Hi Many Thanks for your quick reply.
The latency to the hosts such as the file server and the domain server are below 50 msat all the times. But there are severe packet drops in the ping tests, at leat one in every 10 packets.
The MTU set on the ASA is 1500 and No specific MTU configuration on the other similar remote sites with similar ADSL connection and router.
"May want to bring down your Ethernet on the Cisco Router outside interface to match it"? Can you please explin.
The latency to the hosts such as the file server and the domain server are below 50 msat all the times. But there are severe packet drops in the ping tests, at leat one in every 10 packets.
The MTU set on the ASA is 1500 and No specific MTU configuration on the other similar remote sites with similar ADSL connection and router.
"May want to bring down your Ethernet on the Cisco Router outside interface to match it"? Can you please explin.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The issue was basically with the ADSL as the interface was flapping. It's been sorted and it is working fine now.
Eventhough the above solutions really helped me to improve the performance
Eventhough the above solutions really helped me to improve the performance
What is the MTU on the DSL? May want to bring down your Ethernet on the Cisco Router outside interface to match it - and ensure the MSS ADJUST setting that is on your Dialer interface has a setting smaller than the MTU on the outside.
(MTU on DSL ROUTER) - 56 bytes - 28 bytes = MSS ADJUST setting to use on the ethernet interface (on the inside).
Having a reduced MSS will allow the TCP segments from INSIDE your remote office to allow for the VPN router to apply GRE + IPSec overhead without buffering.
-D