CISCO IPSEC VPN - Very Slow - MTU ISSUE - ASA to 877 router

I have just created a site-to-site VPN between one of our remote sites and the ASA firewall at the main site. But the VPN is very slow. The remote site is on an ADSL+ connection and has 2 Mb average download and upload speed. All other remote sites with similar ADSL connections are working fine.

This is my first VPN and 877 configuration. So please, someone help me get this issue sorted. Please find the remote site config below.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname VPN-RT-01
no logging buffered
enable secret 5 ********************
no aaa new-model
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool CLIENT
   import all
   lease 2


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********** address *********
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to  *********
 set peer **********
 set transform-set ESP-3DES-SHA1
 match address 102
 log config
vlan 10
 name Data
ip tcp mss 1400
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
 switchport mode trunk
 duplex full
 speed 100
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
 crypto ipsec df-bit clear
interface Dialer0
 ip address negotiated
 ip mtu 1438
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname C*****
 ppp chap password 0 *******
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
ip forward-protocol nd
ip route Dialer0
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip
access-list 101 permit ip any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 101
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet
scheduler max-task-time 5000


From router to router (outside interface to outside interface) participating in the VPN, what is the latency across the path? If latency is high, your issue may be unrelated to anything VPN.

What is the MTU on the DSL? You may want to bring down your Ethernet MTU on the Cisco router's outside interface to match it, and ensure the MSS adjust setting on your Dialer interface is smaller than the MTU on the outside.

(MTU on DSL router) - 56 bytes - 28 bytes = MSS adjust setting to use on the Ethernet interface (on the inside).

Having a reduced MSS will allow the TCP segments from inside your remote office to leave room for the VPN router to apply GRE + IPsec overhead without buffering.

ciscojose (Author) commented:
Hi, many thanks for your quick reply.

The latency to hosts such as the file server and the domain server is below 50 ms at all times. But there are severe packet drops in the ping tests, at least one in every 10 packets.

The MTU set on the ASA is 1500, and there is no specific MTU configuration on the other similar remote sites with similar ADSL connections and routers.

"May want to bring down your Ethernet on the Cisco Router outside interface to match it"? Can you please explain.
The MTU on most DSL lines is 1492. With the MTU at 1500 on the outside interface, the DSL router drops frames larger than that.

In the router/CPE equipment, if you drop the MTU to, say, 1480, then that will ensure the segments/frames are always smaller than what the DSL requires.

Using the adjust-mss command (as applied to your dialer interface) on the inside Ethernet interface facing your users, you can ensure that the frames are always segmented by the end nodes (the workstations/servers) and are small enough (say ip tcp adjust-mss 1360) that the GRE/IP overhead will not push the outside frame beyond the 1492 MTU required by the DSL provider.

Many DSL routers, and Linksys/D-Link routers, etc., have the MTU set smaller out of the box on purpose for this reason.

You can do an extended ping in enable mode on the Cisco. Source it from the inside interface and provide a destination on the other end of your GRE/IPsec tunnel. When setting options in the ping, ensure the DF bit is set. See if those pings even make it through. If they drop, you will want to reduce the MTU/add the MSS command.

If ICMP packets of 64 bytes are dropping, you are hitting a buffering issue of some kind; perhaps the DSL modem or ISP line is dirty.

There are websites out there (speedtest, speakeasy and others) where you can verify your line quality. Check the tools section for much of this.

As well, if you have two PCs on either side to work with:

There is a very nice tool called iperf.exe that you can run on Windows / compile on Linux. This allows you to test throughput while adjusting your TCP window and UDP buffer sizes.

With the right window size configured (using the bandwidth/delay calculators) you should be able to max your throughput across what the ISP says they offer you.
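As an added example (not code from the thread), the following Python works out the on-the-wire size of a TCP segment after ESP tunnel-mode encapsulation and the largest MSS that still fits the outer-interface MTU, using the 3DES/SHA-1 transform set from the posted config. It assumes IPv4 without options, ESP per RFC 4303 with no NAT-T unless the nat_t flag is set, and the dialer's IP MTU (the 1438 in the config, or the 1492 mentioned above) as the limit; the function names are my own.

```python
"""ESP tunnel-mode overhead calculator for the MTU/MSS discussion above.
Added example, not code from the thread. Assumes ESP with 3DES-CBC
(8-byte IV, 8-byte block) and HMAC-SHA1-96 (12-byte ICV), matching the
ESP-3DES-SHA transform set in the posted config."""

IP_HDR = 20        # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_IV = 8         # 3DES-CBC initialisation vector
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
ESP_BLOCK = 8      # 3DES block size: payload + trailer padded to this
UDP_HDR = 8        # only when ESP is wrapped in UDP for NAT traversal


def esp_packet_size(mss: int, nat_t: bool = False) -> int:
    """Outer IP packet size of one full-sized TCP segment after ESP
    tunnel-mode encapsulation (link-layer framing excluded)."""
    inner = IP_HDR + TCP_HDR + mss          # the cleartext IP packet
    body = inner + ESP_TRAILER              # plus pad length / next header
    body += (-body) % ESP_BLOCK             # pad up to the cipher block size
    esp = ESP_SPI_SEQ + ESP_IV + body + ESP_ICV
    return IP_HDR + (UDP_HDR if nat_t else 0) + esp


def fits(mss: int, outer_mtu: int, nat_t: bool = False) -> bool:
    """True if a segment of this MSS is not fragmented after encryption
    (or dropped, when DF is copied and 'df-bit clear' is not configured)."""
    return esp_packet_size(mss, nat_t) <= outer_mtu


def max_mss(outer_mtu: int, nat_t: bool = False) -> int:
    """Largest MSS whose encrypted packet still fits the outer MTU.
    esp_packet_size() grows with mss, so stepping down from the
    no-encryption bound finds the answer."""
    mss = outer_mtu - IP_HDR - TCP_HDR      # upper bound: no ESP at all
    while not fits(mss, outer_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    # Values from the thread: dialer 'ip mtu 1438' with 'adjust-mss 1400',
    # and the suggested 1492 DSL MTU with 'adjust-mss 1360'.
    for mss, mtu in ((1400, 1438), (1400, 1492), (1360, 1492)):
        print(f"mss {mss} / mtu {mtu}: wire {esp_packet_size(mss)} bytes,"
              f" fits={fits(mss, mtu)}, max mss={max_mss(mtu)}")
```

With these overheads an MSS of 1400 produces a 1496-byte outer packet, which exceeds both the 1438 dialer MTU in the config and a 1492 DSL MTU, while the suggested 1360 fits comfortably.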


Also FYI, the 877 does not have much CPU power. While transmitting traffic, have you checked the CPU usage on the 877 ("show proc cpu")? That could be the limiting factor. If you want to do more than 1-3 Mbit of traffic, I would replace the 877 with something else. Put the 877 in bridge mode and put an ASA 5505 behind it to terminate the VPN tunnel.
ciscojose (Author) commented:
The issue was basically with the ADSL, as the interface was flapping. It's been sorted and it is working fine now.

Even though, the above solutions really helped me to improve the performance.