Cisco ASA 5505 - Slow VPN Tunnels

Posted on 2013-11-19
Last Modified: 2014-06-06
I have an L2L tunnel between (2) Cisco ASA 5505's.  They are running ios v8.25 and the VPN attributes are:

3DES-MD5-HMAC, Group2, Lifetime 86400, tcp-mss default of 1380

Both systems speedtest out correctly.

Everything negotiates fine and I get a Main Mode tunnel that never drops or has issues...

I have a 50 MB Synchronous connection on one side and a 10MB Synchronous connection on the other side.  When I do speed testing with IPERF in server mode on one side, client mode on another, I get disappointing results and I'm not sure if I'm just measuring in the wrong units (Mbit vs mbit, Meg/s vs M/s) or if this is VASTLY underperforming.  Here's what I do, and here's what I get:

On the client side, I connect IPERF using port 20000 with command:
iperf -c [] -L 20000 -d -f m

On the server side, I run default:
iperf -s

my results are:
On Client:

Client connecting to [server IP], TCP port 5001
TCP window size: 0.06 MByte (default)
[404] local [client.ip] port 60701 connected with [server IP] port 5001
[420] local [client.ip] port 20000 connected with [server IP] port 5906
[ ID] Interval       Transfer     Bandwidth
[404]  0.0-10.1 sec  5.66 MBytes  4.70 Mbits/sec
[420]  0.0- 9.9 sec  28.9 Mbits  2.91 Mbits/sec

On Server:

Client connecting to [Client.IP], TCP port 20000
TCP window size: 64.0 KByte (default)
[  5] local [server IP] port 59065 connected with [Client.IP] port 20000
[  4]  0.0-10.0 sec  5.66 MBytes  4.75 Mbits/sec
[  5]  0.0-10.0 sec  4.00 GBytes  3.43 Gbits/sec

Am I getting what you'd expect when the remote end is a 10MB internet connection?  Or is this bad throughput?  I had hoped for more.  I tried dropping 3DES to single DES and the results were almost identical (ever so slightly better, not a huge difference at all).

Thoughts ?
Question by:jkeegan123
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 250 total points
ID: 39661789
Hi jkeegan123,

Reducing the MTU size can help eliminate some connectivity problems occurring at the protocol level. Here is an article that explains how to get the correct MTU value:

Also, I'd upgrade the firmware if possible.
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39663932
And also update to the latest version. This can also cause a performance increase!
LVL 28

Accepted Solution

asavener earned 250 total points
ID: 39669531
I would suggest leaving the MTU size alone, but setting the maximum segment size to an appropriate value.  You can find the appropriate value empirically by changing the setting and then running your speed test.

The default maximum segment size is 1380 on the ASA.  You can try higher and lower values to see how you're doing...

sysopt connection tcpmss <bytes>
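
To narrow the range of values worth trying in the answer above, this added example (not part of the thread) computes the on-wire size of an ESP tunnel-mode packet for the 3DES/HMAC-MD5 transform set from the question and reports whether a given MSS fits the link MTU. It assumes IPv4, a 1500-byte link MTU by default, and NAT-T off unless requested; all function names are illustrative.

```python
import math

# Per-packet costs for ESP tunnel mode with 3DES-CBC and HMAC-MD5-96 (IPv4)
OUTER_IP = 20       # new outer IPv4 header
ESP_HEADER = 8      # SPI + sequence number
IV_3DES = 8         # 3DES-CBC initialisation vector
BLOCK_3DES = 8      # plaintext is padded to a multiple of the block size
ESP_TRAILER = 2     # pad-length and next-header bytes (encrypted)
ICV_MD5_96 = 12     # truncated HMAC-MD5 integrity check value
NAT_T_UDP = 8       # UDP encapsulation, only when NAT-T is in use
INNER_HEADERS = 40  # inner IPv4 (20) + TCP (20); TCP options come out of the MSS

def esp_packet_size(mss, nat_t=False):
    """On-wire bytes for one full-sized TCP segment after ESP encapsulation."""
    inner = mss + INNER_HEADERS
    encrypted = math.ceil((inner + ESP_TRAILER) / BLOCK_3DES) * BLOCK_3DES
    size = OUTER_IP + ESP_HEADER + IV_3DES + encrypted + ICV_MD5_96
    return size + (NAT_T_UDP if nat_t else 0)

def fits(mss, link_mtu=1500, nat_t=False):
    """True if the encapsulated packet is not fragmented on the link."""
    return esp_packet_size(mss, nat_t) <= link_mtu

def max_mss(link_mtu=1500, nat_t=False):
    """Largest MSS whose encapsulated packet still fits link_mtu."""
    for mss in range(link_mtu - INNER_HEADERS, 0, -1):
        if fits(mss, link_mtu, nat_t):
            return mss
    return None

def report(candidates, link_mtu=1500, nat_t=False):
    """(mss, wire_size, verdict) for each candidate tcpmss value."""
    return [(m, esp_packet_size(m, nat_t),
             "ok" if fits(m, link_mtu, nat_t) else "fragments")
            for m in candidates]

if __name__ == "__main__":
    # Constructed candidate values: ASA default, the computed ceiling, plain-Ethernet MSS
    for mss, size, verdict in report([1380, 1406, 1460]):
        print(f"tcpmss {mss}: {size} bytes on the wire -> {verdict}")
    print("max MSS, 1500 MTU:", max_mss())
    print("max MSS, 1500 MTU with NAT-T:", max_mss(nat_t=True))
    print("max MSS, 1492 MTU (PPPoE):", max_mss(1492))
```

With these assumptions the ASA default of 1380 produces 1472-byte packets, so it already fits a 1500-byte path with some headroom, while values above the computed ceiling force fragmentation of every full-sized segment.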

Author Comment

ID: 39671368
It is at 1380, I adjusted it upwards and it got worse, downwards did not have much effect. I also changed the vpn df bit setting with no results (from copy to delete, I'm operating from memory), and it's currently still at the changed setting, and that was without negative or positive effect.

By the way, I am testing throughput with iperf with one setting as client and one running as server, and the results are consistently between 3 and 5M.
LVL 28

Expert Comment

ID: 39671465
You only see the poor results at a certain time of day?

Is this a production network, with other network traffic on the ASAs?

If so, it sounds like network congestion.

Author Comment

ID: 39671472
No, all the time, even off hours.
LVL 28

Expert Comment

ID: 39671696
You might also try performing multiple simultaneous transfers.

Also, have you performed speed tests at both sites to verify you're getting the promised bandwidth?

Author Comment

ID: 39671712
Bandwidth confirmed with Speedtest.net
LVL 25

Expert Comment

by:Diverse IT
ID: 39760165

Assisted Solution

jkeegan123 earned 0 total points
ID: 39800671
It turns out that IPERF was not reading correctly during testing of bandwidth.  No matter what we did, the same rate was obtained.  Once we tested with something else, we realized that IPERF was the problem.  The VPN was still slow, but not as slow as we thought, and the things that we were doing to fix it WERE having an effect (usually positive) on the speed of the link.

Bandwidth Testing:  We used PCAUSA Test TCP (PCATTCP) on both ends, similar to the way that IPERF is used.  This utility was much easier to understand, and we actually received the results that we were trying so hard to get from IPERF.  It can be found at:

In the end, we ended up moving the VPN to PEPLINK hardware and making use of their aggregated VPN service.  On both sides of the VPN, we added an additional broadband provider to the PEPLINK BALANCE 210 appliance.  These can host up to (2) ISPs, but they have appliances that will host more.  Once we installed the multiple ISPs, we set up a SPEED FUSION VPN, which is Peplink's proprietary AES-256 strength VPN that can aggregate up to 30MB on the Balance 210 appliance.  We actually got 20MB on a VPN where we were averaging 3-5MB on a Cisco ASA.

Author Closing Comment

ID: 39876301
summary in my post is valid
