jkeegan123
asked on
Cisco ASA 5505 - Slow VPN Tunnels
I have an L2L tunnel between (2) Cisco ASA 5505's. They are running ios v8.25 and the VPN attributes are:
3DES-MD5-HMAC, Group2, Lifetime 86400, tcp-mss default of 1380
Both systems speedtest out correctly.
Everything negotiates fine and I get a Main Mode tunnel that never drops or has issues...
I have a 50 MB Synchronous connection on one side and a 10MB Synchronous connection on the other side. When I do speed testing with IPERF in server mode on one side, client mode on another, I get disappointing results and I'm not sure if I'm just measuring in the wrong units (Mbit vs mbit, Meg/s vs M/s) or if this is VASTLY underperforming. Here's what I do, and here's what I get:
On the client side, I connect IPERF using port 20000 with command:
iperf -c [server.ip.goes.here] -L 20000 -d -f m
On the server side, I run default:
iperf -s
my results are:
On Client:
Client connecting to [server IP], TCP port 5001
TCP window size: 0.06 MByte (default)
------------------------------------------------------------
[404] local [client.ip] port 60701 connected with [server IP] port 5001
[420] local [client.ip] port 20000 connected with [server IP] port 5906
[ ID] Interval Transfer Bandwidth
[404] 0.0-10.1 sec 5.66 MBytes 4.70 Mbits/sec
[420] 0.0- 9.9 sec 28.9 Mbits 2.91 Mbits/sec
On Server:
Client connecting to [Client.IP], TCP port 20000
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[ 5] local [server IP] port 59065 connected with [Client.IP] port 20000
[ 4] 0.0-10.0 sec 5.66 MBytes 4.75 Mbits/sec
[ 5] 0.0-10.0 sec 4.00 GBytes 3.43 Gbits/sec
Am I getting what you'd expect when the remote end is a 10MB internet connection? Or is this bad throughput? I had hoped for more. I tried dropping 3DES to single DES and the results were almost identical (ever so slightly better, not a huge difference at all).
Thoughts ?
And also update to the latest version. This can also cause performance increase!
ASKER
It is at 1380. I adjusted it upwards and it got worse; downwards did not have much effect. I also changed the VPN DF bit setting with no results (from copy to delete, I'm operating from memory), and it's currently still at the changed setting, and that was without negative or positive effect.
By the way, I am testing throughput with iperf with one setting as client and one running as server, and the results are consistently between 3 and 5M.
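Added example, not part of the original thread: the arithmetic behind the tcp-mss value discussed above, for the 3DES/MD5 transform set the asker lists. It assumes ESP tunnel mode over IPv4, a 1500-byte path MTU and no TCP options; the function and table names are illustrative.

```python
# Added example: largest TCP MSS that fits in one ESP tunnel-mode packet.
# Assumptions: IPv4, no IP/TCP options, path MTU supplied by the caller.

IP_HDR = 20       # outer and inner IPv4 header
TCP_HDR = 20
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
UDP_NATT = 8      # extra UDP header when NAT-T is in use

# cipher -> (block size, IV length); auth -> truncated ICV length
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes-cbc": (16, 16)}
AUTHS = {"md5-hmac": 12, "sha-hmac": 12}   # HMAC-MD5-96 / HMAC-SHA1-96


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    block, iv = CIPHERS[cipher]
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    outer = IP_HDR + (UDP_NATT if nat_t else 0)
    return outer + ESP_HDR + iv + padded + AUTHS[auth]


def max_mss(path_mtu, cipher, auth, nat_t=False):
    """Largest MSS whose full-size segment still fits in path_mtu once encrypted."""
    for inner in range(path_mtu, IP_HDR + TCP_HDR, -1):
        if esp_packet_size(inner, cipher, auth, nat_t) <= path_mtu:
            return inner - IP_HDR - TCP_HDR
    raise ValueError("path MTU too small for this transform set")


def fragments(mss, path_mtu, cipher, auth, nat_t=False):
    """True if a full segment at this MSS exceeds the path MTU after ESP."""
    inner = mss + IP_HDR + TCP_HDR
    return esp_packet_size(inner, cipher, auth, nat_t) > path_mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        print("NAT-T" if nat_t else "plain ESP",
              "max MSS:", max_mss(1500, "3des", "md5-hmac", nat_t))
    for mss in (1380, 1406, 1420, 1460):
        print(mss, "fragments" if fragments(mss, 1500, "3des", "md5-hmac")
              else "fits")
```

Under these assumptions the ceiling is 1406 bytes (1398 with NAT-T), so the 1380 default already fits in a single ESP packet, while any value above the ceiling makes every full-size segment exceed the path MTU once encrypted.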
You only see the poor results at a certain time of day?
Is this a production network, with other network traffic on the ASAs?
If so, it sounds like network congestion.
ASKER
No, all the time, even off hours.
You might also try performing multiple simultaneous transfers.
Also, have you performed speed tests at both sites to verify you're getting the promised bandwidth?
ASKER
Bandwidth confirmed with speed test. Net
Did you try changing the MTU here: https://www.experts-exchange.com/A_12615-Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html
ASKER
summary in my post is valid