Solved

Cisco ASA 5505 - Slow VPN Tunnels

Posted on 2013-11-19
11
3,641 Views
Last Modified: 2014-06-06
I have an L2L tunnel between (2) Cisco ASA 5505's.  They are running ios v8.25 and the VPN attributes are:

3DES-MD5-HMAC, Group2, Lifetime 86400, tcp-mss default of 1380

Both systems speedtest out correctly.

Everything negotiates fine and I get a Main Mode tunnel that never drops or has issues...

I have a 50 MB Synchronous connection on one side and a 10MB Synchronous connection on the other side.  When I do speed testing with IPERF in server mode on one side, client mode on another, I get disappointing results and I'm not sure if I'm just measuring in the wrong units (Mbit vs mbit, Meg/s vs M/s) or if this is VASTLY underperforming.  Here's what I do, and here's what I get:

On the client side, I connect IPERF using port 20000 with command:
iperf -c [server.ip.goes.here] -L 20000 -d -f m

On the server side, I run default:
iperf -s

my results are:
On Client:

Client connecting to [server IP], TCP port 5001
TCP window size: 0.06 MByte (default)
------------------------------------------------------------
[404] local [client.ip] port 60701 connected with [server IP] port 5001
[420] local [client.ip] port 20000 connected with [server IP] port 5906
[ ID] Interval       Transfer     Bandwidth
[404]  0.0-10.1 sec  5.66 MBytes  4.70 Mbits/sec
[420]  0.0- 9.9 sec  28.9 Mbits  2.91 Mbits/sec

On Server:

Client connecting to [Client.IP], TCP port 20000
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  5] local [server IP] port 59065 connected with [Client.IP] port 20000
[  4]  0.0-10.0 sec  5.66 MBytes  4.75 Mbits/sec
[  5]  0.0-10.0 sec  4.00 GBytes  3.43 Gbits/sec

Am I getting what you'd expect when the remote end is a 10MB internet connection?  Or is this bad throughput?  I had hoped for more.  I tried dropping 3DES to single DES and the results were almost identical (ever so slightly better, not a huge difference at all).

Thoughts?
Question by:jkeegan123
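Added example, not part of the thread: a small Python checker for iperf2 summary lines like the ones quoted above, aimed at the units question. It converts each Transfer and Bandwidth figure to bits (assuming iperf2's convention of 1024-based byte units and 1000-based bit units, which the thread's own 5.66 MBytes in 10.1 s = 4.70 Mbits/sec figure is consistent with), recomputes the rate from Transfer/Interval, and flags any stream reported faster than the known link capacity, as the 3.43 Gbits/sec line on a 10 Mbit/s tunnel is.

```python
import re

# Assumed iperf2 convention: byte units (MBytes ...) are 1024-based, bit units (Mbits ...) are 1000-based.
BYTE_UNITS = {"Bytes": 1, "KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}
BIT_UNITS = {"bits": 1, "Kbits": 1000, "Mbits": 1000 ** 2, "Gbits": 1000 ** 3}

# Matches an iperf2 summary line, e.g. "[404]  0.0-10.1 sec  5.66 MBytes  4.70 Mbits/sec"
SUMMARY = re.compile(
    r"\[\s*(?P<id>\d+)\]\s+(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes|[KMG]?bits)\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?bits)/sec")


def parse_iperf_line(line):
    """Return the reported Mbit/s and the Mbit/s recomputed from Transfer/Interval, or None."""
    m = SUMMARY.match(line.strip())
    if not m:
        return None
    xunit = m["xunit"]
    if xunit in BYTE_UNITS:
        transferred_bits = float(m["xfer"]) * BYTE_UNITS[xunit] * 8
    else:
        transferred_bits = float(m["xfer"]) * BIT_UNITS[xunit]
    seconds = float(m["end"]) - float(m["start"])
    return {"id": int(m["id"]), "seconds": seconds,
            "reported_mbps": float(m["bw"]) * BIT_UNITS[m["bunit"]] / 1e6,
            "computed_mbps": transferred_bits / seconds / 1e6}


def check_result(line, link_mbps, tolerance=0.05):
    """'unparsed', 'inconsistent' (Transfer and Bandwidth disagree), 'impossible'
    (faster than the link itself) or 'ok' (believable, even if disappointing)."""
    r = parse_iperf_line(line)
    if r is None:
        return "unparsed"
    if abs(r["reported_mbps"] - r["computed_mbps"]) > tolerance * r["reported_mbps"]:
        return "inconsistent"
    if r["reported_mbps"] > link_mbps:
        return "impossible"
    return "ok"


if __name__ == "__main__":
    # Lines copied from the thread; 10 Mbit/s is the slower end of the tunnel.
    for line in ["[404]  0.0-10.1 sec  5.66 MBytes  4.70 Mbits/sec",
                 "[420]  0.0- 9.9 sec  28.9 Mbits  2.91 Mbits/sec",
                 "[  5]  0.0-10.0 sec  4.00 GBytes  3.43 Gbits/sec"]:
        print(check_result(line, link_mbps=10), line)
```

The two client streams come out as believable (and genuinely slow) numbers, while the server's 3.43 Gbits/sec stream is flagged as impossible for the link, which is the kind of reading the thread later blames on the tool.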
11 Comments
 
LVL 24

Assisted Solution

by:diverseit
diverseit earned 250 total points
Hi jkeegan123,

Reducing the MTU size can help eliminate some connectivity problems occurring at the protocol level. Here is an article that explains how to get the correct MTU value: http://www.experts-exchange.com/A_12615-Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html

Also, I'd upgrade the firmware if possible.
 
LVL 12

Expert Comment

by:Henk van Achterberg
And also update to the latest version. This can also cause performance increase!
 
LVL 28

Accepted Solution

by:asavener
asavener earned 250 total points
I would suggest leaving the MTU size alone, but setting the maximum segment size to an appropriate value.  You can find the appropriate value empirically by changing the setting and then running your speed test.

default maximum segment size is 1380 on the ASA.  You can try higher and lower values to see how you're doing...

sysopt connection tcpmss <bytes>
 
LVL 5

Author Comment

by:jkeegan123
It is at 1380, I adjusted it upwards and it got worse, downwards did not have much effect. I also changed the vpn df bit setting with no results (from copy to delete, I'm operating from memory), and it's currently still at the changed setting, and that was without negative or positive effect.

By the way, I am testing throughput with iperf with one setting as client and one running as server, and the results are consistently between 3 and 5M.
 
LVL 28

Expert Comment

by:asavener
You only see the poor results at a certain time of day?

Is this a production network, with other network traffic on the ASAs?

If so, it sounds like network congestion.
 
LVL 5

Author Comment

by:jkeegan123
No, all the time, even off hours.
 
LVL 28

Expert Comment

by:asavener
You might also try performing multiple simultaneous transfers.

Also, have you performed speed tests at both sites to verify you're getting the promised bandwidth?
 
LVL 5

Author Comment

by:jkeegan123
Bandwidth confirmed with speed test. Net
 
LVL 24

Expert Comment

by:diverseit
 
LVL 5

Assisted Solution

by:jkeegan123
jkeegan123 earned 0 total points
It turns out that IPERF was not reading correctly during testing of bandwidth.  No matter what we did, the same rate was obtained.  Once we tested with something else, we realized that IPERF was the problem.  The VPN was still slow, but not as slow as we thought, and the things that we were doing to fix it WERE having an effect (usually positive) on the speed of the link.

Bandwidth Testing:  We used PCAUSA Test TCP (PCATTCP) on both ends, similar to the way that IPERF is used.  This utility was much easier to understand, and we actually received the results that we were trying so hard to get from IPERF.  It can be found at:  http://www.pcausa.com/Utilities/utilities.htm

In the end, we ended up moving the VPN to PEPLINK hardware (www.peplink.com) and making use of their aggregated VPN service.  On both sides of the VPN, we added an additional broadband provider to the PEPLINK BALANCE 210 appliance.  These can host up to (2) ISPs, but they have appliances that will host more.  Once we installed the multiple ISPs, we set up a SPEED FUSION VPN, which is Peplink's proprietary AES-256 strength VPN that can aggregate up to 30MB on the Balance 210 appliance.  We actually got 20MB on a VPN where we were averaging 3-5MB on a Cisco ASA.
 
LVL 5

Author Closing Comment

by:jkeegan123
Summary in my post is valid.