https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40690#M29881 <HTML><HEAD></HEAD><BODY><P>a) No luck with the "Adjust TCP MSS" Option, Running Group 2 and 3DES</P><P>b) I'll look for asymmetrical routes, but have not been able to see any so far....</P><P>c) no QoS applied</P><P>d) Inspection on this traffic was already off</P><P>e) I'll try this and see if it helps <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Thanks for all suggestions so far <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 05 Nov 2013 11:09:10 GMT TJ 2013-11-05T11:09:10Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40683#M29874 <HTML><HEAD></HEAD><BODY><P>One of our customer has a Cisco ASA 5510.</P><P>We have successfully created a IPSec tunnel and traffic flows both ways, but when trying to transfer a file, the speed caps at ~300KB/s, every 4-5 packets is dropped and the latency goes from ~3ms to 90ms.</P><P>Both locations has a 100/100Mbit/s access.</P><P></P><P>Any good ideas? <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Mon, 04 Nov 2013 10:43:26 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40683#M29874 TJ 2013-11-04T10:43:26Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40684#M29875 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>If the vpn is stable, try to reduce the TCP MSS (value like 1420 should be OK) and test again...</P><P></P><P>Regards,</P><P></P><P>HA</P></BODY></HTML> Mon, 04 Nov 2013 14:16:11 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40684#M29875 licenselu 2013-11-04T14:16:11Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40685#M29876 <HTML><HEAD></HEAD><BODY><P>The VPN is stable, but reducing the value to 1420 did not help</P></BODY></HTML> Mon, 04 Nov 2013 14:24:36 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40685#M29876 TJ 2013-11-04T14:24:36Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40686#M29877 <HTML><HEAD></HEAD><BODY><P>What veriosn of PAN do You have?</P><P></P><P>Some people reported on this forum slownest on 5.0.6 and GlobalProtect. Please try to find this topic</P></BODY></HTML> Mon, 04 Nov 2013 14:27:12 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40686#M29877 _slv_ 2013-11-04T14:27:12Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40687#M29878 <HTML><HEAD></HEAD><BODY><P>Have you tried to enable "Adjust TCP MSS" on the untrust interface of the PA. You will find it under the advanced option on the interface.</P></BODY></HTML> Mon, 04 Nov 2013 14:53:39 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40687#M29878 shasnain 2013-11-04T14:53:39Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40688#M29879 <HTML><HEAD></HEAD><BODY><P>Here are a couple of options:</P><P></P><P>a) If the "Adjust TCP MSS" Option, did not work, can you verify what Encryption Standards are being used?</P><P>Group 5 ( Asymmetric Key Encryption ) and AES ( Symmetric key Encryption ) Standards are more CPU extensive than Group-2 or 3DES. Does the performance improve with Group 2 and 3DES?</P><P></P><P>b) Slowness of Transfers across VPN tunnels are usually seen when the ESP packets are either fragmented, or when the packets themselves come out of sequence before they are being encrypted. ( the firewall performs checks for the TCP anomolies before it can encrypt these packets in the ESP headers ). Please check for any asymmetric routing issues.</P><P></P><P>c) Check if there is any QoS applied for the tunnel traffic that might be rate limiting the tunneled traffic.</P><P></P><P>d) Applications like SMB and FTP do not get offloaded to the Hardware offloading chip, and all the packets are subjected to signature checks in the dataplane chips ( for any application shifts). If the client and the server are trusted entities, we can disable server response inspection for the rule permitting this traffic:</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Select 'Options' at the far right of the&nbsp; Security policy &amp; check the option for 'Disable Server Response Inspection'. Commit &amp; attempt your download tests. (Though you could probably give this option a test regardless &amp; compare performance)</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><BR />e) If the performance is still not that great, an alternative to point 'd' is to create a custom app for the SMB and / or FTP traffic, and use it under an app override. With this setting, we bypass the signature check for this traffic, and hence can expect better results. Refer to the below doc for configuring Application override for certain traffic.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1071">https://live.paloaltonetworks.com/docs/DOC-1071</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Hope that helps.</P><P></P><P>BR,</P><P>Karthik RP</P></BODY></HTML> Mon, 04 Nov 2013 16:31:01 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40688#M29879 kprakash 2013-11-04T16:31:01Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40689#M29880 <HTML><HEAD></HEAD><BODY><P>Tried that, no impact</P></BODY></HTML> Tue, 05 Nov 2013 11:06:00 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40689#M29880 TJ 2013-11-05T11:06:00Z https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40690#M29881 <HTML><HEAD></HEAD><BODY><P>a) No luck with the "Adjust TCP MSS" Option, Running Group 2 and 3DES</P><P>b) I'll look for asymmetrical routes, but have not been able to see any so far....</P><P>c) no QoS applied</P><P>d) Inspection on this traffic was already off</P><P>e) I'll try this and see if it helps <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>Thanks for all suggestions so far <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 05 Nov 2013 11:09:10 GMT https://live.paloaltonetworks.com/t5/general-topics/slow-transferspeed-over-ipsec-against-asa5510/m-p/40690#M29881 TJ 2013-11-05T11:09:10Z