Slow transferspeed over IPSec against ASA5510


L1 Bithead

One of our customers has a Cisco ASA 5510.

We have successfully created an IPSec tunnel and traffic flows both ways, but when trying to transfer a file, the speed caps at ~300KB/s, every 4th or 5th packet is dropped, and the latency goes from ~3ms to 90ms.

Both locations have 100/100 Mbit/s access.

Any good ideas? :)


L4 Transporter

Hello,

If the VPN is stable, try to reduce the TCP MSS (a value like 1420 should be OK) and test again...

Regards,

HA

The VPN is stable, but reducing the value to 1420 did not help

L4 Transporter

What version of PAN do you have?

Some people on this forum reported slowness on 5.0.6 and GlobalProtect. Please try to find that topic.

Have you tried enabling "Adjust TCP MSS" on the untrust interface of the PA? You will find it under the advanced options on the interface.

L5 Sessionator

Here are a couple of options:

a) If the "Adjust TCP MSS" option did not work, can you verify what encryption standards are being used?

Group 5 (asymmetric key encryption) and AES (symmetric key encryption) standards are more CPU intensive than Group 2 or 3DES. Does the performance improve with Group 2 and 3DES?

b) Slowness of transfers across VPN tunnels is usually seen when the ESP packets are either fragmented, or when the packets themselves arrive out of sequence before they are encrypted (the firewall performs checks for TCP anomalies before it can encrypt these packets in the ESP headers). Please check for any asymmetric routing issues.

c) Check if there is any QoS applied for the tunnel traffic that might be rate limiting the tunneled traffic.

d) Applications like SMB and FTP do not get offloaded to the hardware offloading chip, and all the packets are subjected to signature checks in the dataplane chips (for any application shifts). If the client and the server are trusted entities, we can disable server response inspection for the rule permitting this traffic:

Select 'Options' at the far right of the security policy and check the option for 'Disable Server Response Inspection'. Commit and attempt your download tests. (Though you could probably give this option a test regardless and compare performance.)


e) If the performance is still not that great, an alternative to point 'd' is to create a custom app for the SMB and/or FTP traffic, and use it under an app override. With this setting, we bypass the signature check for this traffic, and hence can expect better results. Refer to the doc below for configuring application override for certain traffic.

https://live.paloaltonetworks.com/docs/DOC-1071

Hope that helps.

BR,

Karthik RP
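The MSS advice earlier in the thread and point (b) above both come down to one arithmetic question: does a full-size TCP segment, once wrapped in an inner IP header, ESP header, IV, padding, trailer and ICV (plus UDP if NAT-T is in play), still fit the outer path MTU? The calculator below is an added example, not code from the original thread or from Palo Alto Networks. It assumes IPv4 tunnel-mode ESP with the standard IV/ICV/alignment sizes from RFC 4303, RFC 2451 (3DES-CBC), RFC 3602 (AES-CBC) and RFC 4106 (AES-GCM, 16-byte ICV), an outer path MTU of 1500 and no extra encapsulation such as PPPoE; the transform names and the `max_mss`/`fragments` helpers are this example's own.

```python
"""Estimate IPv4 tunnel-mode ESP packet size for a given TCP MSS and find
the largest MSS that avoids post-encryption fragmentation.

Added illustration for the thread above; sizes follow the IPsec RFCs,
everything else (names, 1500-byte path MTU, no PPPoE) is an assumption.
"""

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500), only when nat_t=True
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher -> (IV length, padding alignment). CBC pads to the block size;
# GCM carries an 8-byte IV and only needs 4-byte alignment.
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
    "aes-128-gcm": (8, 4),
}

# integrity transform -> ICV length
INTEGRITY = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "aes-gcm": 16,   # GCM's ICV; the cipher already carries the IV
}


def esp_packet_size(mss, cipher, integ, nat_t=False):
    """Outer IPv4 packet length for one full TCP segment of `mss` bytes."""
    iv_len, align = CIPHERS[cipher]
    icv_len = INTEGRITY[integ]
    inner = IPV4_HDR + TCP_HDR + mss            # the packet being tunnelled
    body = inner + ESP_TRAILER                   # what must be aligned
    padded = body + (-body % align)              # ESP padding to alignment
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len
    return outer


def fragments(mss, cipher, integ, nat_t=False, path_mtu=1500):
    """True if a segment of this MSS would be fragmented after encryption."""
    return esp_packet_size(mss, cipher, integ, nat_t) > path_mtu


def max_mss(cipher, integ, nat_t=False, path_mtu=1500):
    """Largest MSS whose encrypted packet still fits the outer path MTU."""
    for mss in range(path_mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if not fragments(mss, cipher, integ, nat_t, path_mtu):
            return mss
    raise ValueError("no MSS fits this MTU")


if __name__ == "__main__":
    # 3DES + SHA1 as reported later in the thread, no NAT-T: 1420 does not fit.
    for mss in (1420, 1406, 1360):
        print(mss, esp_packet_size(mss, "3des-cbc", "hmac-sha1-96"),
              "fragments" if fragments(mss, "3des-cbc", "hmac-sha1-96") else "ok")
    for cipher, integ, nat in (("3des-cbc", "hmac-sha1-96", False),
                               ("aes-128-cbc", "hmac-sha1-96", True),
                               ("aes-128-gcm", "aes-gcm", False)):
        print(cipher, integ, "nat-t" if nat else "", "max MSS", max_mss(cipher, integ, nat))
```

With 3DES-CBC/HMAC-SHA1 and no NAT-T the largest non-fragmenting MSS is 1406, so an MSS of 1420 still produces 1512-byte ESP packets that must be fragmented somewhere on the path; with AES-128-CBC behind NAT-T the limit drops to 1382. This is why clamping in the 1350-1380 range is the usual starting point, and why the "Adjust TCP MSS" setting is only useful if the value it enforces is below the figure this calculation gives for the actual transform set.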

Tried that, no impact

a) No luck with the "Adjust TCP MSS" option. Running Group 2 and 3DES.

b) I'll look for asymmetrical routes, but have not been able to see any so far....

c) No QoS applied.

d) Inspection on this traffic was already off.

e) I'll try this and see if it helps :)

Thanks for all the suggestions so far :)
