11-04-2013 02:43 AM
One of our customers has a Cisco ASA 5510.
We have successfully created an IPSec tunnel and traffic flows both ways, but when trying to transfer a file, the speed caps at ~300KB/s, one in every 4-5 packets is dropped and the latency goes from ~3ms to 90ms.
Both locations have a 100/100Mbit/s access.
Any good ideas?
11-04-2013 06:24 AM
The VPN is stable, but reducing the value to 1420 did not help
11-04-2013 06:53 AM
Have you tried enabling "Adjust TCP MSS" on the untrust interface of the PA? You will find it under the advanced options on the interface.
11-04-2013 08:31 AM
Here are a couple of options:
a) If the "Adjust TCP MSS" option did not work, can you verify what encryption standards are being used?
Group 5 ( Asymmetric Key Encryption ) and AES ( Symmetric Key Encryption ) standards are more CPU intensive than Group 2 or 3DES. Does the performance improve with Group 2 and 3DES?
b) Slowness of transfers across VPN tunnels is usually seen when the ESP packets are either fragmented, or when the packets themselves come out of sequence before they are encrypted. ( the firewall performs checks for TCP anomalies before it can encrypt these packets in the ESP headers ). Please check for any asymmetric routing issues.
c) Check if there is any QoS applied for the tunnel traffic that might be rate limiting the tunneled traffic.
d) Applications like SMB and FTP do not get offloaded to the Hardware offloading chip, and all the packets are subjected to signature checks in the dataplane chips ( for any application shifts). If the client and the server are trusted entities, we can disable server response inspection for the rule permitting this traffic:
Select 'Options' at the far right of the Security policy & check the option for 'Disable Server Response Inspection'. Commit & attempt your download tests. (Though you could probably give this option a test regardless & compare performance)
e) If the performance is still not that great, an alternative to point 'd' is to create a custom app for the SMB and / or FTP traffic, and use it under an app override. With this setting, we bypass the signature check for this traffic, and hence can expect better results. Refer to the below doc for configuring Application override for certain traffic.
https://live.paloaltonetworks.com/docs/DOC-1071
Hope that helps.
BR,
Karthik RP
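The "Adjust TCP MSS" suggestion above and point (b) about fragmented ESP packets are two sides of the same problem: a 1500-byte TCP segment grows by the ESP tunnel-mode overhead and no longer fits a 1500-byte path, so every full-size segment is fragmented (and a lost fragment costs the whole packet). MSS clamping on the interface lowers the segment size the endpoints agree on during the handshake so the encapsulated packet fits. The calculator below is an added example by the editor, not code from this thread or from Palo Alto Networks; it assumes IPv4, ESP tunnel mode, CBC ciphers with a one-block IV, a 12-byte truncated HMAC ICV (HMAC-SHA1-96 or HMAC-MD5-96), no IP/TCP options, and an optional 8-byte UDP header for NAT-T. Under those assumptions it also shows that a 1420-byte MSS is still too large for a 1500-byte path with AES-CBC.

```python
"""IPsec ESP tunnel-mode size calculator (constructed example, IPv4 only).

Assumptions: 20-byte outer IPv4 header, 8-byte ESP header (SPI + sequence
number), CBC cipher with an IV of one block, 2-byte ESP trailer (pad length +
next header), 12-byte truncated HMAC ICV. NAT-T adds an 8-byte UDP header.
Inner packet is an IPv4 header plus a TCP header with no options.
"""

OUTER_IPV4 = 20
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
UDP_NAT_T = 8           # UDP encapsulation when NAT traversal is in use
INNER_IP_TCP = 40       # inner IPv4 header (20) + TCP header (20), no options

# CBC block sizes; the IV length equals the block size for these ciphers
BLOCK_SIZE = {"3des-cbc": 8, "aes-cbc": 16}


def esp_tunnel_size(inner_len, cipher="aes-cbc", icv_len=12, nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner IP
    packet of `inner_len` bytes."""
    block = BLOCK_SIZE[cipher]
    iv_len = block
    # RFC 4303: payload data + padding + pad length + next header must be a
    # multiple of the cipher block size
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IPV4 + ESP_HEADER + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += UDP_NAT_T
    return size


def fragments(tcp_payload, path_mtu=1500, **kw):
    """True if a TCP segment carrying `tcp_payload` bytes, once
    ESP-encapsulated, exceeds the path MTU and must be fragmented."""
    return esp_tunnel_size(INNER_IP_TCP + tcp_payload, **kw) > path_mtu


def max_mss(path_mtu=1500, **kw):
    """Largest TCP MSS whose ESP-encapsulated packet still fits the path MTU.

    The encapsulated size never decreases as the payload grows, so scanning
    downward from the unencapsulated maximum finds the answer."""
    for mss in range(path_mtu - INNER_IP_TCP, 0, -1):
        if not fragments(mss, path_mtu, **kw):
            return mss
    raise ValueError("path MTU too small for any TCP payload")


if __name__ == "__main__":
    for cipher in ("3des-cbc", "aes-cbc"):
        for nat_t in (False, True):
            print(f"{cipher:9s} nat-t={nat_t!s:5s} max MSS on a 1500-byte path: "
                  f"{max_mss(1500, cipher=cipher, icv_len=12, nat_t=nat_t)}")
    # A 1420-byte MSS still does not fit under these assumptions
    print("MSS 1420 fragments with aes-cbc:", fragments(1420, cipher="aes-cbc"))
```

The numbers are only as good as the assumptions: a longer ICV (HMAC-SHA256-128 is 16 bytes), an extra encapsulation such as GRE, or a path MTU below 1500 somewhere between the two firewalls all lower the usable MSS further, so pair the calculation with a do-not-fragment ping sweep across the tunnel to confirm the real path MTU before choosing a value.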
11-05-2013 03:06 AM
Tried that, no impact
11-05-2013 03:09 AM
a) No luck with the "Adjust TCP MSS" option; running Group 2 and 3DES
b) I'll look for asymmetrical routes, but have not been able to see any so far...
c) no QoS applied
d) Inspection on this traffic was already off
e) I'll try this and see if it helps
Thanks for all suggestions so far