Cisco VPN :: 5510 - Slow Throughput On L2L IPsec Tunnel

Jan 8, 2013

I am experiencing slow throughput on a L2L IPsec tunnel that we have between one of our offices on the west coast (WC) US and another on the east coast (EC) US. The tunnel endpoint on the WC resides on a 5510 and a 5545x on the EC. The DIA circuit speed on the WC is 45 Mbps and 200 Mbps on the EC. The throughput of this IPsec tunnel is maxing out at approx. 4 – 5 Mbps. The utilization of the DIA circuits at both offices is under 5% when running various FTP test transfers. Both devices have low memory and CPU utilization.
 
We have a 2nd office on the EC (45 Mbps DIA) which I built a tunnel on a 5510 with the WC office and it is experiencing the same slow throughput. In covering all my bases we have a colocation facility on the WC and in building a tunnel between the 2 WC offices I WAS seeing close to full line rate speeds over the tunnel. Additionally, I built a tunnel between the 2 EC offices and I saw full line rate speeds. With the physical distance between the WC & EC offices I would expect some loss in throughput speeds but I would not expect it to drop as low as 4 – 5 Mbps. In thinking something may be up with the 5510 in our WC office we shipped a 5505 to the WC office and we built the same IPsec tunnels on it and it is experiencing the same.
 
In working with our support vendor to try and solve the WC <-> EC throughput issue they had me change the MTU, TCP mss, DF-bit, types of encryption/hash on the IPsec tunnel but nothing has resolved it. We are not showing fragmentation or PMTU issues on the tunnel. In contacting the ISP of our WC office they mentioned that they do not have any type of rate limiting in place. Our WC ISP had a CCIE review our configurations but nothing was found.


Cisco LAN :: Debug An Ipsec Tunnel On An ASA 5510 (8.4(3))?

Mar 5, 2012

I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get a constant stream of TCP debugging events. Is it possible to only view ipsec messages?

Cisco VPN :: 5510 - IPSEC Tunnel Won't Attempt Connection

Jul 31, 2012

I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations from CISCO ASA configs, as well as every source I can find. I have walked through the config with IOS commands as well as Wizards. All my packets are dropped at the inside or outside interface.
 
When I show SH ISAKMP command all I get are 0's straight down.

Cisco Firewall :: IPSec Tunnel On Sub-interface On ASA 5510?

Jun 11, 2012

I am working on a security solution using an ASA firewall. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?

Cisco VPN :: ASA 5510 OS 8.03 Change IPSec Tunnel IP Endpoint In CLI

Mar 29, 2012

I have an ipsec tunnel whose IP is changing from mythical 200.200.200.182 to 200.200.200.254. Is it possible to change the .182 IP in the config below via the CLI to .254 and have the site-to-site vpn continue to work? [code]

Cisco VPN :: 5510 - IPsec Tunnel Going Down At Specific Times

Dec 5, 2011

I have an IPsec tunnel between an ASA 5510 (UK) & a router (France) that seems to be going down at specific times during the day. I have attached the syslog as well.

I cannot seem to copy & paste the config onto here for some reason so I have attached the configs, IPsec details & syslog details from the ASA.

Cisco VPN :: 5510 IPSec Tunnel With Juniper Netscreens

Apr 25, 2011

I'm having an issue bringing L2L tunnels up between my ASA 5510 and an ISP's Netscreens. I can establish the tunnels from my side by initiating traffic to the far end. The tunnels come up and stay up as long as there is traffic. Once the tunnels drop, they will not re-establish with inbound traffic. The only way to re-establish the tunnel is to send traffic outbound from our network. My ASAs are on ASA Version 7.0(8) in active/standby. [code]

Cisco VPN :: 5510 - Traffic Through Tunnel Is Very Slow

Jun 8, 2011

I got a strange VPN problem: I just added a new VPN tunnel to our ASA5510 and then the users report that the traffic through the tunnel is very slow. When I try it myself I get a speed like 50kb/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is through the ASDM VPN wizard.

Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?

Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct configuration? The current configuration I am using is:

In the RV042 I am using:

Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....

Cisco VPN :: Max IPSec VPN Throughput On C1812 And C2811?

Apr 19, 2012

Recently we had some performance issues with a C2811, which caused us to do some lab testing. For testing we also used a C1812. The results were quite surprising for us, as the C1812 appeared to be more efficient than the C2811. Below you can see the lab scenario and results.

1. Why is the C2811 performing worse than the C1812?

2. Is there any official Cisco reference stating what are the max VPN throughputs of certain platforms/models? (we consider migration to C2900 platform and would like to choose the right model)

[URL]

as presented on the small diag:

All routers had enabled onboard hw VPN modules and SEC/K9 IOS ver. Configuration was very simple and beside encryption there were also GRE tunnels configured and EIGRP process for routing between "remote LANs". Part of conf responsible for encryption:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key ......... address ......... no-xauth
!
crypto ipsec transform-set SHA-AES256 esp-aes 256 esp-sha-hmac
crypto map VPN 90 ipsec-isakmp
 set peer .........
 set transform-set SHA-AES256
 set pfs group5
 match address .........
 
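TEST RESULTS

| iperf generated BW [bps] | Cisco 1812: WAN if BW (max of 30s avgs) [bps] | Cisco 1812: CPU usage (max of 5s avgs) | Cisco 2811: WAN if BW (max of 30s avgs) [bps] | Cisco 2811: CPU usage (max of 5s avgs) |
|---|---|---|---|---|
| 500k | - | - | 540k | 5% |
| 1M | 1,1M | 3% | 1,2M | 8% |
| 2M | 2,1M | 4% | 2,3M | 14% |
| 5M | 5,4M | 10% | 5,7M | 34% |
| 10M | 10,6M | 20% | 11,5M | 65% |
| 15M | 15,8M | 28% | 17M | 96% |
| 16M | - | - | 17,2M | 99% |
| 25M | 27M | 48% | - | - |
| 35M | 38M | 64% | - | - |
| 45M | 48,2M | 72% | - | - |
| 53M | 60,8M | 88% | - | - |
| 59M | 67M | 94% | - | - |
| 61M | 72M | 97% | - | - |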

Cisco Switching/Routing :: C1811 - Isr Max Throughput When Not Running Ipsec Site Vpn?

Dec 12, 2012

What is the c1811 isr max throughput when not running ipsec site vpn?

Slow Throughput On XP To NAS Drives?

Jan 7, 2011

I have two NAS drives directly connected to my router. I am accessing them through my XP laptop's wireless connection. I am trying to copy a large volume of data from one to the other (28Gb). The problem I have is throughput. I am barely getting 250Kb/s from one drive to the other. Is there a way to speed this up?

Cisco Firewall :: Slow SQLnet Throughput On ASA 5540?

Nov 14, 2011

I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file.

Cisco :: AP1231G-A-K9 Access Points / Very Slow Throughput

Jul 17, 2012

I recently setup our small office network using the following setup:

Cablemodem <--> router <--> 1231AP (role root bridge with wireless clients) <-> 1231AP (role non-root bridge with wireless clients)

Code on both APs: 12.3(8)JEE. Office network generally has less than 3 wireless clients connected at any one time to either AP. APs are a mere 50' apart; clients are all less than 30' from either AP; they all show excellent signal and connected at 54mbps signaling rates.
 
All is/has been working very well & very stable with the exception of speed. We have business class service from RR, approx 25mbps dl, 2mbps ul. Any hardwired client to the router switch ports are able to download at speeds averaging 23mbps. Any wireless client connected to either AP is never able to exceed download speeds of 5mbps. With no other wireless clients connected except my one test client, I was not able to exceed 5mbps throughput from either AP that I connected to.
 
I can confirm that the ethernet connection between the router and root bridge is up at 100mbps-FD and not showing any errors: [code]
 
Are these very slow throughput speeds normal for this hardware combination? I did much searching/googling and found claims that eliminating TKIP almost doubles the actual wireless speeds our clients can obtain.

Cisco Switching/Routing :: Slow Throughput Between 3750 Etherchannel

Apr 23, 2013

We've installed Cisco devices across our site in the last year or so and are slowly getting on top of it now. However, our old unmanaged kit seems to be outperforming it. It's most likely down to my misconfiguration, which has led me here. Below are the details of hardware and configuration between devices. 3750 core consisting of the following stacked. [code] I've got MRTG monitoring traffic and the throughput seems to max out at 24m/s.

Cisco Switching/Routing :: 5020 - Slow Throughput Between Two VLANs

Feb 14, 2012

When transferring traffic between two VLANs my throughput rate seems to drop to about 1.5 - 3.0 megabits / second.
 
My setup is like this...
 
Two Nexus 5020 switches. (switch01 and switch02)
Two Nexus 2232PP fabric extender switches. (switch03 and switch04)
Two Dell R815s with Chelsio and Intel NICs. (host1 and host2)
 
The servers run Xenserver 6.0, but as part of testing with this I've tried installing RedHat 6.2, VMware ESX 5.0 (vsphere 5).
 
The issue occurs when using trunking and transferring data from one VLAN to another. Example...
 
VM1 is in VLAN401 with an IP address of 10.100.40.40. The VM is on Host1. VM2 is in VLAN402 with an IP address of 10.100.50.50. The VM is on Host2.
 
I've been using a network throughput tool called iPerf to test and I find that I can only get a throughput rate of about 3.0megabits.
 
If I switch VM2 to be in VLAN401 with an IP address of 10.100.40.41 I get a throughput rate of about 6.7gigabits/sec.
 
In the above scenario, I'm using a Layer3 interface on the Nexus 5020, but in production we use a Vyatta virtual firewall.
 
I worked with Citrix for about 3 months and that was a dead end.

Cisco Switching/Routing :: SGE2010 - Slow Gigabit Throughput?

May 4, 2010

I realize this is just a small business switch, basically a rebranded Linksys, but why am I only getting 200Mbits/s?
 
- 48 port - 10/100/1000 , set to standalone mode

- 3 separate PCs on this switch , all are fast machines with Core 2 duo / plenty of RAM etc...

- all 3 auto-sense 1Gbps connection
 
I use iperf tool for bandwidth testing and no matter which PC I pick as server, which as client I get about 150 to 250Mbits/s
 
I am not looking for full 1000 here, but 200 seems rather sad....
 
- jumbo frames seem to make no difference

- I am using TCP test in iperf , standard no extra flags , 10 seconds, 20 seconds or even 30 seconds all come out the same.

- wiring is shady as some of it is just Cat5 , but when going from one laptop on the switch to another with brand new Cat6 cables I STILL only got 200.

Cisco Firewall :: ASA 5510 Different Throughput Between LAN And DMZ?

Jun 18, 2011

The issue was about Cisco ASA5510 Sec Plus. 2 interfaces, LAN and DMZ. Both 1000 FD, no interface errors like CRC or something similar. If I start a data transfer (like FTP) or a data stream test (like Netperf), from DMZ to INSIDE I get a throughput. If I start the same from INSIDE to DMZ (same hosts), I get a throughput almost ten times slower. If I do the same using netperf in UDP (not TCP) I get the same in both directions.

Cisco Firewall :: 5510 How To Measure Throughput

Mar 3, 2013

I'm new to the networking world and am trying to establish a baseline for my network. I'm running ASA 5510 8.4(4); how can I measure throughput? In the ASDM, there is a nice feature for CPU, and the show command in the CLI also provides good info about CPU, but how can I get the throughput on a per-port basis?

Cisco Firewall :: ASA 5510 Interface Throughput?

Feb 4, 2013

I'm not clear about the capabilities of the ASA 5510 GigE interfaces (eth0/0 and eth0/1) with and without IPSEC tunnels enabled.
 
This page [URL] shows a figure of 170Mbps 'Maximum 3DES/AES VPN Throughput'. Does that mean per IPSEC tunnel or for the whole interface if it is IPSEC-enabled?

Cisco Firewall :: ASA 5510 Throughput Of 300Mbps

Jan 19, 2012

Looking at the ASA spec sheets, the ASA 5510 has a firewall throughput of 300Mbps. Does this mean 300Mbps half duplex or full duplex?
 
We are looking to replace our current firewall. Peak traffic at the moment is 250Mbps upstream and  20Mbps downstream, max concurrent sessions is 24K. Will I need to look at a ASA 5520 for the replacement?

Linksys Wireless Router :: E2500 Getting Slow Throughput With FIOS Quantum

Aug 14, 2012

I've just upgraded to FIOS quantum service (50 MB down, 25 up). I have a Linksys 2500 connected to the FIOS router. The FIOS (ActionTec) router provides the full advertised speeds with any speed test service I try. But with the 2500 connected to the FIOS router I get download speeds about 3MB. The MTU on the Linksys is 1500. It's connected correctly and is running its own DHCP server. (Why am I doing this? I try to avoid the ActionTec routers, they have broken many services in the past.) The 2500 firmware is up to date. I've tested on the wireless and wired (ethernet) interfaces.

Cisco WAN :: 2901 To ASA 5510 Via Leased Line Poor Throughput

Feb 16, 2012

I have two sites connected via 2901 routers to a head end with an ASA 5510. The WAN circuits are LES running at 100MB and at the head end we have a 100MB leased line. All WAN circuits are provided wires only by another supplier. I have set up the two 2901 routers with inside IP addresses on GE0/0 and a /30 subnet for the GE0/1 interfaces to the ASA over the LES circuit.
 
The LES circuits are set to 100MB but the problem I am having is that one of the 2901s will only negotiate at 10MBps Half Duplex with the ASA at 100MB Half Duplex, the other will negotiate at 100MBps Full Duplex at both ends.  My WAN provider tells me both LES circuits are the same so I cannot work out why one will negotiate at 100MB Full and the other at only 10Mb Half.
 
At the head end I have an ASA 5510 connected to the WAN provider's 100MB circuit but testing from my end sites I can only get 6MB download and 0.5MB upload on an Internet Speedtest.
 
I used Wireshark when downloading from my end sites and I can see lots of TCP retries and duplicates so I think this is a duplexing issue, my question is, my WAN provider is stating the issue is nothing to do with them and it is my 2901 and ASA that is at fault, they state if they connect a laptop to the LES circuit and then their leased line they get 100MB up and down.

Cisco VPN :: Ipsec Tunnel Between Two 881

Oct 19, 2011

- IPsec tunnel between two 881s
- An Aruba access point trying to set up a tunnel back to controller through the IPsec tunnel, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
 
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.

Cisco :: How To Create Ipsec Tunnel

May 4, 2011

How to create an IPsec tunnel using these parameters. Customer IP where tunnel has to be connected: 1.1.1.1

ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key

[Code]......

Cisco :: IPsec VPN Tunnel Between 2820 And 871?

Mar 9, 2011

We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. It's been working for a while, and for some reason last week HTTP and HTTPS traffic over the tunnel is having connection issues. I can Remote Desktop or PCAnywhere into the remote PCs. From that PC I can ping an internal IP address or the IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out, or it will work and stop working again. Basically ICA, ICMP, PCAnywhere and RDP traffic works over the tunnel but not HTTP or HTTPS.

Cisco VPN :: Force Use Of NAT-T On IPSEC L2L Tunnel

May 4, 2011

Can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.

I have a very strange issue where asynchronous routing is making my life as a technician very hard.
 
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
 
ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510
212.178.155.73                                                                 80.62.yyy.xxx (traffic source IP: 212.178.155.73)

[Code].....

Cisco VPN :: ASA Or 871 IPSec L2L To SSG-140 - Tunnel Is Up But No Traffic

Aug 8, 2012

I am currently troubleshooting an IPsec L2L VPN between
 
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
 
In both scenarios the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encaps, but no decaps.

It seems like a routing issue, but we cannot find anything on both sites.

So maybe I'm running into a (known) issue between Cisco VPN equipment and the SSG-140?

Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255

Cisco VPN :: PIX-501 IPSec To Configure Tunnel

Mar 24, 2011

I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL. The remote end is a SonicWall.
 
The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems.

Cisco VPN :: 887 - Static NAT With IPSec Tunnel

Oct 29, 2012

configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. 
 
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
 
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
 
[URL]
 
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside). The configuration can be seen below for the NAT part:
 
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
 deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
 deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.19.191.0 0.0.0.255 192.168.128.0

[Code].....

Cisco :: L2L IPSec Tunnel - ASA To 3800 Router

Mar 3, 2011

I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.

Cisco :: Reach Second LAN Over Existing IPSec Tunnel?

Nov 28, 2012

For a few days I've been trying to solve a problem. I've successfully established an IPSec tunnel between two local LANs. In the main office I'm working with an ASA5510 CLI 8.4 and a static public IP address. The branches are using different Cisco 8xx routers and dynamic public IP addresses. The following picture shows the current configuration:

As I mentioned, an IPSec tunnel between the main office "Intern"-LAN 192.168.1.0/24 and an outside LAN 10.10.0.0/24 is successfully established. Now there is a new intern "Admin"-LAN 192.168.2.0/24 at the main office. The users from the outside LAN 10.10.0.0/24 need the possibility to reach this new intern "Admin"-LAN.

Can I simply route the traffic from 10.10.0.0/24 to 192.168.2.0/24 via the existing IPSec tunnel? Or do I need a new IPSec tunnel between the outside 10.10.0.0/24 LAN and the new "Admin"-LAN 192.168.2.0/24?

Copyrights 2005-15 www.BigResource.com, All rights reserved