Saturday, January 20, 2018

Where to start troubleshooting a slow IPSec tunnel

I've connected two sites with a fairly rudimentary policy-based IPSec tunnel:

  • Site #1: Cisco ASA-5525-X - Configured with Site-to-site VPN Wizard
  • Site #2: CCR1036 - Practically defaults. Added a peer and a policy to match the Cisco end. Set up a source NAT rule so clients at site B can connect to site A.

The tunnel pops right up, but the performance is abysmal.

When connected to Site A from Site B via IPSec tunnel:

Ping:

    ping -D -s 1200 10.0.0.94
    PING 10.0.0.94 (10.0.0.94): 1200 data bytes
    1208 bytes from 10.0.0.94: icmp_seq=0 ttl=62 time=22.737 ms
    1208 bytes from 10.0.0.94: icmp_seq=1 ttl=62 time=23.217 ms
    1208 bytes from 10.0.0.94: icmp_seq=2 ttl=62 time=68.820 ms
    1208 bytes from 10.0.0.94: icmp_seq=3 ttl=62 time=22.508 ms
    1208 bytes from 10.0.0.94: icmp_seq=4 ttl=62 time=23.064 ms
    1208 bytes from 10.0.0.94: icmp_seq=5 ttl=62 time=121.610 ms
    1208 bytes from 10.0.0.94: icmp_seq=6 ttl=62 time=22.045 ms
    1208 bytes from 10.0.0.94: icmp_seq=7 ttl=62 time=353.490 ms
    1208 bytes from 10.0.0.94: icmp_seq=8 ttl=62 time=22.763 ms
    1208 bytes from 10.0.0.94: icmp_seq=9 ttl=62 time=137.248 ms
    1208 bytes from 10.0.0.94: icmp_seq=10 ttl=62 time=20.840 ms
    1208 bytes from 10.0.0.94: icmp_seq=11 ttl=62 time=22.813 ms

Bandwidth:

    [ ID] Interval        Transfer     Bandwidth
    [  4] 0.00-10.00 sec  133 KBytes   109 Kbits/sec   sender
    [  4] 0.00-10.00 sec  4.76 KBytes  3.90 Kbits/sec  receiver

When connected to Site A from Site B via AnyConnect:

Ping (never deviates beyond +/- 5ms):

    ping -D -s 1200 10.0.0.94
    PING 10.0.0.94 (10.0.0.94): 1200 data bytes
    1208 bytes from 10.0.0.94: icmp_seq=0 ttl=64 time=23.182 ms
    1208 bytes from 10.0.0.94: icmp_seq=1 ttl=64 time=22.701 ms
    1208 bytes from 10.0.0.94: icmp_seq=2 ttl=64 time=22.910 ms
    1208 bytes from 10.0.0.94: icmp_seq=3 ttl=64 time=25.023 ms
    1208 bytes from 10.0.0.94: icmp_seq=4 ttl=64 time=24.687 ms
    1208 bytes from 10.0.0.94: icmp_seq=5 ttl=64 time=26.293 ms
    1208 bytes from 10.0.0.94: icmp_seq=6 ttl=64 time=24.710 ms

Bandwidth:

    [ ID] Interval        Transfer     Bandwidth
    [  4] 0.00-10.00 sec  49.9 MBytes  41.9 Mbits/sec  sender
    [  4] 0.00-10.00 sec  49.8 MBytes  41.8 Mbits/sec  receiver

I've tried locking down the MTU on either end and it doesn't seem to have made a difference.

At this point, I'm at a total loss. There's nothing special being generated in any of the related logs. I've played with a variety of encryption settings, but both ends remain relatively idle CPU-wise.

Should I be looking at MTU still here?
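The two ping runs and the iperf summaries above can be compared numerically rather than by eye. The script below is an added example, not part of the original post: it parses ping reply lines in the BSD/macOS format shown (the post's `ping -D -s 1200` output, with the DF bit set) and iperf3's sender/receiver summary lines, then reports loss inferred from gaps in icmp_seq, RTT spread, RTT spikes relative to the median, and the fraction of sent traffic that actually arrived. The sample strings are constructed from the values the post reports for the IPSec path; the 2x-median spike threshold is an assumption.

```python
import re
import statistics

# Reply lines in the ping format the post shows, constructed from the
# values it reports for the IPSec path (payload 1200 + 8 byte ICMP header).
IPSEC_PING = """\
1208 bytes from 10.0.0.94: icmp_seq=0 ttl=62 time=22.737 ms
1208 bytes from 10.0.0.94: icmp_seq=1 ttl=62 time=23.217 ms
1208 bytes from 10.0.0.94: icmp_seq=2 ttl=62 time=68.820 ms
1208 bytes from 10.0.0.94: icmp_seq=3 ttl=62 time=22.508 ms
1208 bytes from 10.0.0.94: icmp_seq=4 ttl=62 time=23.064 ms
1208 bytes from 10.0.0.94: icmp_seq=5 ttl=62 time=121.610 ms
1208 bytes from 10.0.0.94: icmp_seq=6 ttl=62 time=22.045 ms
1208 bytes from 10.0.0.94: icmp_seq=7 ttl=62 time=353.490 ms
1208 bytes from 10.0.0.94: icmp_seq=8 ttl=62 time=22.763 ms
1208 bytes from 10.0.0.94: icmp_seq=9 ttl=62 time=137.248 ms
1208 bytes from 10.0.0.94: icmp_seq=10 ttl=62 time=20.840 ms
1208 bytes from 10.0.0.94: icmp_seq=11 ttl=62 time=22.813 ms
"""
# iperf3 summary lines as printed in the post for the IPSec path (constructed).
IPSEC_IPERF = """\
[  4]   0.00-10.00  sec   133 KBytes   109 Kbits/sec   sender
[  4]   0.00-10.00  sec  4.76 KBytes  3.90 Kbits/sec   receiver
"""
PING_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
IPERF_RE = re.compile(r"([\d.]+) ([KMG]?)bits/sec\s+(sender|receiver)")
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}

def ping_stats(output, spike_factor=2.0):
    """Reply count, loss (gaps in icmp_seq), RTT spread and spike seq numbers."""
    rtts = {int(s): float(t) for s, t in PING_RE.findall(output)}
    if not rtts:
        raise ValueError("no ping reply lines found")
    seqs = sorted(rtts)
    vals = [rtts[s] for s in seqs]
    median = statistics.median(vals)
    return {
        "replies": len(vals),
        "lost": (seqs[-1] + 1) - len(vals),    # icmp_seq starts at 0
        "min_ms": min(vals), "median_ms": median, "max_ms": max(vals),
        "jitter_ms": statistics.pstdev(vals),  # spread of RTT around the mean
        "spikes": [s for s in seqs if rtts[s] > spike_factor * median],
    }

def iperf_delivery_ratio(output):
    """receiver/sender bandwidth from iperf3's summary lines (1.0 = nothing lost)."""
    rates = {who: float(v) * SCALE[u] for v, u, who in IPERF_RE.findall(output)}
    return rates["receiver"] / rates["sender"]

if __name__ == "__main__":
    print(ping_stats(IPSEC_PING))
    print(f"delivered fraction: {iperf_delivery_ratio(IPSEC_IPERF):.3f}")
```

Run against both captures in the post, the IPSec path shows four RTT spikes of 2x the median or more and a delivered fraction near 0.036, while the AnyConnect path shows none and roughly 1.0; that pattern points at drops or queueing on the tunnel path rather than at the encryption work itself.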
