ASA Slow IPSec Performance

Posted by Brent on Server Fault See other posts from Server Fault or by Brent
Published on 2013-06-26T14:48:30Z Indexed on 2013/06/26 16:22 UTC
Read the original article Hit count: 246

Filed under:

cisco-asa

|

ipsec

I have a IPSec link between two sites over ASA 5520s running 8.4(3) and I am getting extremly poor performance when traffic passes over the VPN. CPU on the device is 13%, Memory at 408 MB, and active VPN sessions 2 so the load on the device is particularly low.

Screenshot of wireshark file transfer between the two hosts over the VPN:

The large amount of Header checksum failures is alarming, but I am not sure what to check now. I perf is showing around 4-5 Mbit/sec with differing TCP window sizes.

Show Run on the ASA

http://pastebin.com/uKM4Jh76

Show cry accelerator stats

http://pastebin.com/xQahnqK3

© Server Fault or respective owner

Related posts about cisco-asa

Cisco ASA bonding/teaming/port-channel capabilities

as seen on Server Fault - Search for 'Server Fault'
Hello, This seemed to me like a really simple question that I would be able to answer by myself but I have not been able to find any info on this subject. I have a Cisco ASA 5510 which has 4 FastEthernet interfaces. I was wondering if it would be possible to use 2 or 3 of these interfaces as a port-channel… >>> More
Plugging the Cisco ASA Security Hole

as seen on Internet.com - Search for 'Internet.com'
Cisco dominates the networking hardware market, and with its Adaptive Security Appliance it is extending its reach into network security. The ASA, however, can introduce a security issue. Learn how to resolve it so you can get the most out of this powerful tool. >>> More
Enable Cisco ASA as an SSH Tunneling

as seen on Server Fault - Search for 'Server Fault'
I am trying to utilize my Cisco ASA as a SSH Tunnel. I've configured this before when using a Linux server as the SSH target, however I cannot seem to get it to work with the ASA. I have configured and enabled SSH on the Cisco ASA, as well as a username that I can SSH to the console, however the SSH… >>> More
QoS basics on a Cisco ASA

as seen on Server Fault - Search for 'Server Fault'
Could someone briefly explain how to use QoS on Cisco ASA 5505? I have the basics of policing down, but what about shaping and priorities? Basically what I'm trying to do is carve out some bandwidth for my VPN subnets (in an object-group called priority-traffic). I've seen this Cisco QoS document… >>> More
Configuring Cisco ASA 5510 to assign static IP address based on MAC address

as seen on Server Fault - Search for 'Server Fault'
Hi, We have a CISCO ASA 5510 at work. We want to configure the same such that it can serve specific IP addresses based on the MAC address of the clients. Any help would be greatly appreciated. Thanks in advance -knd >>> More

Related posts about ipsec

Ipsec reload fails to load ipsec.conf Strongswan 5.0

as seen on Server Fault - Search for 'Server Fault'
I am having trouble configuring a connection to an Android device using a fedora 17 linux machine and strongSwanv5.0.1dr2. I have made some progress but when I try adding the configuration to support xauth authentication I receive an error when I try to reload the configuration file. I get a similar… >>> More
Specify IPSEC port range using ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections. My SPD rules would look like: spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none; spdadd 0.0.0.0/0 0.0.0.0/0[443]… >>> More
Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools

as seen on Server Fault - Search for 'Server Fault'
I've some trouble with the IPsec configuration on my debian server (6 squeeze). This server should connect via IPsec VPN to an windows server, which is protected by an firewall. I've used racoon and ipsec-tools and this tutorial http://wiki.debian.org/IPsec. However, I am not quite sure, if this… >>> More
ASA hairpining: I basicaly want to allow 2 spokes to be able to communicate with each other.

as seen on Server Fault - Search for 'Server Fault'
ASA Spoke to Spoke Communication I have been looking at spke to spoke comms or "hairpining" for months and have posted on numerouse forums but to no avail. I have a Hub and spoke network where the HUB is an ASA Firewall version 8.2 * I basicaly want to allow 2 spokes to be able to communicate with… >>> More
Can't get the L2TP IPSEC up and running

as seen on Server Fault - Search for 'Server Fault'
i have an Ubuntu 11.10 (oneiric) server running on a ReadyNAS. Im planning to use this to accept ipsec+l2tp connections through a router. However, the connection is failing somewhere half through. Using Openswan IPsec U2.6.28/K3.0.0-12-generic and trying to connect with an iOS 5 iPhone 4S. This is… >>> More