Pfs - ASA poor performance



  • pfs side is 75/15 meg cable.  I do see close to those speeds.  ASA side is a 100/100meg direct fiber internet.

    pfs is running on a Netgate 7541.  IPsec is set up for AES192 both phases.  perfect forward secrecy of 1 on the phase 2.  Check out these iPerf numbers:

    ASA to pfs:
    bin/iperf.exe -c 172.20.10.145 -P 1 -i 1 -p 5001 -f m -t 30
    –----------------------------------------------------------
    Client connecting to 172.20.10.145, TCP port 5001
    TCP window size: 0.01 MByte (default)

    [180] local 172.20.1.68 port 63747 connected with 172.20.10.145 port 5001
    [ ID] Interval      Transfer    Bandwidth
    [180]  0.0- 1.0 sec  0.26 MBytes  2.16 Mbits/sec
    [180]  1.0- 2.0 sec  0.16 MBytes  1.38 Mbits/sec
    [180]  2.0- 3.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180]  3.0- 4.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180]  4.0- 5.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180]  5.0- 6.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180]  6.0- 7.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180]  7.0- 8.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180]  8.0- 9.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180]  9.0-10.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180] 10.0-11.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180] 11.0-12.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180] 12.0-13.0 sec  0.15 MBytes  1.25 Mbits/sec
    [180] 13.0-14.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180] 14.0-15.0 sec  0.14 MBytes  1.18 Mbits/sec
    [180] 15.0-16.0 sec  0.12 MBytes  0.98 Mbits/sec
    [180] 16.0-17.0 sec  0.13 MBytes  1.11 Mbits/sec
    [180] 17.0-18.0 sec  0.11 MBytes  0.92 Mbits/sec
    [180] 18.0-19.0 sec  0.11 MBytes  0.92 Mbits/sec
    [180] 19.0-20.0 sec  0.14 MBytes  1.18 Mbits/sec

    pfs to ASA:
    bin/iperf.exe -s -P 0 -i 1 -p 5001 -f m
    –----------------------------------------------------------
    Server listening on TCP port 5001
    TCP window size: 0.01 MByte (default)

    [280] local 172.20.1.68 port 5001 connected with 172.20.10.145 port 53176
    [ ID] Interval      Transfer    Bandwidth
    [280]  0.0- 1.0 sec  0.47 MBytes  3.94 Mbits/sec
    [280]  1.0- 2.0 sec  0.54 MBytes  4.52 Mbits/sec
    [280]  2.0- 3.0 sec  0.55 MBytes  4.65 Mbits/sec
    [280]  3.0- 4.0 sec  0.53 MBytes  4.46 Mbits/sec
    [280]  4.0- 5.0 sec  0.54 MBytes  4.52 Mbits/sec
    [280]  5.0- 6.0 sec  0.55 MBytes  4.59 Mbits/sec
    [280]  6.0- 7.0 sec  0.55 MBytes  4.58 Mbits/sec
    [280]  7.0- 8.0 sec  0.56 MBytes  4.72 Mbits/sec
    [280]  8.0- 9.0 sec  0.53 MBytes  4.45 Mbits/sec
    [280]  9.0-10.0 sec  0.57 MBytes  4.79 Mbits/sec
    [280] 10.0-11.0 sec  0.54 MBytes  4.52 Mbits/sec
    [280] 11.0-12.0 sec  0.57 MBytes  4.79 Mbits/sec
    [280] 12.0-13.0 sec  0.58 MBytes  4.85 Mbits/sec
    [280] 13.0-14.0 sec  0.59 MBytes  4.92 Mbits/sec
    [280] 14.0-15.0 sec  0.53 MBytes  4.46 Mbits/sec
    [280] 15.0-16.0 sec  0.60 MBytes  5.05 Mbits/sec
    [280] 16.0-17.0 sec  0.51 MBytes  4.27 Mbits/sec
    [280] 17.0-18.0 sec  0.47 MBytes  3.92 Mbits/sec
    [280] 18.0-19.0 sec  0.51 MBytes  4.25 Mbits/sec
    [280] 19.0-20.0 sec  0.40 MBytes  3.35 Mbits/sec

    The upload is faster than the download.  I'm befuddled.  Any ideas?