We have a site-to-site IPsec VPN; both endpoints are Cisco PIX 515Es. The links at both ends are 100mb, however speeds over the VPN (logged using jperf) are at most 4mb. Obviously this represents a HUGE gulf in the speeds we feel we should be getting. I appreciate there will be overheads for the VPN, but surely not that much. Looking into it, all interfaces on both PIXes have their MTU set to 1500. Running some tests to check the path MTU shows the following:
Over VPN Tunnel
SITEA -> SITEB = Path MTU 1300
SITEB -> SITEA = Path MTU 1434
Not using VPN Tunnel
SITEA -> SITEB = Path MTU 1500
SITEB -> SITEA = Path MTU 1500
So, prior to the tunnel being created, the path MTU suggests an interface MTU of 1500 would be OK. However, running the same tests over the VPN returns lower suggested MTUs, and different ones at that.
Should we drop the MTUs on our PIXes to either one of the 1300/1434 values suggested, or is that a red herring? And if we do drop the MTUs to these values, will we also need to change the MSS accordingly (currently default on both devices)?
Any guidance would be appreciated as this isn't a link we can try 101 things on without good cause, due to the nature of the business and the link.
Many thanks in advance.