I have a IPSec link between two sites over ASA 5520s running 8.4(3) and I am getting extremely poor performance when traffic passes over the IPSec VPN. CPU on the devices is ~13%, Memory at 408 MB, and active VPN sessions 2. The load on both of the the devices is particularly low. Latency between the two sites is ~40ms.

Screenshot of wireshark file transfer between the two hosts over the firewall IPSec VPN performing at 10MBPS. Note the changing window size.

http://imgur.com/wGTB8Cr

Screenshot of wireshark file transfer between the two hosts over the firewall not going over IPSec performing at 55MBPS. Constant window size.

http://imgur.com/EU23W1e

I'm showing an inconsistent window size when transferring over the IPSec VPN ranging in 46,796 to 65535. When performing at 55+MBPS, the window size is consistently 65,535. Does this show a problem in my configuration of the IPSec VPN in the ASA or a Layer1/2 issue?

Using ping xxxxxx -f -l I finally get a non-fragment at 1418 bytes so 1418+28 for IP/ICMP headers = 1446. I know that I have 1500 set on the ASA and Ethernet.

I do have "Force Maximum segment size for TCP proxy connection to be" "1380" bytes set under Configuration > Advanced > TCP Options on the ASA.

Using IPERF, I am getting a "TCP Window Full" every few seconds and ~3 MBPS performance.

http://imgur.com/elRlMpY

Show Run on the ASA

http://pastebin.com/uKM4Jh76

Show cry accelerator stats

http://pastebin.com/xQahnqK3