I have been troubleshooting an interesting issue recently, with poor performance on a site to site (L2L) VPN between two sites. The sites are very close, say about 20 miles from each other, with a decent number of users in both sites. The VPNs are established, and encrypting and decrypting traffic ok.
The problem is that the performance is pretty bad. Site B cannot stream media from the Site A, accessing file shares is slow, and access to other things is also slow.
Naturally I looked at the VPN first, the flow of packets looked fine, not obvious lags there, and as the tunnels were up we could eliminate ISAKMP and IPSec from the list of possible issues.
No other sites are affected by this slowness, Site A is our main site with multiple VPNs coming into it.
We logged a call with the ISP for Site B and they reported no issues. So I widened the search. Watching the logs go past I could see a number of failed DNS queries to the root hints servers from the domain controller at Site B:
Dropped UDP DNS reply from OUTSIDE_PRIMARY:22.214.171.124/53 to INSIDE:x.x.x.x/63095; packet length 697 bytes exceeds configured limit of 512 bytes Dropped UDP DNS reply from OUTSIDE_PRIMARY:126.96.36.199/53 to INSIDE:x.x.x.x/63095; packet length 697 bytes exceeds configured limit of 512 bytes Dropped UDP DNS reply from OUTSIDE_PRIMARY:188.8.131.52/53 to INSIDE:x.x.x.x/62464; packet length 618 bytes exceeds configured limit of 512 bytes
This shouldn’t directly affect site to site traffic, it would certainly affect external traffic (though no reports of slow external traffic were reported), but it certainly wouldn’t hurt to fix this.
Under Configuration -> Firewall -> Objects -> Inspect maps is an entry for DNS. Highlighting this we can see that the default Message Length Maximum is set to 512. So I increased this to 1024 and the errors were not logged anymore.
For the CLI user this is set with:
policy-map type inspect dns preset_dns_map parameters message-length maximum 1024 policy-map global_policy class inspection_default inspect dns preset_dns_map
Immediately file access between sites was improved and video streaming was usable again.
So if you are having poor site to site VPN issues, this is worth checking out.