We recently upgraded a number of ASL 5.2 machines to ASL 6. After upgrading, we noticed that a number of the regular large file transfers we do across the VPN have gotten a lot slower and take a lot longer to complete while using more bandwidth.
After a bit of digging, it appears that IPSec compression no longer works with ASL v6, even though we have it turned on.
Normally if we look at ipsec compared to actual interface bandwidth, the ipsec bandwidth is much higher than the interface bandwidth, now the 2 are equal.
Looking at the IPSec logs, I see plenty of "initiating Quick Mode" lines with "RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP", but when the following IPSec SA established lines do not include IPCOMP, they only include ESP, AES_128-HMAC_MD5 DPD.
Interestingly VPNs between v6 and v5 firewalls do show IPCOMP in the IPSec SA established message, but don't show any evidence of compression actually working in either direction.
Anyone else run across this problem? Having VPN compression is a huge savings in bandwidth and network responsiveness for us.
This thread was automatically locked due to age.
