The topology is shown as above, USG2200 in HQ and AR1220 in branches set up IPSec VPN tunnels.If SAP and Lotus Notes traffic forwarded through VPN tunnel, it get slow. But other traffic without VPN tunnel forwarded normally.
1. After analyzing the captured packets, we found a large number of packets were sent as fragments.
2. After modifying TCP MSS value on USG2000E and AR1220 to make (MSS + TCP header + IP header) < MTU, the SAP and Lotus Notes traffic forwarded via IPSec tunnel became normal.
TCP mss configuration on USG2200:
[USG2200]firewall tcp-mss 1200
TCP mss on AR1220 should be configured on both internal and external interface:
[AR1220-GigabitEthernet0/0/0]tcp adjust-mss 1200
[AR1220-GigabitEthernet0/0/1]tcp adjust-mss 1200
IPSec tunnel encapsulating IP packets leads to IP packet length becomes longer. If (MSS + TCP header + IP header)> link MTU, the packet will be sent as fragments, and reassembled when received. The process of fragment and reassemble need to consume CPU resources. Meanwhile fragmented packet encryption, decryption process also consumes more CPU resources. When the proportion of fragmented packets too large, the lack of CPU resources may cause packets loss.
When TCP packets size longer than MTU, you can adjust the tcp mss to avoid fragment.