Hi,
I've got some issues with the download speed over my site-to-site VPN towards Azure (West Europe). While the upload speed hits the 85Mbits/sec limit on my Cisco ISR 3925E (Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license), my download speed over the VPN tunnel doesn't get over 14.4Mbits/sec, and it feels like it's being limited somewhere. If it was an MTU issue, then I would expect to have the same bad performance both ways over the tunnel. I've checked everything and tweaked the VPN config as far as I could, but I'm still getting the same result. I'm testing with iPerf3 on a host on-premise and in the cloud, and have already tried multiple hosts to see if the problem was local to a machine. Would be great if someone could give me some advice or ideas on what to do next :)
Cisco VPN Config:
vrf definition azure-vrf
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer <azure.gateway>
  address <azure.gateway>
  pre-shared-key <pre.shared.key>
 !
!
crypto ikev2 profile azure-profile
 match address local <local.ip>
 match identity remote address <azure.gateway> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
 dpd 500 50 on-demand
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile vti
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile azure-profile
!
interface Tunnel1
 vrf forwarding azure-vrf
 ip address <tunnel.ip> 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source <local.ip>
 tunnel mode ipsec ipv4
 tunnel destination <azure.gateway>
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti
!
ip route vrf azure-vrf 10.0.0.0 255.0.0.0 GigabitEthernet0/3 <core.layer3>
ip route vrf azure-vrf <azure.gateway.net> 255.255.0.0 Tunnel1
ip route vrf azure-vrf 192.168.0.0 255.255.0.0 GigabitEthernet0/3 <core.layer3>
!
Would be great if @AzureSupport could pick this one up!
Seems my support subscription isn't valid any longer, and while I'm an enterprise customer there's no way to open a ticket :/
Thanks!