nanog mailing list archives

Re: Cisco AnyConnect speed woes!


From: James Michael Keller <jmkeller () houseofzen org>
Date: Thu, 11 Dec 2014 15:55:09 -0500

On 12/09/2014 02:42 PM, Zachary McGibbon wrote:
I'm looking for some input on a situation that has been plaguing our new
AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
what the problem is.

We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
active/standby pair.

The big issue we are having is that many of our users are complaining of
low speed when connected to the VPN.  We have done tons of troubleshooting
with Cisco TAC and we still haven't found the root of our problem.

Some tests we have done:

    - We have tested changing MTU values
    - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
    L2TP) with similar results
    - We have switched our active/standby boxes
    - We have tested on our spare 5545x box
    - We connected our spare box directly to our ISP with another IP address
    - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
    IPS (HP Tipping Point)
    - We have bypassed our Shaper and our IPS
    - We made sure that traffic from the routers talking to our ASAs is
    synchronous, OSPF was configured to load balance but this has been changed
    by changing the costs on the links to the ASAs
    - We have verified with our two ISPs that they are not doing any kind of
    filtering or shaping
    - We have noticed that in some instances that if a user is on a low
    speed connection that their VPN speed gets cut by about 1/3.  This doesn't
    seem normal that the VPN would use this much overhead
    - We do not have the issue when connecting to VPN directly on our own
    network, only connections from the Internet

If you have any ideas on what we could try next, please let me know!

- Zachary

What OS builds? At one point the code had an 8-packet hard-coded window per TCP flow, which capped SSL-over-TCP window size to about 5 Mbps depending on RTT. Recent 8 branches raised this to something more reasonable that capped around 20 Mbps. DTLS over UDP and IPsec tunnels did not have this issue.
--

-James
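The window-versus-RTT relationship James describes is easy to check against measured numbers. The following calculator is an added example, not code from the thread or from Cisco: it computes the throughput ceiling of a flow that may only keep a fixed number of packets in flight (window divided by round-trip time), and the reverse check of how many packets in flight would explain an observed rate. The 1400-byte packet payload is an assumption chosen for illustration; the 8-packet figure is the one quoted in the reply.

```python
# Added example (not from the thread): throughput ceiling of a window-limited
# flow, i.e. why a fixed per-flow packet window on a VPN head-end caps
# SSL-over-TCP tunnels as a function of round-trip time, while DTLS/UDP and
# IPsec tunnels that are not subject to that window are unaffected.

# Assumed tunnel payload per packet (constructed value; depends on MTU and
# encapsulation overhead, so adjust to your own path).
PACKET_BYTES = 1400

# Window quoted in the reply for older ASA code: 8 packets per TCP flow.
LEGACY_WINDOW_PACKETS = 8


def window_limited_mbps(window_packets, rtt_ms, packet_bytes=PACKET_BYTES):
    """Maximum throughput in Mbit/s when at most `window_packets` may be
    unacknowledged at once: one window per round trip (bandwidth-delay
    product), regardless of how fast the underlying link is."""
    if rtt_ms <= 0:
        raise ValueError("RTT must be positive")
    window_bits = window_packets * packet_bytes * 8
    return window_bits / (rtt_ms / 1000.0) / 1e6


def inferred_window_packets(observed_mbps, rtt_ms, packet_bytes=PACKET_BYTES):
    """Reverse check: how many packets in flight would explain a measured
    rate at a given RTT. A result close to a small fixed integer across
    several users with different RTTs points at a window cap rather than
    at the path or the ISP."""
    bits_per_rtt = observed_mbps * 1e6 * (rtt_ms / 1000.0)
    return bits_per_rtt / (packet_bytes * 8)


def rtt_table(window_packets, rtts_ms, packet_bytes=PACKET_BYTES):
    """Ceiling per RTT for one window size, rounded to 0.01 Mbit/s."""
    return {rtt: round(window_limited_mbps(window_packets, rtt, packet_bytes), 2)
            for rtt in rtts_ms}


if __name__ == "__main__":
    # Constructed RTTs: on-campus, regional and long-haul remote users.
    for rtt, mbps in rtt_table(LEGACY_WINDOW_PACKETS, [5, 10, 20, 40, 80]).items():
        print(f"RTT {rtt:3d} ms -> ceiling {mbps:6.2f} Mbit/s "
              f"with {LEGACY_WINDOW_PACKETS} packets in flight")
    # What a measured 5 Mbit/s at 20 ms RTT implies about packets in flight.
    print(f"5 Mbit/s at 20 ms RTT implies ~"
          f"{inferred_window_packets(5, 20):.1f} packets in flight")
```

Users inside the campus network see very low RTT, so the same window yields a much higher ceiling there, which matches the observation that the slowdown only appears for Internet-side connections. Measuring RTT alongside throughput for a few remote users and feeding both into the reverse check is a quick way to tell a window cap from shaping or filtering on the path.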