Cisco AnyConnect speed woes!

James Michael Keller jmkeller at houseofzen.org
Thu Dec 11 20:55:09 UTC 2014


On 12/09/2014 02:42 PM, Zachary McGibbon wrote:
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN.  We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
>     - We have tested changing MTU values
>     - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
>     L2TP) with similar results
>     - We have switched our active/standby boxes
>     - We have tested on our spare 5545x box
>     - We connected our spare box directly to our ISP with another IP address
>     - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
>     IPS (HP Tipping Point)
>     - We have bypassed our Shaper and our IPS
>     - We made sure that traffic from the routers talking to our ASAs is
>     synchronous, OSPF was configured to load balance but this has been changed
>     by changing the costs on the links to the ASAs
>     - We have verified with our two ISPs that they are not doing any kind of
>     filtering or shaping
>     - We have noticed that in some instances, if a user is on a low
>     speed connection, their VPN speed gets cut by about 1/3.  This doesn't
>     seem normal that the VPN would use this much overhead
>     - We do not have the issue when connecting to VPN directly on our own
>     network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary

What OS builds? At one point the code had an 8 packet hard coded 
window per TCP flow, which capped SSL over TCP window size to about 
5 Mbps depending on RTT. Recent 8 branches raised this to something 
more reasonable that capped around 20 Mbps. DTLS over UDP and IPsec 
tunnels did not have this issue.
-- 

-James
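An added illustration of the window cap James describes (not code from the thread or from Cisco): with a fixed number of segments in flight per TCP flow, throughput is bounded by window / RTT, so a fixed 8-packet window lands near 5 Mbps at a 20 ms RTT and falls off as RTT grows. The MSS of 1460 bytes and the RTT values are assumed for the illustration; the last function estimates the effective window from a measured speed test so you can check whether your own numbers are consistent with such a cap.

```python
import math

MSS_BYTES = 1460  # assumed TCP payload per segment (1500 MTU, 40 bytes of headers)


def window_limited_mbps(window_packets: int, rtt_ms: float, mss_bytes: int = MSS_BYTES) -> float:
    """Upper bound on throughput when at most window_packets segments can be
    in flight per round trip (bandwidth-delay product argument)."""
    bits_per_rtt = window_packets * mss_bytes * 8
    return bits_per_rtt / (rtt_ms / 1000.0) / 1e6


def packets_needed(target_mbps: float, rtt_ms: float, mss_bytes: int = MSS_BYTES) -> int:
    """Smallest in-flight window (in segments) that can sustain target_mbps at rtt_ms."""
    bytes_per_rtt = target_mbps * 1e6 / 8 * (rtt_ms / 1000.0)
    return math.ceil(bytes_per_rtt / mss_bytes)


def effective_window_packets(measured_mbps: float, rtt_ms: float, mss_bytes: int = MSS_BYTES) -> float:
    """Back out the in-flight window implied by a measured throughput and RTT.
    A result sitting near a small constant (e.g. ~8) across users with
    different RTTs points at a per-flow window cap rather than link capacity."""
    bytes_per_rtt = measured_mbps * 1e6 / 8 * (rtt_ms / 1000.0)
    return bytes_per_rtt / mss_bytes


def cap_table(window_packets: int, rtts_ms, mss_bytes: int = MSS_BYTES) -> dict:
    """Throughput ceiling (Mbps) of a fixed window across a set of RTTs."""
    return {rtt: round(window_limited_mbps(window_packets, rtt, mss_bytes), 2) for rtt in rtts_ms}


if __name__ == "__main__":
    # Ceiling of the old 8-packet window at typical Internet RTTs.
    for rtt, mbps in cap_table(8, (10, 20, 50, 100)).items():
        print(f"8-packet window, RTT {rtt:>3} ms -> max {mbps} Mbps")
    # Window a forwarder would need to let a 20 ms user reach 20 Mbps.
    print("segments needed for 20 Mbps at 20 ms RTT:", packets_needed(20, 20))
    # Constructed speed-test sample: 4.7 Mbps measured at 20 ms RTT.
    print("implied window:", round(effective_window_packets(4.7, 20), 1), "segments")
```

If users on a LAN-side VPN test (sub-millisecond RTT) are fast while Internet users are slow in proportion to their RTT, that pattern matches a window cap rather than a shaper or IPS.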
More information about the NANOG mailing list