Cisco AnyConnect speed woes!
James Michael Keller
jmkeller at houseofzen.org
Thu Dec 11 20:55:09 UTC 2014
On 12/09/2014 02:42 PM, Zachary McGibbon wrote:
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup. Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN. We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
> - We have tested changing MTU values
> - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
> L2TP) with similar results
> - We have switched our active/standby boxes
> - We have tested on our spare 5545x box
> - We connected our spare box directly to our ISP with another IP address
> - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
> IPS (HP Tipping Point)
> - We have bypassed our Shaper and our IPS
> - We made sure that traffic from the routers talking to our ASAs is
> synchronous, OSPF was configured to load balance but this has been changed
> by changing the costs on the links to the ASAs
> - We have verified with our two ISPs that they are not doing any kind of
> filtering or shaping
> - We have noticed that in some instances that if a user is on a low
> speed connection that their VPN speed gets cut by about 1/3. This doesn't
> seem normal that the VPN would use this much overhead
> - We do not have the issue when connecting to VPN directly on our own
> network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary
What OS builds? At one point the code had an 8-packet hard-coded
window per TCP flow, which capped SSL-over-TCP window size to about
5 Mbps depending on RTT. Recent 8 branches raised this to something
more reasonable that capped around 20 Mbps. DTLS over UDP and IPsec
tunnels did not have this issue.
--
-James
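As an added illustration of the point made in the reply above (not part of the original thread), the script below works the bandwidth-delay arithmetic behind a fixed per-flow window: a window of N full-size packets can deliver at most N * MSS bytes per round trip, so the throughput ceiling falls as RTT rises. The MSS of 1460 bytes and the RTT values are assumptions chosen for the example.

```python
import math

# Assumed TCP payload per packet (Ethernet MTU 1500 minus IP/TCP headers).
DEFAULT_MSS_BYTES = 1460


def throughput_cap_bps(window_packets, rtt_s, mss_bytes=DEFAULT_MSS_BYTES):
    """Upper bound on a single TCP flow whose sender may have at most
    `window_packets` unacknowledged full-size segments in flight.

    Each round trip moves at most window_packets * mss_bytes bytes, so
    the ceiling in bits/s is that byte count * 8 divided by the RTT.
    """
    if window_packets <= 0 or rtt_s <= 0 or mss_bytes <= 0:
        raise ValueError("window, RTT and MSS must all be positive")
    return window_packets * mss_bytes * 8 / rtt_s


def window_packets_for_target(target_bps, rtt_s, mss_bytes=DEFAULT_MSS_BYTES):
    """Smallest whole-packet window that can sustain `target_bps` at `rtt_s`.

    Inverse of throughput_cap_bps: bytes in flight needed per RTT is
    target_bps * rtt_s / 8, rounded up to whole segments.
    """
    if target_bps <= 0 or rtt_s <= 0 or mss_bytes <= 0:
        raise ValueError("target, RTT and MSS must all be positive")
    return math.ceil(target_bps * rtt_s / 8 / mss_bytes)


def cap_table(window_packets, rtts_s, mss_bytes=DEFAULT_MSS_BYTES):
    """Map each RTT (seconds) to the throughput ceiling in Mbps, rounded."""
    return {rtt: round(throughput_cap_bps(window_packets, rtt, mss_bytes) / 1e6, 2)
            for rtt in rtts_s}


if __name__ == "__main__":
    # Constructed RTTs: LAN-ish, regional, and cross-continent Internet paths.
    rtts = [0.005, 0.010, 0.020, 0.050, 0.100]
    for window in (8, 35):
        print(f"window = {window} packets:")
        for rtt, mbps in cap_table(window, rtts).items():
            print(f"  RTT {rtt * 1000:6.1f} ms -> max {mbps:6.2f} Mbps")
    # How many packets in flight would be needed to reach 20 Mbps at 20 ms RTT?
    print("packets for 20 Mbps at 20 ms:", window_packets_for_target(20e6, 0.020))
```

With the assumed 1460-byte MSS, an 8-packet window tops out near 4.7 Mbps at a 20 ms RTT, consistent with the "about 5 Mbps depending on RTT" figure in the reply, and the same window yields under 1 Mbps at 100 ms.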