Cisco AnyConnect speed woes!
James Michael Keller
jmkeller at houseofzen.org
Tue Dec 16 02:01:56 UTC 2014
On 12/11/2014 04:18 PM, Roy Hirst wrote:
> Confidently based on no knowledge at all -
>
> *Roy Hirst* | 425-556-5773 | 425-324-0941 cell
> XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA
>
>
>>> - We have noticed that in some instances that if a user is on a low
>>> speed connection that their VPN speed gets cut by about 1/3. This doesn't
>>> seem normal that the VPN would use this much overhead
> No, sure, but are you sure that congestion is not dropping a packet
> somewhere in the end-to-end? If you offend TCP it will likely cut the
> sender's packet transmit rate, even if the "possible" VPN rate is much
> higher.
>>> - We do not have the issue when connecting to VPN directly on our own
>>> network, only connections from the Internet
> Internet would mean maybe a proxy or firewall then, with too-small
> buffers or an old-time TCP/IP stack? Just a thought.
>>>
>>> If you have any ideas on what we could try next, please let me know!
>>>
>>> - Zachary
>>
>> What OS builds? At one point the code had an 8 packet hard coded
>> window per tcp flow, which capped ssl over tcp window size to about
>> 5mbps depending on RTT. Recent 8 branches raised this to
>> something more reasonable that capped around 20 mbps. DTLS over udp
>> and IPSEC tunnels did not have this issue.
> UDP traffic does not have this problem but TCP does? Hmmm...
>>
UDP transport with DTLS or IPSEC in UDP Encapsulation doesn't need to
deal with tcp window size scaling and the associated packet buffers.
-James