Cisco AnyConnect speed woes!

James Michael Keller jmkeller at houseofzen.org
Tue Dec 16 02:01:56 UTC 2014


On 12/11/2014 04:18 PM, Roy Hirst wrote:
> Confidently based on no knowledge at all -
>
> *Roy Hirst* | 425-556-5773 | 425-324-0941 cell
> XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA
>
>
>>>     - We have noticed that in some instances that if a user is on a low
>>>     speed connection that their VPN speed gets cut by about 1/3.  
>>> This doesn't
>>>     seem normal that the VPN would use this much overhead
> No, sure, but are you sure that congestion is not dropping a packet 
> somewhere in the end-to-end? If you offend TCP it will likely cut the 
> sender's packet transmit rate, even if the "possible" VPN rate is much 
> higher.
>>>     - We do not have the issue when connecting to VPN directly on 
>>> our own
>>>     network, only connections from the Internet
> Internet would mean maybe a proxy or firewall then, with too-small 
> buffers or an old-time TCP/IP stack? Just a thought.
>>>
>>> If you have any ideas on what we could try net, please let me know!
>>>
>>> - Zachary
>>
>> What OS builds?   At one point the code had an 8 packet hard coded 
>> window per tcp flow, which capped ssl over tcp window size to about 
>> 5mbps depending on RTT.     Recent 8 branches raised this to 
>> something more reasonable that capped around 20 mbps. DTLS over udp 
>> and IPSEC tunnels did not have this issue.
> UDP traffic does not have this problem but TCP does? Hmmm...
>>

UDP transport with DTLS or IPSEC in UDP Encapsulation doesn't need to 
deal with tcp window size scaling and the associated packet buffers.

-James




More information about the NANOG mailing list