Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
2
Replies

ASA - Firewall and VPN on same device

Ralph Rye
Level 1
Level 1

‎11-05-2007 12:38 PM - edited ‎02-21-2020 03:21 PM

I have a client that is attempting to both firewall, and VPN (remote access and site to site) functions on a single 5510 unit. They seem to have problem when the Internet bandwidth becomes congested and the remote access VPN user suffer badly from packet loss. It gets to the point that remote access VPN clients have applications hang on them. While I do expect to have some packet loss and slow down when the Internet connection gets saturated it seems to be more severe on the VPN then the firewall traffic.

The other issue is that the client has a VPN 3000 sitting in parallel with the ASA and they plan to migrate users from it to the ASA but they believe something is wrong with the ASA. The VPN 3000 is connected to the same Internet connection and when the link becomes saturated the remote access users do not experience the same level of packet loss / slow downs / or application hanging on them.

Anyone else seen anything like this?

Thanks,

Bob

Labels:
0 Helpful
2 Replies 2

jwalker
Level 3
Level 3

‎11-05-2007 02:01 PM

Bob -

First, did you verify that the ASA you bought could support the amount of users/traffic you have? The VPN users will always experience poorer performance than the internal users. This is because the OS prefers this traffic over VPN. Basically, if the firewall's resources are saturated, it begins limiting resources to "less important" stuff like VPN traffic and administrative connections. The last thing it will quit doind is passing inside to any traffic.

I wouldn't recommend adding the concentrator users until after you resolve the other problem. If you do a "show asp drop" on the ASA, do you see any of the counters going up very quickly (besides the matched deny rule one)? If so, you may have a configuration issue on your network. Also, you should do a "show interface" on the ASA and verify that the interfaces are not getting errors/collions.

Jay

0 Helpful

Ralph Rye
Level 1
Level 1
In response to jwalker

‎11-05-2007 02:20 PM

Jay,

Thanks for the reply. Yes the ASA should be to handle the traffic load and amount of VPN users.

It does react the way you stated. Meaning when the link gets saturated it prefers the "firewall" traffic over the VPN traffic. I would think that if the client believes that VPN traffic is of higher priority then firewall traffic then I should be "police" the firewall traffic or implement priority queueing for the VPN traffic.

Have you done either of these and achieved your desired goals?

Also do have any links to docs discussing the ASA preference to passing firewall traffic over VPN and other "less important" traffic?

Thanks again,

Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents