Performance: AnyConnect vs. IPSEC

May 23rd, 2010

Currently running a pair of 5520s as VPN routers, running 8.0.3; we have been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.

However, we recently tried testing some IPSEC clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPSEC client.

From my house, downloading via either CIFS or FTP, I can pull pretty close to 1.0 Mbps, while using AnyConnect I pull 0.1 Mbps.

Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?

Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.

Jennifer Halim Sun, 05/23/2010 - 23:40
  • Cisco Employee

One of the reasons why AnyConnect could be slower than IPSEC is that AnyConnect by default uses TCP/443, while IPSEC uses either the ESP protocol or UDP/4500 if the tunnel goes through a PAT device.

When comparing the TCP and UDP protocols, TCP is a connection-oriented protocol; hence the normal TCP window scaling, retransmission, etc. can slow down file transfer (FTP/CIFS) when compared to UDP.

If you would like to continue using TCP for your AnyConnect connection, you can lower the MSS a little so there is less packet fragmentation. On the ASA, you can configure "sysopt connection tcpmss 1300".

Alternatively, for the AnyConnect connection, you can configure it to use DTLS (UDP/443), which is negotiated first when the AnyConnect client connects; if UDP/443 is blocked, it falls back to TLS (TCP/443). It can be configured as follows:


  dtls port

Here is the command for your reference:

Hope that helps.

Eric Chan Tue, 05/25/2010 - 12:29

I have the same problem with performance on AnyConnect. The user doesn't notice it as much, but on a fast internet connection (20 Mbps up/down) I get about 15/15 Mbps down/up over IPSEC but am getting about 1.8/1.5 Mbps on AnyConnect. On the ASA we are running AnyConnect with DTLS. I have tried upgrading to the latest 8.3.1(4) code and have tried all the different SSL encryption options (AES, AES 256, 3DES, RC4), TLS only, and with DTLS. I see no improvement with AnyConnect tunneling at all with the different settings. I also tried different MTUs on the client, going from 1000, 1100, 1200, 1300 to 1400.

acleri Tue, 09/14/2010 - 06:27

Same problem...

Has anyone found a solution?


Marcin Latosiewicz Tue, 09/14/2010 - 06:59
  • Cisco Employee


DTLS will eliminate some of the shortcomings of TLS, but it's not a one-shot solution for every scenario. Enabling DTLS is not the same as USING DTLS.

If compression is enabled - disable it.

The mentioned MTU problems are indeed a good way to start; much more informative would be for you to tell us how the testing was done, what protocol, etc.

Please gather a packet capture to see if information is dropped or delivered out of order.


slarjun33 Fri, 09/19/2014 - 00:18

Marcin, I have a question here. Please help me with this.


I was doing a Wireshark capture on my local NIC and was trying to connect to the VPN via AnyConnect. I could only see TLSv1 protocol traffic to the destination FW IP, but in the AnyConnect statistics I could see the transport protocol as DTLS.


Cisco AnyConnect Secure Mobility Client 3.1.05152 VPN Statistics Details
(Fri Sep 19 12:15:14 2014)

Transport Information
    Protocol:    DTLS
    Cipher:    RSA_AES_128_SHA1
    Compression:    None
    Proxy Address:    No Proxy


My question here is: if the AnyConnect client is using DTLS, then we should be seeing the DTLS protocol in our capture, correct?


gherbstman Sat, 10/23/2010 - 02:38

One other thought: is the HTTPS traffic being inspected somewhere? Maybe on the client end. We have often found firewall inspection slows down certain traffic. HTTP traffic is often more deeply inspected, whereas IPSEC traffic is not.

Marcin Latosiewicz Sat, 10/23/2010 - 02:47
  • Cisco Employee

True that; we've seen in the past that load balancing/shaping, SSL offloading and similar stuff can impact performance, again something usually quite easily overcome by using DTLS ;-)


patoberli Tue, 04/12/2011 - 08:08
  • Bronze, 100 points or more

Have you found any solution? We also seem to face this issue.

patoberli Wed, 06/08/2011 - 01:20
  • Bronze, 100 points or more

Just discovered that UDP/443 was blocked on our external firewall, thus DTLS was never in use, only TLS (visible in AnyConnect).

Now, with DTLS, the performance is around 6 times higher than it was before, even though around 2-4 times more should still be possible (in theory).

The hunt for more speed continues...

Dan Schauss Wed, 07/10/2013 - 08:19

I'm in a similar boat. Initially installed was an ASA 5510 with 256 MB. AnyConnect performance with a Win 7 PC, at a home with a 50 Meg down and 5 Meg up circuit, was in the low 3-4 Meg. I have since 'upgraded' to an ASA with 1 GB of memory running 8.2.5(44) code and upgraded the AnyConnect package to 3.1.00495. Performance improved to approx. 7 Meg down and 5 Meg up. I used the web site; we're in Raleigh, NC, and tested to servers in the DC area.


From User's home (50 Meg down, 5 Meg up, home Win 7 PC)

Without SSL:
   Download: 51 Meg
   Upload: 4.9 Meg

With SSL, old Fw:
   Download: 3.5 Meg
   Upload: 1.8 Meg

With SSL, new Fw:
   Download: 6.9 Meg
   Upload: 4.2 Meg

The office where the firewall lives has a 100 Meg Metro-E link. Here is a speed test at the office (office PC).

Without SSL:
   Download: 67.7 Meg
   Upload: 88.3 Meg

Also saw this speed test to the 5510 last night at 11:30pm from my home, 10+ Meg down, 1 Meg up (basic internet service) (office laptop):

Without SSL:
   Download: 14 Meg
   Upload: 1 Meg

With SSL, new Fw:
   Download: 7 Meg
   Upload: 1 Meg

Plus, we have a shared SSL VPN box (a Cisco VPN Service Module in a 6500 chassis) (a state of NC shared service).

SSLed from home (10+ Meg down, 1 Meg up)

Without SSL:
   Download: 14 Meg
   Upload: 1 Meg

With SSL, to VPN Service Module:
   Download: 12.5 Meg
   Upload: 1 Meg

SSLed from work to our 'shared' service (a Cisco VPN Service Module in a 6500 chassis) (a state of NC shared service)

100 Meg link at work

Without SSL: Ashburn, VA, 1:20pm
   Download: 92.7 Meg
   Upload: 90.3 Meg

With SSL: Washington DC, 1:40pm
   Download: 18.6 Meg
   Upload: 25.7 Meg
   53 ms delay

With SSL: Ashburn, VA, 1:40pm
   Download: 16.6 Meg
   Upload: 32.5 Meg
   33 ms delay

patoberli Wed, 07/10/2013 - 08:26
  • Bronze, 100 points or more

Was DTLS active while you were connected?

You see that in Anyconnect in the connection statistics.

Dan Schauss Wed, 07/10/2013 - 08:37

Here is a current connection, pulled from ASDM. It appears to be TLS. I was wondering how to determine if the connection was DTLS or TLS. Thanks.

So applying the following will force all connections to DTLS. Is a port necessary, and how do I accommodate it in the Fw config?


  dtls port

SSL-TunnelRC4    Tunnel   ID: 2055.2
Assigned IP
Public IP:
Hashing: SHA1
Encapsulation: TLSv1.0
TCP Src Port 49205
TCP Dst Port 443
Authentication Mode: userPassword
Idle Time Out: 30 Minutes
Idle TO Left: 29 Minutes
Client Type: SSL VPN Client
Client Ver: Cisco AnyConnect VPN Agent for Windows 3.1.00495
Packets Tx: 134019
Packets Rx: 102097
Packets Tx Dropped: 813
Packets Rx Dropped: 0

patoberli Wed, 07/10/2013 - 08:46
  • Bronze, 100 points or more

Just do dtls port 443; that will enable it on port 443, which you probably already have open for web access to download the client. Otherwise you need to open that port.

To check it, use this command:

Result of the command: "sh vpn- any"

Username     : blablabla               Index        : 9918
Assigned IP  :          Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES256 AES256 AES256   Hashing      : SHA1 SHA1 SHA1
Bytes Tx     : 822960622              Bytes Rx     : 43702669
Group Policy : groupname              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:04:06 CEDT Wed Jul 10 2013
Duration     : 7h:40m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none



It will not force the clients to use DTLS, it will only enable it for them to use. The client still has to successfully negotiate it to use it.
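As an added example (not code from the thread or from Cisco), here is a small Python parser for the show vpn-sessiondb output quoted above. It splits the paired "Key : Value" columns per session and reports which users negotiated DTLS-Tunnel and which are stuck on SSL-Tunnel over TCP/443. The sample output, usernames and addresses are constructed, and the assumption that the Encryption/Hashing columns line up one-to-one with the Protocol list follows the quoted output.

```python
import re

# Constructed sample modelled on the "show vpn-sessiondb anyconnect" output
# quoted above; usernames, addresses and counters are made up.
SAMPLE_OUTPUT = """\
Username     : alice                   Index        : 9918
Assigned IP  : 10.10.20.5              Public IP    : 198.51.100.23
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AES256 AES256 AES256   Hashing      : SHA1 SHA1 SHA1
Bytes Tx     : 822960622              Bytes Rx     : 43702669

Username     : bob                     Index        : 9921
Assigned IP  : 10.10.20.9              Public IP    : 203.0.113.77
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : RC4 RC4                Hashing      : SHA1 SHA1
Bytes Tx     : 10245                  Bytes Rx     : 8821
"""

# A line may carry two "Key : Value" pairs side by side; a run of 2+ spaces
# followed by another capitalised key and a colon separates them.
PAIR_SPLIT = re.compile(r"\s{2,}(?=[A-Z][A-Za-z ]*?\s*:)")

def parse_sessions(text):
    """Split the CLI output into one dict of fields per session block."""
    sessions, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last block
        if not line.strip():
            if "Username" in current:
                sessions.append(current)
            current = {}
            continue
        for chunk in PAIR_SPLIT.split(line.strip()):
            key, sep, value = chunk.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return sessions

def tunnel_report(text):
    """Per session: (user, {tunnel: cipher}, True if DTLS-Tunnel was negotiated).
    Assumes Encryption columns line up one-to-one with the Protocol list."""
    report = []
    for s in parse_sessions(text):
        tunnels = s.get("Protocol", "").split()
        ciphers = s.get("Encryption", "").split()
        report.append((s["Username"], dict(zip(tunnels, ciphers)),
                       "DTLS-Tunnel" in tunnels))
    return report

def tls_only_users(text):
    """Users whose data path fell back to SSL-Tunnel over TCP/443 only."""
    return [user for user, _, dtls in tunnel_report(text) if not dtls]
```

Feed it the real output of show vpn-sessiondb anyconnect (or svc on older code) and any user listed by tls_only_users is one whose UDP/443 path is being blocked somewhere.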

Dan Schauss Wed, 07/10/2013 - 08:57

Will do. sh vpn-any doesn't take.

Can't seem to find the same info as from ASDM.  Seeing only one DTLS session below.

dhr-5668-fw# sh v?
  version          vlan    vpdn    vpn

dhr-5668-fw# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers

dhr-5668-fw# sh vpn-sessiondb

Active Session Summary

                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :      23 :       1899 :              64
    Clientless only     :       0 :        301 :               5
    With client         :      23 :       1598 :              60 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       2 :         15 :               3
  IPsec Remote Access   :       0 :          0 :               0
  VPN Load Balancing    :       0 :          0 :               0
  Totals                :      25 :       1914

License Information:
  IPsec   :    250    Configured :    250    Active :      2    Load :   1%
  SSL VPN :    250    Configured :    250    Active :     23    Load :   9%

                            Active : Cumulative : Peak Concurrent
  IPsec               :          2 :         15 :               3
  SSL VPN             :         23 :       1899 :              64
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :         25 :       1914

                      Active : Cumulative : Peak Concurrent
  IKE           :          2 :         15 :               3
  IPsec         :          5 :         64 :               6
  IPsecOverNatT :         10 :        167 :              11
  Clientless    :         23 :       1899 :              64
  SSL-Tunnel    :         23 :       3128 :              60
  DTLS-Tunnel   :          0 :          1 :               1
  Totals        :         63 :       5274

patoberli Wed, 07/10/2013 - 09:10
  • Bronze, 100 points or more

Try show vpn-ses svc

It seems that show vpn-sess anyconnect is a new command since 8.4.x (which I use).

Otherwise, in ASDM you can also see it under Monitoring -> VPN -> VPN Statistics -> Sessions; there select AnyConnect Client. Under Protocol Encryption it should say either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".

Dan Schauss Wed, 07/10/2013 - 10:14

Scheduling a Change to the firewall with our customer in the next few days.  Will post the speed results.

Dan Schauss Thu, 07/11/2013 - 06:59


The SSL AnyConnect client is not the limiting factor (given a fairly new PC running Win 7), circuit speed and the communication protocol (TLS vs DTLS) are.

Since the target SSL firewall sits behind an 'outside' firewall I had to add both an inbound and outbound rule for udp 443 on the 'outside' firewall.  Now users are connecting as DTLS.  Also, DTLS is enabled by default in the DfltGrpPolicy on the ASA.

Here are the speed test results:

at 6:20am

Without SSL:
   Download: 50 Meg
   Upload: 4.9 Meg

With SSL, TLS:
   Download: 8.2 Meg
   Upload: 3.8 Meg

   Download: 47.8 Meg
   Upload: 4.8 Meg


Bel Marsad Mon, 07/22/2013 - 07:44


We migrated recently from IPSec to AnyConnect, and I have exactly the same issue with our 100 Mbps internet line:

We have an ASA 5520 with IOS 8.4(4)9 and AnyConnect client version 3.1.04059

  • Test without SSL AnyConnect:

  • Test with IPsec client:

  • Test with AnyConnect SSL:


I tested a lot of different configs (without compression, TLS, DTLS) but still have the same issue. I used Wireshark to see if my PC that connects by AnyConnect to our ASA uses DTLS, and it is the case. As our ASA is behind another FW, to be sure, for testing I also opened any-to-any on our FW to our ASA, so it should not stop DTLS, but I only see SSL connections in my FW log.

So does anyone else have another suggestion or solution?

Thanks for your feedback

Dan Schauss Mon, 07/22/2013 - 08:03


So, did you add both an inbound and outbound rule for udp 443 on the 'outside' firewall? Not until I added the UDP rule did the AnyConnect client connect with DTLS. You can verify how the AnyConnect user is connecting to the firewall using ASDM; you should see DTLS:

     Monitoring -> VPN -> VPN Statistics -> Sessions; there select AnyConnect Client. Under Protocol Encryption it should say either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".

Bel Marsad Mon, 07/22/2013 - 08:18

Yes, we have a stateful FW, and as I said in my previous post I put any-to-any and can see in the logs that UDP 443 is used for my connection; in addition I sniffed the ASA inbound interface and can see DTLS as the encryption.

In ASDM Monitoring -> VPN -> VPN Statistics -> Sessions I can also see DTLS used for my connection...

But still have same issue.

What is strange is that up to a 25 or 30 Mbps internet line I have very little difference between IPsec/SSL AnyConnect and no VPN; as soon as I use our 100 Mbps line, or my 60 Mbps at home, I get less than 40% of the bandwidth.

Thanks for your help on that.


Bel Marsad Thu, 08/22/2013 - 02:53


Is there someone to help me with that? Maybe someone from Cisco?


