Cisco ASA vpn tunnel performance problems

acleri
Level 1

Hi,

We have 2x ASA5520 in failover running version 8.3.1.

We configured the SSL VPN client connections; once connected, the clients use the ASA's Internet connection (no split tunneling).

The problem is that even though we have a 5 Mbps ISP connection, the clients are not able to download at more than 0.5 Mbps.

We tried some tuning of the SSL VPN client configuration (no compression, MTU size, no DTLS), we upgraded the AnyConnect client to the latest 2.5.1025, and we use 8.3.1 as the ASA image.

We also tried the IPsec client, but with the same results, so it seems to be a limitation of the ASA itself.

Does anyone know if there are any limits with this configuration?

Thank you.

7 Replies

Jitendriya Athavale
Cisco Employee

Is the issue only with VPN clients, or with internal users as well?

What speed do internal users get compared to VPN client users?

Also, please paste the configuration of your ASA if possible.

The problem is only related to VPN clients; internal clients are downloading correctly.

Unfortunately, at the moment I can't upload the configuration, but I don't have any protocol inspection, QoS, or IP audit activated.

Do you have an idea why this happens?

Hey,

Does the ASA have a 5Mbps link or is it the internet connection of the clients that is 5Mbps?

Regards,

Prapanch

Hey,

The ASA is connected to a Cisco gigabit switch; 5 Mbps is the ISP connection.

Try having them download a local document (something on your network) as opposed to going out to the net and see if there's a difference. Try to narrow down if it's local to your network or something when trying to access the intrawebs.

So the ASA's Internet connection is 5 Mbps. What about the VPN client's Internet connection?

Regards,

Prapanch

The VPN client connection is around 5 to 20 Mbps.

This is the configuration of my lab ASA, which has the same problem:

ASA Version 8.2(3)
!
hostname asa5510
domain-name test.labo
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group xxx
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.145.140.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.2.3 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.145.140.200
domain-name nxo.labo
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service rdp tcp
port-object eq 3389
object-group service ftp tcp
port-object eq ftp
object-group service RDP-tcp5900 tcp
port-object eq 5900
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service tftp_cisco tcp-udp
description tftp_cisco
port-object eq 150
object-group service skinny tcp
port-object eq 2000
object-group service tcp_2443 tcp
port-object eq 2443
object-group service tcp_3804 tcp
port-object eq 3804
object-group service tcp_5061 tcp
port-object eq 5061
object-group service udp_real_time udp
port-object range 1024 65535
object-group service tftp_150 udp
port-object eq 150
object-group service tcp_8443 tcp
port-object eq 8443
access-list inside_access_in extended permit ip any any log debugging
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip 1.1.1.0 255.255.255.240 any log
access-list outside_access_in extended permit tcp any host x.x.x.x object-group RDP
access-list outside_access_in extended permit tcp any host x.x.x.x object-group RDP log warnings
access-list outside_access_in extended permit tcp host x.x.x.x host x.x.x.x object-group ftp log warnings
access-list outside_access_in extended permit tcp host x.x.x.x host x.x.x.x object-group tcp_8443 log
access-list outside_access_in extended permit icmp any any log warnings
access-list outside_access_in extended permit ip pippo 255.255.255.0 10.145.140.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list test-ospedale_splitTunnelAcl standard permit host 192.168.1.10
access-list outside_nat0_outbound extended permit ip 10.145.140.0 255.255.255.0 Home_Gabriel 255.255.255.0
access-list outside_nat0_outbound_1 extended permit ip 10.145.140.0 255.255.255.0 Home_Gabriel 255.255.255.0
access-list outside_nat0_outbound_2 extended permit ip 10.145.140.0 255.255.255.0 any
access-list Ospedale_splitTunnelAcl standard permit Home_Gabriel 255.255.255.0
access-list DMZ1_access_in extended permit ip any any
access-list DMZ1_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.145.140.0 255.255.255.0 1.1.1.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 1.1.1.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.145.140.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list RAS-IPSEC_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.145.140.0 255.255.255.0 1.1.1.0 255.255.255.240
access-list dmz_nat0_outbound extended permit ip any 1.1.1.0 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list IPHONE_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list IPHONE_splitTunnelAcl_1 standard permit 10.145.140.0 255.255.255.0
access-list RAS-IPSEC-NXO_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list IPSEC-NXO_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list dap extended deny ip 1.1.1.0 255.255.255.240 host 10.145.140.200
access-list dmz_access_in extended permit ip host xxxx any
access-list dmz_access_in extended permit icmp any any echo-reply
access-list ipsec-nxo_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
access-list iphone_splitTunnelAcl standard permit 10.145.140.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list test message 101001
logging buffered debugging
logging asdm debugging
logging mail emergencies
logging from-address asa@nxo.labo
flow-export destination inside 10.145.140.200 9996
mtu outside 1492
mtu inside 1500
mtu dmz 1500
ip local pool Pool-Any-connect-clients 10.145.140.220-10.145.140.230 mask 255.255.255.0
ip local pool pool-ras-vpn 1.1.1.1-1.1.1.10 mask 255.255.255.0
ip audit info action
ip audit attack action
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (outside) 101 1.1.1.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.145.140.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 101 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 10.145.140.200 3389 netmask 255.255.255.255
static (dmz,outside) x.x.x.x test netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Accesso negato da DAP"
dynamic-access-policy-record DAP-NOT-SECURE
user-message "Accesso AUTORIZZATO come NON-SECURE"
network-acl dap
priority 10
dynamic-access-policy-record DAP-SECURE
user-message "Accesso autorizzato come SECURE"
priority 5
dynamic-access-policy-record Iphone
user-message "Abilitato come IPHONE"
priority 20
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.128 outside
snmp-server host inside 10.145.140.200 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa5510
keypair AnyConnect
crl configure
crypto ca server
issuer-name cn=asa5510
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    308201fd 30820166 a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    12311030 0e060355 04031307 61736135 35313030 1e170d31 30303831 37303930
    3331325a 170d3133 30383136 30393033 31325a30 12311030 0e060355 04031307
    61736135 35313030 819f300d 06092a86 4886f70d 01010105 0003818d 00308189
    02818100 c1b7229e e8a6c79f 1819090a 696850cd 6c2cb69e 673a5412 264c41e7
    89cd23e5 ae15fbdb 8c3f250d e4dbaed9 8bc3153f 7b08df43 f23c2e69 bb30a2d0
    4119a38b 05408f98 3bdd742b c9ef1948 3cc7c139 b8e5be20 d02d8084 a802a175
    18e32c3a 9aa804b9 dff08019 cb304f8e 68ab1d89 50f547da b9d9452b 0e768335
    988431e7 02030100 01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e
    0603551d 0f0101ff 04040302 0186301f 0603551d 23041830 16801489 0805e065
    d2c10288 6d635957 8426eab5 c55ff930 1d060355 1d0e0416 04148908 05e065d2
    c102886d 63595784 26eab5c5 5ff9300d 06092a86 4886f70d 01010405 00038181
    00b08ef4 087dec4a 96558ac9 7c6a8bc6 91b6ce5a 6cc44f84 33b29267 4252c253
    5eb45f1c 3215489d c8e062f7 8d430149 36a3a203 e76a98b4 aa489505 6558fd82
    da073731 062b8069 16f4329b 2216812d 6b2463b4 84ad8ea7 eaee003d 10464a16
    3cd02943 4fb37438 473f7493 95bb7667 661a7c8f 50319b10 b51e4c8e c00181c4 78
  quit
crypto ca certificate chain ASDM_TrustPoint0
certificate b3506a4c
    308201cb 30820134 a0030201 020204b3 506a4c30 0d06092a 864886f7 0d010104
    0500302a 3110300e 06035504 03130761 73613535 31303116 30140609 2a864886
    f70d0109 02160761 73613535 3130301e 170d3130 30383137 30393034 35315a17
    0d323030 38313430 39303435 315a302a 3110300e 06035504 03130761 73613535
    31303116 30140609 2a864886 f70d0109 02160761 73613535 31303081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 81810098 d9de0957 dff86ebf
    73609115 cc51e7d9 892b39a6 56fb7f4e 26e8f309 47ba00f4 d90dc81e 2606827a
    47edc204 702e22f9 aa8ef4cc a051ad0b 3989ac7c ad512e92 1cdedb07 b3562953
    9d2b3659 a5cee4f6 8ea5c797 10719c64 d39fd6b7 2b12028c b2a46e3b 20e3d495
    ae88306b d5b17c54 c038c186 a1106dd8 f9b8ae5c b2dead02 03010001 300d0609
    2a864886 f70d0101 04050003 8181007e 34a859f9 fb74ff92 df7e803a 4e9c0a0f
    c302fe76 22b38001 507d3a70 850214d3 d47b4ea5 bdfa4aac 0819df7d a46d1706
    90421412 19dab4bc 18bc79fa 07c1909c b3af9d9a 457c9301 2b34723c 5ac1e1ce
    70a9e195 ccdfb349 43651bbf 11c8fe3b 4d4fc4da 77912169 19f08a76 e35f9ded
    47a402a8 50ba91d9 d0cb33bc 263981
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 194.230.70.60 255.255.255.255 outside
ssh 217.26.32.0 255.255.255.128 outside
ssh timeout 30
console timeout 0
vpdn group xxxx request dialout pppoe
vpdn group xxxx localname 1111@pippo.ch
vpdn group xxxx ppp authentication chap
vpdn username 1111@pippo.ch password *****
dhcpd option 150 ip 10.145.140.190
!
dhcpd address 10.145.140.10-10.145.140.20 inside
dhcpd dns 4.4.4.4 8.8.8.8 interface inside
dhcpd option 150 ip 10.145.140.190 interface inside
dhcpd enable inside
!
ntp server 129.132.2.21 source outside prefer
webvpn
enable outside
csd image disk0:/csd_3.5.1077-k9.pkg
svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 2
svc enable
port-forward test_smtp 2300 10.145.140.200 smtp test smtp
tunnel-group-list enable
smart-tunnel list Wordpad Outlook "C:\Program Files\Outlook Express\msimn.exe" platform windows
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.145.140.200 195.186.1.110
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
wins-server value 3.3.3.3
dns-server value 8.8.8.8 4.4.4.4
vpn-tunnel-protocol l2tp-ipsec
webvpn
  svc ask none default webvpn
group-policy iphone internal
group-policy iphone attributes
dns-server value 195.186.1.110
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value iphone_splitTunnelAcl
group-policy ANYCONNECT-NXO internal
group-policy ANYCONNECT-NXO attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
split-tunnel-network-list value RAS-IPSEC_splitTunnelAcl
address-pools value pool-ras-vpn
webvpn
  svc mtu 1200
  svc compression none
  svc df-bit-ignore enable
  svc routing-filtering-ignore enable
group-policy PORTAL-NXO internal
group-policy PORTAL-NXO attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value CSE-Bookmarks
  port-forward enable test_smtp
  smart-tunnel enable Wordpad
group-policy client-anyconnect internal
username acle password YFeX2mne2ZeypCOc encrypted
username admin password z7q1t//z1Znaaaze encrypted privilege 15
username admin attributes
service-type admin
webvpn
  customization value DfltCustomization
username iphone password fOIfF8Cu5/uc66Uy0FRq1g== nt-encrypted
username nextiraone password JmEZMaUV4hjr2yq9 encrypted
username b-source password qjDU0KqgYEmzDsb9 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool pool-ras-vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool pool-ras-vpn
tunnel-group iphone type remote-access
tunnel-group iphone general-attributes
address-pool pool-ras-vpn
default-group-policy iphone
tunnel-group iphone ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 15 retry 2
tunnel-group PORTAL-NXO type remote-access
tunnel-group PORTAL-NXO general-attributes
default-group-policy PORTAL-NXO
tunnel-group PORTAL-NXO webvpn-attributes
group-url https://1.1.1.1/portal enable
group-url https://pippo.ch/portal enable
tunnel-group ANYCONNECT-NXO type remote-access
tunnel-group ANYCONNECT-NXO general-attributes
default-group-policy ANYCONNECT-NXO
tunnel-group ANYCONNECT-NXO webvpn-attributes
group-url https://1.1.1.1/anyconnect enable
group-url https://cse.comsulta.ch/anyconnect enable
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect ftp NO_GET
parameters
  mask-banner
  mask-syst-reply
match request-command get
  reset log
policy-map global-policy
class global-class
  inspect xdmcp
  inspect icmp error
class class-default
  flow-export event-type all destination 10.145.140.200
!
service-policy global-policy global
smtp-server 1.1.1.1
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
privilege cmd level 5 mode route-map command set
privilege cmd level 5 mode mpf-policy-map-class command set
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:54e5dfcf97e62726dfc1fdc97be7cac7
: end
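Added example (not from this thread, not Cisco code, and not the poster's own configuration): a small Python script that pulls the AnyConnect-relevant settings out of a flattened ASA 8.x running-config like the one above and reports the settings that decide where full-tunnel client traffic goes and what bounds it. It assumes the indentation-free "show run" layout seen in the post, so `group-policy X attributes` blocks are closed by the next top-level command rather than by indentation; the sample config embedded in it is constructed from the lab config above with a placeholder password, and the note that DTLS is on by default when `svc dtls` is absent is an assumption, flagged as such in the code.

```python
"""Pull AnyConnect-relevant settings out of a flattened ASA 8.x running-config
and flag the ones that bound full-tunnel (tunnelall) client throughput.
Added example for this thread; not Cisco code and not the poster's config."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the lab config in the post (password is a
# placeholder). Indentation is deliberately inconsistent, as in a pasted dump.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
mtu outside 1492
nat (outside) 101 1.1.1.0 255.255.255.240
webvpn
enable outside
svc enable
group-policy ANYCONNECT-NXO internal
group-policy ANYCONNECT-NXO attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
split-tunnel-network-list value RAS-IPSEC_splitTunnelAcl
address-pools value pool-ras-vpn
webvpn
  svc mtu 1200
  svc compression none
group-policy PORTAL-NXO internal
group-policy PORTAL-NXO attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value CSE-Bookmarks
username admin password PLACEHOLDER encrypted privilege 15
"""

# Top-level commands that terminate a 'group-policy X attributes' block once
# the indentation that normally delimits it has been lost in the paste.
_BLOCK_END = re.compile(r"^(group-policy|username|tunnel-group|class-map|policy-map|"
                        r"service-policy|access-list|crypto|prompt|call-home)\b")
# Per-policy attributes we record, matched on their leading tokens.
_ATTRS = ("vpn-tunnel-protocol", "split-tunnel-policy", "split-tunnel-network-list",
          "address-pools", "svc mtu", "svc compression", "svc dtls", "svc keepalive")


@dataclass
class GlobalSettings:
    interface_mtu: Dict[str, int] = field(default_factory=dict)
    hairpin: bool = False           # same-security-traffic permit intra-interface
    pool_nat_outside: bool = False  # a 'nat (outside) ...' entry for the VPN pool


def parse_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy: {attribute: value}} for each 'group-policy X attributes' block."""
    policies: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {})
            continue
        if _BLOCK_END.match(line):
            current = None          # a new top-level command closes the block
            continue
        if current is None:
            continue
        for attr in _ATTRS:
            if line == attr or line.startswith(attr + " "):
                value = line[len(attr):].strip()
                if value.startswith("value "):   # 'xxx value NAME' form
                    value = value[len("value "):]
                policies[current][attr] = value
                break
    return policies


def parse_globals(config: str) -> GlobalSettings:
    """Collect the global settings that tunnelall (no split tunnel) clients depend on."""
    g = GlobalSettings()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^mtu (\S+) (\d+)$", line)
        if m:
            g.interface_mtu[m.group(1)] = int(m.group(2))
        elif line == "same-security-traffic permit intra-interface":
            g.hairpin = True
        elif re.match(r"^nat \(outside\) \d+ ", line):
            g.pool_nat_outside = True
    return g


def lint(config: str) -> List[Tuple[str, str]]:
    """Return (policy, 'CODE: explanation') pairs for every AnyConnect (svc) policy."""
    g = parse_globals(config)
    outside_mtu = g.interface_mtu.get("outside")
    findings: List[Tuple[str, str]] = []
    for name, attrs in parse_policies(config).items():
        if "svc" not in attrs.get("vpn-tunnel-protocol", "").split():
            continue  # clientless or IPsec-only policy, not an AnyConnect tunnel
        if attrs.get("split-tunnel-policy") == "tunnelall":
            findings.append((name, "TUNNELALL: client Internet traffic hairpins out the ASA "
                                   "outside link, so downloads are capped by the ASA's own ISP uplink"))
            if not g.hairpin:
                findings.append((name, "NO-HAIRPIN: tunnelall needs "
                                       "'same-security-traffic permit intra-interface'"))
            if not g.pool_nat_outside:
                findings.append((name, "NO-POOL-NAT: no 'nat (outside)' entry translates the VPN pool"))
        mtu = attrs.get("svc mtu")
        if mtu and outside_mtu and int(mtu) < outside_mtu:
            findings.append((name, f"SVC-MTU: tunnel MTU {mtu} is below the outside MTU {outside_mtu}; "
                                   "smaller packets avoid fragmentation at the cost of per-packet overhead"))
        if attrs.get("svc compression") == "none":
            findings.append((name, "NO-COMPRESSION: svc compression is disabled for this policy"))
        if "svc dtls" not in attrs:
            # Assumption: ASA 8.x enables DTLS for AnyConnect when 'svc dtls' is not configured.
            findings.append((name, "DTLS-DEFAULT: 'svc dtls' not set; the platform default applies"))
    return findings


if __name__ == "__main__":
    for policy, finding in lint(SAMPLE_CONFIG):
        print(f"{policy:16} {finding}")
```

Run against the lab config in the post, `lint` reports only the `ANYCONNECT-NXO` policy, since `PORTAL-NXO` is clientless: the `tunnelall` finding is the reason the clients' downloads share the ASA's 5 Mbps uplink at all, and the `NO-HAIRPIN` / `NO-POOL-NAT` checks are the two global settings a full-tunnel deployment silently depends on; the MTU, compression and DTLS lines simply restate the tuning the poster has already applied so that nothing is assumed from memory when comparing the lab box with the production pair.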