I have a client that is attempting to both firewall, and VPN (remote access and site to site) functions on a single 5510 unit. They seem to have problem when the Internet bandwidth becomes congested and the remote access VPN user suffer badly from packet loss. It gets to the point that remote access VPN clients have applications hang on them. While I do expect to have some packet loss and slow down when the Internet connection gets saturated it seems to be more severe on the VPN then the firewall traffic.
The other issue is that the client has a VPN 3000 sitting in parallel with the ASA and they plan to migrate users from it to the ASA but they believe something is wrong with the ASA. The VPN 3000 is connected to the same Internet connection and when the link becomes saturated the remote access users do not experience the same level of packet loss / slow downs / or application hanging on them.
First, did you verify that the ASA you bought could support the amount of users/traffic you have? The VPN users will always experience poorer performance than the internal users. This is because the OS prefers this traffic over VPN. Basically, if the firewall's resources are saturated, it begins limiting resources to "less important" stuff like VPN traffic and administrative connections. The last thing it will quit doind is passing inside to any traffic.
I wouldn't recommend adding the concentrator users until after you resolve the other problem. If you do a "show asp drop" on the ASA, do you see any of the counters going up very quickly (besides the matched deny rule one)? If so, you may have a configuration issue on your network. Also, you should do a "show interface" on the ASA and verify that the interfaces are not getting errors/collions.
Thanks for the reply. Yes the ASA should be to handle the traffic load and amount of VPN users.
It does react the way you stated. Meaning when the link gets saturated it prefers the "firewall" traffic over the VPN traffic. I would think that if the client believes that VPN traffic is of higher priority then firewall traffic then I should be "police" the firewall traffic or implement priority queueing for the VPN traffic.
Have you done either of these and achieved your desired goals?
Also do have any links to docs discussing the ASA preference to passing firewall traffic over VPN and other "less important" traffic?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...