We are testing Cisco SSL VPN on the brand new 2821 running IOS Advanced IP Services version 15.1(2)T. AnyConnect client is 2.5.0217, and the group policy is configured for the Full Tunnel option. Everything seems to be working fine on Windows; however, there is an issue on Mac OS X. After establishing a secure connection, AnyConnect sporadically stops passing any traffic to the remote site. It happens when users try to establish a remote desktop connection to internal servers or browse corporate network shares. Next, after waiting for 5 minutes (default value for DPD), the router removes the non-responding peer, AnyConnect automatically re-establishes the connections, and the whole cycle starts again. Strangely enough, AnyConnect stays connected and continues to pass traffic if users don't attempt to connect to any remote resources (we tested by pinging corporate servers).
Debugging for webvpn “tunnel events” and “tunnel errors” is on, but there is no difference in messages that we receive from Windows or Mac clients.
Are there any known issues with the latest version of AnyConnect for Mac OS X that would cause instability like that described above?
Every remote user is affected. We discovered that Windows clients are unstable as well. Two days ago I was able to connect and work remotely through SSL VPN for several hours, but most of the time it stops passing traffic and freezes local applications connected to remote resources within the first 5 minutes. We use IPSec VPN on the same router as a backup, and clients have no problem maintaining remote connections for hours. I don't think that the issue is related to the WAN connection, otherwise IPSec VPN would not work as well.
I had a TAC case open for over 5 months and 4 technicians working on it to no avail. During my own troubleshooting and testing, I discovered that ISR routers have real performance issues with SSL VPN. In my lab I had two servers connected directly to the router (eth0 and eth1) and transferring a 900 MB file through FTP. Below are my results (please note that the speed is in Megabytes per second, exactly as it is displayed in the FileZilla window):
Copying directly with no VPN – 21.1 MBps
IPSec VPN with AIM0 enabled – 11.5 MBps
IPSec VPN with AIM0 disabled, but onboard enabled – 4.5 MBps
IPSec VPN with software only encryption – 1.8 MBps
SSL VPN with AIM0 enabled – 1.7 MBps
SSL VPN with onboard acceleration – 1.0 MBps
SSL VPN with software only encryption – 1.0 MBps
Cisco couldn't provide any solution, so we upgraded our existing SonicWall firewall.
Well, that's discouraging. My issue is connection reliability. If I saturate the SSL VPN pipe it literally just stops transferring data. Never disconnects but just hangs. Also, when I do manage to pass a steady stream of data I experience high latency. Even when connected directly to the outside interface. Maybe I should have gone with an ASA. Btw, which SonicWall are you running?
There are other known issues using AnyConnect with ISR routers. I think you can make the tunnel stable by enabling QoS and limiting its bandwidth to 8-10 Mbps. However, in our case we have DS3 with an option to upgrade to 100Mbps in the near future, so limiting the bandwidth doesn't make sense. Cisco ISRs are designed for very small deployments; in all other cases you should go with ASA. I've learned it the hard way. Our SonicWall is NSA 3500.