Cisco Support Community

New Member

Degraded VPN Experience

We are having a strange problem that I can't seem to diagnose with our VPN deployment. We currently have two different firewalls serving two different functions. One is our perimeter firewall that controls ingress and egress traffic to our corporate network, and the other firewall is used for VPN (Anyconnect). Within our corporate network we default route out through our perimeter firewall. All web traffic is picked up via WCCP and redirected to our IRONPORT WSA server. This is done by a router prior to reaching our corporate firewall.

All inbound Anyconnect sessions are tunneled (default route tunneling on ASA) to the router adjacent to the ASA used for VPN. This router picks up any outbound (towards the Internet) traffic on port 443 or 80 and redirects it via WCCP to IRONPORT. The problem I see (and many others) is that the speed once connected to VPN is extremely degraded. Speedtests out to the Internet show roughly 2Mbps even when your slowest circuit is 50Mbps. For example, when I'm not on VPN and go through a speed test, I get somewhere around 50Mb download. When I'm on the corporate LAN and go through a speedtest, our circuit is 100Mbps, so I get around 95-100Mbps as you would expect. However, when I'm at home and I connect to VPN using my 50Mbps connection, my speedtest drops from 50 to around 1-2Mbps. No good!

It is important to note that I have taken WCCP and IRONPORT out of the equation and I maintain the same horrible speeds. I have checked errors on interfaces, I have captured via Wireshark, and I have googled, but nothing really points me to anything definitive. It is also important to note that my VPN connection comes in on one ASA, but leaves the network on a different ASA. The reply traffic returns via the perimeter firewall, then returns to me on the VPN firewall. Any thoughts or clues on what could be causing this problem?
