Performance: Anyconnect vs. IPSEC

Darthkim_2
Level 1

Currently running a pair of 5520s as VPN routers, running 8.0.3; we have been using only Anyconnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.

However, recently we tried testing some IPSEC clients and are realizing that the Anyconnect SSL VPN clients are about 10x slower than the IPSEC client.

From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect I pull 0.1mbps.

Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?

Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.

21 Replies

Try show vpn-ses svc

It seems that the command with show vpn-sess anyconnect is new since 8.4.x (which I use).

Otherwise in ASDM you can also see it under Monitoring -> VPN -> VPN Statistics -> Sessions; there select Anyconnect Client. Under Protocol Encryption should be written either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".

Dan Schauss
Level 1

Scheduling a Change to the firewall with our customer in the next few days.  Will post the speed results.

Dan Schauss
Level 1

Success!

The SSL AnyConnect client is not the limiting factor (given a fairly new PC running Win 7); circuit speed and the communication protocol (TLS vs DTLS) are.

Since the target SSL firewall sits behind an 'outside' firewall I had to add both an inbound and outbound rule for udp 443 on the 'outside' firewall.  Now users are connecting as DTLS.  Also, DTLS is enabled by default in the DfltGrpPolicy on the ASA.

Here are the Speed test results:

at 6:20am

Without SSL:

   Download: 50 Meg

   Upload: 4.9 Meg

With SSL, TLS:

   Download: 8.2 Meg

   Upload: 3.8 Meg

With SSL, DTLS:

   Download: 47.8 Meg

   Upload: 4.8 Meg

Thanks

Hello,

We migrated recently from IPSec to Anyconnect and I have exactly the same issue with our 100Mbps internet line:

We have ASA 5520 with IOS 8.4 (4) 9 and anyconnect client version 3.1.04059

- Test without SSL Anyconnect: 90Mbps
- Test with IPsec client: 85Mbps
- Test with Anyconnect SSL: 35Mbps

I tested a lot of different configs (without compression, TLS, DTLS) but still have the same issue. I used Wireshark to see if my PC that connects by Anyconnect to our ASA uses DTLS, and it is the case. As our ASA is behind another FW, to be sure I also, for testing, opened any to any to our ASA on our FW, so it should not stop using DTLS, but I only see SSL connections in my FW log.

So does anyone else have another suggestion or solution?

Thanks for your feedback

Dan Schauss
Level 1

Bel,  

So you added both an inbound and outbound rule for udp 443 on the 'outside' firewall. Not until I added the UDP rule did the Anyconnect client connect with DTLS.  You can verify how the AnyConnect user is connecting to the firewall using ASDM, you should see DTLS:

     Monitoring -> VPN -> VPN Statistics -> Sessions and there select Anyconnect Client. Under Protocol Encryption should be written either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".
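The same check that the two replies above describe in ASDM can be done against the CLI output of `show vpn-sessiondb` (which `show vpn-ses svc` abbreviates). The following is an added Python example, not code from this thread or from Cisco, that parses a constructed sample approximating the `show vpn-sessiondb anyconnect` layout and lists sessions that came up as SSL-Tunnel only, with no DTLS-Tunnel, which in this thread pointed at UDP 443 not reaching the ASA. The sample's exact field set and spacing are an assumption about the ASA output format.

```python
import re

# Constructed sample, not captured from a real ASA: it approximates the two-column
# "Name : value" layout of `show vpn-sessiondb anyconnect`; field set and spacing
# on a given ASA release are an assumption.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 12
Assigned IP  : 10.10.0.5              Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel

Username     : bob                    Index        : 13
Assigned IP  : 10.10.0.6              Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
"""

# A row holds one or two cells, separated by a run of spaces before the next "Name :" label.
CELL_SPLIT = re.compile(r"\s{2,}(?=[^\s:][^:]*:)")
CELL = re.compile(r"([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_sessions(text):
    """Return one dict per session, keyed by the field names in the output."""
    sessions, cur = [], None
    for line in text.splitlines():
        for cell in CELL_SPLIT.split(line.strip()):
            m = CELL.match(cell)
            if not m:
                continue
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Username":  # a new session block starts here
                cur = {"Username": val}
                sessions.append(cur)
            elif cur is not None:
                cur[key] = val
    return sessions

def classify(session):
    """'DTLS' when a DTLS-Tunnel came up (UDP 443 reached the ASA); 'TLS-only'
    when the client fell back to the TCP TLS tunnel alone, the slow path here."""
    tunnels = session.get("Protocol", "").split()
    if "DTLS-Tunnel" in tunnels:
        return "DTLS"
    return "TLS-only" if "SSL-Tunnel" in tunnels else "unknown"

def tls_only_sessions(text):
    """(username, public IP) for every session that has no DTLS tunnel."""
    return [(s["Username"], s.get("Public IP", "?"))
            for s in parse_sessions(text) if classify(s) == "TLS-only"]
```

Feed it the real command output instead of SAMPLE_OUTPUT; every user it lists is a candidate for the UDP 443 rule on the outside firewall.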

Yes, we have a stateful FW and, as I said in my previous post, I put any to any and can see in the logs that UDP 443 is used for my connection; in addition I sniffed the ASA inbound interface and can see DTLS as the encryption.

ASDM Monitoring -> VPN -> VPN Statistics -> Sessions also shows DTLS used for my connection...

But I still have the same issue.

What is strange is that up to a 25 or 30 Mbps internet line I see very little difference between IPsec/SSL Anyconnect and no VPN; as soon as I use our 100Mbps line, or my home 60Mbps line, I get less than 40% of the bandwidth.

Thanks for your help on that.

Bel

Hello,

Is there someone to help me with that? Maybe someone from Cisco?

Thanks
