05-23-2010 05:47 PM - edited 02-21-2020 04:39 PM
Currently running a pair of 5520s as VPN routers, running 8.0.3; we've been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.
However, recently we tried testing some IPsec clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPsec client.
From my house, downloading over either CIFS or FTP, I can pull pretty close to 1.0 Mbps, while using AnyConnect I pull 0.1 Mbps.
Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPsec?
Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.
07-10-2013 09:10 AM
Try show vpn-ses svc
It seems that the command show vpn-sess anyconnect is new since 8.4.x (which I use).
Otherwise in ASDM you can also see it under Monitoring -> VPN -> VPN Statistics -> Sessions, and there select AnyConnect Client. Under Protocol Encryption should be written either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".
07-10-2013 10:14 AM
Scheduling a Change to the firewall with our customer in the next few days. Will post the speed results.
07-11-2013 06:59 AM
Success
The SSL AnyConnect client is not the limiting factor (given a fairly new PC running Win 7), circuit speed and the communication protocol (TLS vs DTLS) are.
Since the target SSL firewall sits behind an 'outside' firewall I had to add both an inbound and outbound rule for udp 443 on the 'outside' firewall. Now users are connecting as DTLS. Also, DTLS is enabled by default in the DfltGrpPolicy on the ASA.
Here are the speed test results (at 6:20am):
Without SSL:
Download: 50 Meg
Upload: 4.9 Meg
With SSL, TLS:
Download: 8.2 Meg
Upload: 3.8 Meg
With SSL, DTLS:
Download: 47.8 Meg
Upload: 4.8 Meg
Thanks
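To check the TLS-vs-DTLS point from this post across every connected user rather than one at a time in ASDM, here is an added Python script (not from this thread or from Cisco) that parses `show vpn-sessiondb anyconnect` output and lists sessions whose Protocol line has no DTLS-Tunnel. The session text embedded below is a constructed sample, and its field layout is an assumption modelled on the ASA format.

```python
import re

# Constructed sample of `show vpn-sessiondb anyconnect` output, not real ASA
# output; the field layout is assumed from the ASA format (real output has more fields).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128

Username     : bob                    Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES128
"""

def parse_sessions(text):
    """Return one dict per session: username, public_ip, protocols, dtls."""
    sessions, current = [], None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:  # a new session record starts at each Username line
            current = {"username": m.group(1), "public_ip": None,
                       "protocols": [], "dtls": False}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"Public IP\s*:\s*(\S+)", line)
        if m:
            current["public_ip"] = m.group(1)
        m = re.match(r"Protocol\s*:\s*(.+)", line)
        if m:  # tokens such as SSL-Tunnel and DTLS-Tunnel
            current["protocols"] = m.group(1).split()
            current["dtls"] = "DTLS-Tunnel" in current["protocols"]
    return sessions

def tls_only_users(text):
    """Usernames on the slower TCP/TLS tunnel only. A non-empty list usually
    means UDP 443 is blocked somewhere on the path, as in the post above."""
    return [s["username"] for s in parse_sessions(text) if not s["dtls"]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"{s['username']:<8} {s['public_ip']:<16} "
              f"{'DTLS' if s['dtls'] else 'TLS only'}")
    print("TLS-only sessions:", tls_only_users(SAMPLE_OUTPUT))
```

Feed it the saved output of the command from a real ASA and any user it lists is a candidate for the TLS-only slowdown described above.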
07-22-2013 07:44 AM
Hello,
We migrated recently from IPsec to AnyConnect and I have exactly the same issue with our 100 Mbps internet line:
We have an ASA 5520 with IOS 8.4(4)9 and AnyConnect client version 3.1.04059.
90Mbps
85Mbps
35Mbps
I tested a lot of different configs (without compression, TLS, DTLS) but still have the same issue. I used Wireshark to see if my PC that connects by AnyConnect to our ASA uses DTLS, and it does. As our ASA is behind another FW, to be sure, for testing I also opened any-to-any to our ASA on our FW, so it should not stop using DTLS, but I only see SSL connections in my FW log.
So does anyone else have another suggestion or solution?
Thanks for your feedback
07-22-2013 08:03 AM
Bel,
So you added both an inbound and outbound rule for UDP 443 on the 'outside' firewall? Not until I added the UDP rule did the AnyConnect client connect with DTLS. You can verify how the AnyConnect user is connecting to the firewall using ASDM; you should see DTLS:
Monitoring -> VPN -> VPN Statistics -> Sessions and there select Anyconnect Client. Under Protocol Encryption should be written either "SSL-Tunnel" or "SSL-Tunnel DTLS-Tunnel".
07-22-2013 08:18 AM
Yes, we have a stateful FW and, as I said in my previous post, I put any-to-any and can see in the logs that UDP 443 is used for my connection; in addition I sniffed the ASA inbound interface and can see DTLS as the encryption.
ASDM Monitoring -> VPN -> VPN Statistics -> Sessions also shows DTLS used for my connection...
But I still have the same issue.
What is strange is that up to a 25 or 30 Mbps internet line I see very little difference between IPsec/SSL AnyConnect and no VPN, but as soon as I use our 100 Mbps line, or my 60 Mbps line at home, I get less than 40% of the bandwidth.
Thanks for your help on that.
Bel
08-22-2013 02:53 AM
Hello,
Is there someone who can help me with that? Maybe someone from Cisco?
Thanks