[176680] in North American Network Operators' Group

Re: Cisco AnyConnect speed woes!

daemon@ATHENA.MIT.EDU (Zachary McGibbon)
Tue Dec 9 15:20:09 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <244fd40df6074e58b55631b179929227@pur-vm-exch13n1.ox.com>
Date: Tue, 9 Dec 2014 15:17:50 -0500
From: Zachary McGibbon <zachary.mcgibbon+nanog@gmail.com>
To: Matthew Huff <mhuff@ox.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

We are trying to use SSLVPN (udp 443) and results are really all over the
place.  Most of our complaints are users connecting on Teksavvy; however, we
haven't been able to reach anyone in their network team to find out if they
are doing any filtering or shaping on their side.

We don't have a lot of traffic coming through Cogent; most of the users are
local here in Montreal on either Bell or Videotron and they traverse
through the QIX (www.qix.ca).

On Tue, Dec 9, 2014 at 3:03 PM, Matthew Huff <mhuff@ox.com> wrote:

> Are you using SSLVpn or IPSEC with anyconnect? I have had more luck with
> performance with IPSEC than SSLVpn.
>
> Also, just because your ISP is saying that they aren't shaping/filtering,
> doesn't mean they aren't.
>
> We had major issues with users using AnyConnect when it was traversing
> Cogent. We were getting 5-10% packet loss (although the Cisco stats didn't
> show it), and it was choking on it.
>
> ----
> Matthew Huff             | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC       | Phone: 914-460-4039
> aim: matthewbhuff        | Fax:   914-694-5669
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Zachary McGibbon
> Sent: Tuesday, December 9, 2014 2:42 PM
> To: NANOG
> Subject: Cisco AnyConnect speed woes!
>
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN.  We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
>    - We have tested changing MTU values
>    - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
>    L2TP) with similar results
>    - We have switched our active/standby boxes
>    - We have tested on our spare 5545x box
>    - We connected our spare box directly to our ISP with another IP address
>    - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
>    IPS (HP Tipping Point)
>    - We have bypassed our Shaper and our IPS
>    - We made sure that traffic from the routers talking to our ASAs is
>    synchronous, OSPF was configured to load balance but this has been
>    changed by changing the costs on the links to the ASAs
>    - We have verified with our two ISPs that they are not doing any kind of
>    filtering or shaping
>    - We have noticed that in some instances, if a user is on a low
>    speed connection, their VPN speed gets cut by about 1/3.  This
>    doesn't seem normal that the VPN would use this much overhead
>    - We do not have the issue when connecting to VPN directly on our own
>    network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary
>
