[176784] in North American Network Operators' Group
Re: Cisco AnyConnect speed woes!
daemon@ATHENA.MIT.EDU (James Michael Keller)
Thu Dec 11 15:57:04 2014
X-Original-To: nanog@nanog.org
Date: Thu, 11 Dec 2014 15:55:09 -0500
From: James Michael Keller <jmkeller@houseofzen.org>
To: nanog@nanog.org
In-Reply-To: <CAJdNregeB5ANE-HVf7gYLX_i8jdpa7fb7GuZnkZwBLb4rhsS1A@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
On 12/09/2014 02:42 PM, Zachary McGibbon wrote:
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup. Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN. We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
> - We have tested changing MTU values
> - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
> L2TP) with similar results
> - We have switched our active/standby boxes
> - We have tested on our spare 5545x box
> - We connected our spare box directly to our ISP with another IP address
> - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
> IPS (HP Tipping Point)
> - We have bypassed our Shaper and our IPS
> - We made sure that traffic from the routers talking to our ASAs is
> synchronous, OSPF was configured to load balance but this has been changed
> by changing the costs on the links to the ASAs
> - We have verified with our two ISPs that they are not doing any kind of
> filtering or shaping
> - We have noticed that in some instances, if a user is on a low
> speed connection, their VPN speed gets cut by about 1/3. This doesn't
> seem normal that the VPN would use this much overhead
> - We do not have the issue when connecting to VPN directly on our own
> network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary
What OS builds? At one point the code had an 8-packet hard-coded
window per TCP flow, which capped SSL-over-TCP window size to about
5 Mbps depending on RTT. Recent 8 branches raised this to something
more reasonable that capped around 20 Mbps. DTLS over UDP and IPsec
tunnels did not have this issue.
--
-James
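The ceiling James describes follows from the bandwidth-delay product: a sender that can never have more than a fixed window in flight moves at most one window per round trip, so the rate falls as RTT grows no matter how fast the links are. The Python below is an added illustration of that arithmetic, not code from the thread or from any Cisco product; the 1400-byte payload per packet and the sample RTTs are assumptions chosen for the example.

```python
"""Throughput ceiling of a fixed per-flow TCP window as a function of RTT.

Added illustration only; not part of the NANOG thread. Assumed values:
1400 bytes of payload per packet (a plausible MSS once tunnel overhead
is subtracted) and a handful of sample round-trip times.
"""
import math

BITS_PER_BYTE = 8
ASSUMED_MSS = 1400  # assumption: payload bytes per packet


def window_bytes(packets: int, mss_bytes: int = ASSUMED_MSS) -> int:
    """Bytes in flight for a window of `packets` full-size segments."""
    return packets * mss_bytes


def max_throughput_mbps(window: int, rtt_ms: float) -> float:
    """Best-case rate for a sender limited to `window` bytes per RTT.

    At most one window of data is acknowledged per round trip, so
    throughput <= window / RTT regardless of link capacity.
    """
    rtt_s = rtt_ms / 1000.0
    return window * BITS_PER_BYTE / rtt_s / 1e6


def window_for_rate(target_mbps: float, rtt_ms: float,
                    mss_bytes: int = ASSUMED_MSS) -> int:
    """Smallest whole-packet window that sustains `target_mbps` at `rtt_ms`
    (the bandwidth-delay product, rounded up to whole packets)."""
    needed_bytes = target_mbps * 1e6 * (rtt_ms / 1000.0) / BITS_PER_BYTE
    return math.ceil(needed_bytes / mss_bytes)


def ceiling_table(packets: int, rtts_ms, mss_bytes: int = ASSUMED_MSS) -> dict:
    """Map each RTT to the rate ceiling (Mbps, 2 dp) for a fixed window."""
    w = window_bytes(packets, mss_bytes)
    return {rtt: round(max_throughput_mbps(w, rtt), 2) for rtt in rtts_ms}


if __name__ == "__main__":
    sample_rtts = [10, 20, 50, 100]  # constructed sample RTTs in ms
    print("8-packet window ceiling by RTT (Mbps):", ceiling_table(8, sample_rtts))
    print("packets needed for 20 Mbps at 20 ms RTT:", window_for_rate(20, 20))
```

With the assumed 1400-byte payload an 8-packet window is 11200 bytes, which is about 4.5 Mbps at 20 ms RTT and under 1 Mbps at 100 ms, consistent with the "about 5 Mbps depending on RTT" figure; sustaining 20 Mbps at 20 ms needs roughly 36 packets in flight. Because the cap is per flow, a single-stream speed test shows it most clearly, while the UDP-based DTLS and IPsec tunnels mentioned above are not subject to this window at all.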