https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773008#M1097664 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1102856">@DaveNoonan26775</a> split tunneling was going to be my first suggestion.</P> <P>Is the FPR2120 doing other services that could be consuming the CPU? Or is this a dedicated VPN concentrator?</P> <P>The other suggestion is check the tunnel protocol which use lower overhead - DTLS 1.2.</P> <P>Have you seen this AnyConnect performance guide? <A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html</A></P> <P>&nbsp;</P> Fri, 10 Feb 2023 20:25:07 GMT Rob Ingram 2023-02-10T20:25:07Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773000#M1097663 <P>We have an ASA, actually an FPR-2120 running ASA code 9.14(2)4, terminating AnyConnect VPN.&nbsp; During an&nbsp;online all-hands meeting this device has previously gone to 90+%&nbsp; CPU and stayed there for the duration of the meeting which made it unusable for call center folks who were still working during the meeting.</P><P>I expect the first suggestion to be split-tunneling and we do have that in place for the meeting provider. However, it was in place during the last meeting (minus two subnets) and the CPU still maxed out. I find it doubtful that we happened to have a LOT of traffic on those two subnets.</P><P>Bigger firewalls are on order but not due till after the next meeting so I'm looking for any other options that might be available as a stop gap.</P><P>Thank you</P><P>&nbsp;</P> Fri, 10 Feb 2023 19:33:01 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773000#M1097663 DaveNoonan26775 2023-02-10T19:33:01Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773008#M1097664 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1102856">@DaveNoonan26775</a> split tunneling was going to be my first suggestion.</P> <P>Is the FPR2120 doing other services that could be consuming the CPU? Or is this a dedicated VPN concentrator?</P> <P>The other suggestion is check the tunnel protocol which use lower overhead - DTLS 1.2.</P> <P>Have you seen this AnyConnect performance guide? <A href="https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html</A></P> <P>&nbsp;</P> Fri, 10 Feb 2023 20:25:07 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773008#M1097664 Rob Ingram 2023-02-10T20:25:07Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773031#M1097666 <P>It's a dedicated AnyConnect box.&nbsp;</P><P>I'll check the link and the protocol, Thanks for those suggestions.</P><P>&nbsp;</P> Fri, 10 Feb 2023 21:29:21 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773031#M1097666 DaveNoonan26775 2023-02-10T21:29:21Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773034#M1097667 <P>Related question, the firewall is an HA pair so how much effort would be involved in moving it to active/active for VPN?<BR /><BR />I haven't made that change before and it just occurred to me so I'm off to the search engines but thought someone else might have experience with it.</P> Fri, 10 Feb 2023 21:31:55 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773034#M1097667 DaveNoonan26775 2023-02-10T21:31:55Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773051#M1097668 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1102856">@DaveNoonan26775</a>&nbsp;in that case consider reconfiguring the 2 ASAs using VPN load balancer. That will distribute the load evenly over the 2 devices.</P> <P><A href="https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/" target="_blank">https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/</A></P> <P>&nbsp;</P> Fri, 10 Feb 2023 21:45:26 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773051#M1097668 Rob Ingram 2023-02-10T21:45:26Z https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773058#M1097669 <P>I was just on that site reading their active/active article and I had also bumped into VPN load-balancing which I'd forgotten about.&nbsp; The joys of being a geek-of-all-trades, you do things and then forget how you did them or that you did them at all.&nbsp; I've learned to make notes.<BR /><BR />Thank you, Rob.&nbsp; I think vpn load-balancing is going to my answer.</P> Fri, 10 Feb 2023 21:48:57 GMT https://community.cisco.com/t5/network-security/reduce-cpu-usage-for-anyconnect-during-online-all-employee/m-p/4773058#M1097669 DaveNoonan26775 2023-02-10T21:48:57Z