CSR 1000V on AWS SSLVPN very slow

scottramnitz · ‎07-30-2015

I have a CSR1000v in Amazon AWS on an EC2, and the SSLVPN speed is terribly slow. We can't get anything higher than 0.03mb/sec with a lot of packet loss. Pings are pretty good and consistent around 45ms without drops, however when we go to copy a file or use something like RDP over the SSLVPN, the pings go up to 150+ms and the connection slows down to a crawl. This is with just one user on the SSLVPN, and we plan for more than 200+.

I have the CSR connected to our internal private cloud, and a secondary elastic IP for access outside the cloud. I'm supplying a 192.168.200.0 address pool to the SSLVPN users, and I have an internal interface of 10.0.0.x. (Source and destination check are disabled on the EIP) We're using Radius for authentication, and SSL certificates on the SSLVPN. We also have the CSR managing several IPSEC tunnels to our other AWS regions and some physical sites. The site to site VPN's are working very well with acceptable speeds, it's just the SSLVPN that has the issue.

So far TAC has not been able to help us, so I thought I would reach out to the community for suggestions. Thanks in advance.

MARTIN CHONG · ‎09-16-2015

How is your CSR performing and what instance size are you using? (show proc cpu platform).

You may also need to make adjustments to your mtu and mss to take into account the Amazon SDN.

scottramnitz · ‎09-16-2015

In the end after many hours with TAC we ended up exchanging the CSR for ASAv which is working much better for us both as a VPN, and SSLVPN. DTLS on the ASAv is mostly where we see the increase for SSLVPN users.