Hairpinning on Cisco ASA - VPN Performance Considerations

tladd0001
Level 1

Hello,

 

We have many employees now working from home and connecting to the VPN (using Cisco AnyConnect).  We are running ASA version 9.8.  We have blocked split tunneling.

 

Typical VPN usage is to access internal applications and file servers.  However, with so many folks at home complaining about having to disconnect the VPN to access the Internet, we are considering hairpinning.  My concern is that all VPN sessions are coming in through a 10m data circuit and bandwidth utilization is very high.  If we allow hairpinning of Internet traffic through the same firewall interface, will I see a degradation of performance on the VPN because of additional bandwidth utilization?  Also, could there be a performance hit on the ASA device with all of the NAT'ing work? 

 

Thanks in advance for your counsel.

5 Replies

Cristian Matei
VIP Alumni

Hi,

 

With the given parameters, if you have a problem, it's going to be BW related, not ASA performance related.

 

Regards,

Cristian Matei.

Thank you for your reply.  So I should expect to see higher circuit utilization (and potential performance degradation) with Internet traffic coming in and out the same interface, correct?

Hi,

 

What you add now is ingress/egress Internet traffic on that interface for the VPN users. If you don't want to risk a possible scenario where everything performs poorly, do the following:

- consider taking into account split-tunnelling; if this is not an option, see below

- monitor the ASA's egress interface to see what is the PEAK BW you get with the current settings, move over just a couple of users to the new VPN with also Internet access, see via monitoring what is the growth; afterwards you'll be able to predict if you have enough BW or not to accommodate all of your users

 

What is the ASA HW model?

Regards,

Cristian Matei.
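
The pilot-and-extrapolate measurement suggested in the reply above, as an added Python example that is not part of the thread. It assumes the outside interface is polled for 64-bit octet counters (for example SNMP ifHCInOctets/ifHCOutOctets) and that the circuit is symmetric; the counter values, user counts and the 10.0 Mbit/s capacity are constructed sample inputs.

```python
# Added example: size hairpinned Internet traffic from a small pilot group.
# Counter values, user counts and the capacity figure are constructed.
COUNTER_MAX = 2**64  # 64-bit interface octet counters (e.g. SNMP ifHCInOctets)

def rates_mbps(samples):
    """samples: [(unix_time, in_octets, out_octets)] -> [(in_mbps, out_mbps)]"""
    rates = []
    for (t0, i0, o0), (t1, i1, o1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # skip duplicate or out-of-order polls
        d_in = (i1 - i0) % COUNTER_MAX    # modulo absorbs a counter wrap
        d_out = (o1 - o0) % COUNTER_MAX
        rates.append((d_in * 8 / dt / 1e6, d_out * 8 / dt / 1e6))
    return rates

def peak(samples):
    """Highest per-interval rate seen in each direction: (in_mbps, out_mbps)."""
    rates = rates_mbps(samples)
    return max(r[0] for r in rates), max(r[1] for r in rates)

def project(baseline, pilot, pilot_users, total_users, capacity_mbps):
    """Extrapolate per-direction peak load when all users hairpin."""
    result = {}
    for name, base, trial in zip(("in", "out"), peak(baseline), peak(pilot)):
        per_user = max(trial - base, 0.0) / pilot_users
        result[name] = round(base + per_user * total_users, 3)
    # Hairpinned Internet traffic enters and leaves the same interface, so
    # both directions grow; the circuit is assumed symmetric and full duplex.
    result["fits"] = max(result["in"], result["out"]) <= capacity_mbps
    return result

# Constructed 5-minute polls of the outside interface, no hairpinning.
BASELINE = [(0, 0, 0), (300, 150_000_000, 225_000_000),
            (600, 337_500_000, 525_000_000)]
# Pilot run: 5 users hairpinning; the inbound counter wraps in the first interval.
PILOT = [(0, 2**64 - 100_000_000, 0), (300, 106_250_000, 318_750_000),
         (600, 293_750_000, 618_750_000)]

if __name__ == "__main__":
    print(project(BASELINE, PILOT, pilot_users=5, total_users=40,
                  capacity_mbps=10.0))
```

Compare peaks taken over the same busy hours for both runs, since a baseline measured at a quiet time will overstate the per-user growth.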

Thanks for that suggestion.  I will look into doing that.  We have a 5516-X device.

Hi,

 

   Yes, if there will be a problem, it will be with not enough BW.

 

Regards,

Cristian Matei.
