
AnyConnect speed

neillix702
Level 1

Hi folks, I have set up two AnyConnect profiles. One profile is Split-Tunneling and the other is Tunnel all Networks (No Split). Split-Tunneling speed is averaging 70 Mbps (download); Tunnel all Networks speed is very, very slow (average 1.83 Mbps download). I can see that there will be a performance difference, but this is a big difference between the two. Is anyone currently having this issue, or is this normal? I'm running the ASA5520 with 1 GB RAM.


Jennifer Halim
Cisco Employee

Split tunnel means that traffic destined for the Internet goes directly from your PC to the Internet. Tunnel all traffic means that traffic destined for the Internet is first encrypted, sent through the tunnel to the ASA, decrypted, and sent to the Internet, and the return traffic follows the same path, i.e. from the Internet back to the ASA, where it is encrypted, sent back to the AnyConnect PC, and decrypted before it completes.

As the traffic needs to traverse back to the ASA, it really depends on how busy the ASA is, which also adds to the performance/latency. The speed of the ASA's ISP also plays a role.

I understand that part of the concept. The question I have is, why is there such a big difference, since the ASA is only hosting a couple of AnyConnect users? I'm currently testing AnyConnect in my lab and I don't have a whole lot of traffic on this ASA.

What I'm also concerned about is AnyConnect performance in comparison with IPsec. IPsec is 10x faster than AnyConnect, and I was wondering if anyone out there is experiencing any performance speed for AnyConnect. I tried modifying the MTU and the speed is still slow.

Hello,

How do you test your speed?

As described above, in full tunnel mode you'll pass a lot of traffic through the tunnel, which can be broadcasts from Windows, background apps and so on.

You might also have a stronger encryption algorithm.

One last thing to increase AnyConnect speed: try to use DTLS:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1059928

This will cause it to rely on UDP instead of TCP for the svc, because TCP in TCP can cause additional delays.

See explanation:

http://sites.inka.de/bigred/devel/tcp-tcp.html (first Google link for "tcp in tcp")

Hope this helps.
