
ASAv in Azure Bandwidth Issue

j-couture (Level 1)

Hello. We recently deployed and licensed an ASAv in Azure using the appliance available in the Market (verified that the Smart License for the ASAv10 took). 


No changes were made to the default Azure hardware other than to connect the interfaces to various subnets.


The management/outside interface is connected to a net-new subnet, while the inside interface was connected to an existing subnet.


However, we are only seeing about 11Mbits/s up and down from AnyConnect clients (with respectable ping times in 30ms range). To try and rule out "other" issues, I also tested a Meraki Z3 to a vMX100 connected to the same subnet as the inside interface on the ASAv and was getting about 50Mbps (the reason for the different architecture is that the vMX100 supports a "hairpin" VPN with all traffic on a single interface, while the ASAv seems to require the two interfaces, at least with minimal configuration). 


One thing I have not been able to determine is whether the 11Mbps for the AnyConnect clients is all that is available, or the limit for *each* session. I can say I've not seen any change (good or bad) now that more clients are connecting vs when it was just my testing.


Any suggestions would be very much appreciated.


7 Replies

Hi,
What version of ASA and AnyConnect software are you running?
Are you using IPSec or SSL/TLS?

You will get the best performance using IPSec or DTLS 1.2 (DTLS rather than just TLS). DTLS 1.2 is supported from ASA 9.10+ and AnyConnect 4.7+.


Refer to this Cisco guide for optimising VPN performance.

HTH

Thanks - that actually makes sense, but points me to another problem that I had put on the back burner. I disabled DTLS because I was getting a reconnect after one minute and following these steps did *not* resolve the issue:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html

If you have any other advice on DTLS that would be great. If not, I'll go back to focusing on that issue, which will hopefully correct the performance one.


(fyi running ASA 9.14(1) and AnyConnect 4.8.03052)

Marvin Rhoads (Hall of Fame)

What version are you running - ASAv and AnyConnect? Generally it helps if you have 9.12+ and 4.8 respectively so that you can use DTLS 1.2. You can check from the ASAv CLI what's been negotiated:

show vpn-sessiondb detail anyconnect

There are some other tuning tricks you can do to get maximum performance:

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579#toc-hId--122729988


If there's an Azure NSG in the flow make sure it's allowing udp/443 for DTLS. That could affect the DTLS issue (and thus performance).

The AnyConnect client optimization settings in the document I mentioned helped quite a bit with one of my customer's privately hosted ASAv instances.
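A quick check for the NSG condition described above, as an added example that is not from this thread or from Cisco or Microsoft: it evaluates a set of NSG inbound rules the way Azure does (lowest priority number first, first match wins) and reports whether UDP/443, which AnyConnect DTLS needs, would reach the ASAv. The rule records are a constructed sample shaped like `az network nsg rule list` output; source-address and source-port filters are ignored for brevity.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json`, trimmed to
# the fields this check needs. It is not taken from the original thread.
SAMPLE_NSG_RULES = json.loads("""
[
 {"name": "allow-https-tcp", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-ssh-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "destinationPortRange": "22", "destinationPortRanges": []},
 {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": []}
]
""")


def _port_matches(port, rule):
    """True if `port` falls inside the rule's destination port spec ("*", "443", "400-500")."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for spec in specs:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_matching_rule(rules, protocol, port, direction="Inbound"):
    """Return the matching rule with the lowest priority number (Azure's first-match order).
    Simplification: source address/port filters are not evaluated here."""
    candidates = [
        r for r in rules
        if r["direction"] == direction
        and r["protocol"] in ("*", protocol)
        and _port_matches(port, r)
    ]
    return min(candidates, key=lambda r: r["priority"], default=None)


def dtls_allowed(rules):
    """AnyConnect DTLS rides on UDP/443; report whether the NSG lets it in."""
    rule = first_matching_rule(rules, "Udp", 443)
    return rule is not None and rule["access"] == "Allow"


def fixed_rules(rules):
    """Copy of `rules` where the TCP/443 allow rule is widened to protocol '*' (TCP and UDP)."""
    out = []
    for r in rules:
        r = dict(r)
        if r["access"] == "Allow" and r["protocol"] == "Tcp" and _port_matches(443, r):
            r["protocol"] = "*"
        out.append(r)
    return out
```

With the sample as given, UDP/443 falls through to the default deny, which is exactly the case where the client silently stays on TLS and throughput suffers; after `fixed_rules` the same lookup hits the allow rule.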

That did it! I didn't realize DTLS was UDP. Updated the NSG rule for port 443 to allow TCP and UDP and I am getting 50Mbps on AnyConnect.


Thank you again!

Great - I'm glad to hear that helped.

Add in those client optimization lines from the doc I referenced and you may get even better throughput.

ASAv10(config)#
! Define the custom attribute type first (webvpn sub-mode), then its possible values
webvpn
   anyconnect-custom-attr TunnelOptimizationsEnabled description Tunnel Optimizations Enabled
   exit
anyconnect-custom-data TunnelOptimizationsEnabled True true
anyconnect-custom-data TunnelOptimizationsEnabled False false

! Enable it for the group policy your AnyConnect users land in
group-policy <Group Policy Name> attributes
   anyconnect-custom TunnelOptimizationsEnabled value True

I'm told they will be built into AnyConnect 4.9 by default.
