05-12-2020 08:14 AM
Hello. We recently deployed and licensed an ASAv in Azure using the appliance available in the Market (verified that the Smart License for the ASAv10 took).
No changes were made to the default Azure hardware other than to connect the interfaces to various subnets.
The management/outside interface is connected to a net-new subnet, while the inside interface was connected to an existing subnet.
However, we are only seeing about 11Mbits/s up and down from AnyConnect clients (with respectable ping times in 30ms range). To try and rule out "other" issues, I also tested a Meraki Z3 to a vMX100 connected to the same subnet as the inside interface on the ASAv and was getting about 50Mbps (the reason for the different architecture is that the vMX100 supports a "hairpin" VPN with all traffic on a single interface, while the ASAv seems to require the two interfaces, at least with minimal configuration).
One thing I have not been able to determine is whether the 11Mbps for the AnyConnect clients is all that is available, or the limit for *each* session. I can say I've not seen any change (good or bad) now that more clients are connecting vs when it was just my testing.
Any suggestions would be very much appreciated.
Solved! Go to Solution.
05-12-2020 08:55 AM
If there's an Azure NSG in the flow make sure it's allowing udp/443 for DTLS. That could affect the DTLS issue (and thus performance).
The AnyConnect client optimization settings in the document I mentioned helped quite a bit with one of my customer's privately hosted ASAv instances.
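One way to check for the exact mismatch fixed in this thread (an NSG that admits TCP/443 but not UDP/443, so DTLS never comes up), as an added example that is not part of the original post. It evaluates NSG inbound rules the way Azure does (ascending priority, first match wins) against constructed sample rules shaped like `az network nsg rule list -o json` output; the `check_dtls_path` helper and the sample rules are assumptions for the example.

```python
# Rules follow the shape of `az network nsg rule list -o json` output; the
# sample rules below are constructed for this example. Only DenyAllInBound is
# modelled as a default: AllowVnetInBound/AllowAzureLoadBalancerInBound do not
# apply to Internet-sourced AnyConnect clients, and source filtering is omitted.
DENY_ALL_IN = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
               "access": "Deny", "protocol": "*", "destinationPortRange": "*"}

def _port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside an NSG port spec: '*', '443' or '1024-65535'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _rule_matches(rule: dict, proto: str, port: int) -> bool:
    """Does this inbound rule cover the given protocol and destination port?"""
    if rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("*", proto.lower()):
        return False
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
    return any(_port_in_range(port, s) for s in specs)

def inbound_decision(rules: list, proto: str, port: int) -> str:
    """Azure evaluates rules by ascending priority and the first match wins."""
    for rule in sorted(rules + [DENY_ALL_IN], key=lambda r: r["priority"]):
        if _rule_matches(rule, proto, port):
            return rule["access"]
    return "Deny"  # unreachable: DENY_ALL_IN always matches

def check_dtls_path(rules: list) -> dict:
    """DTLS needs UDP/443 in addition to TCP/443; report both decisions."""
    return {"tcp443": inbound_decision(rules, "Tcp", 443),
            "udp443": inbound_decision(rules, "Udp", 443)}

# Constructed sample: the NSG rule as it stood before the fix (TCP only).
BEFORE = [{"name": "allow-anyconnect", "priority": 100, "direction": "Inbound",
           "access": "Allow", "protocol": "Tcp", "destinationPortRange": "443"}]
# The same rule widened to '*' (TCP and UDP) on 443, as done in the thread.
AFTER = [{"name": "allow-anyconnect", "priority": 100, "direction": "Inbound",
          "access": "Allow", "protocol": "*", "destinationPortRange": "443"}]

if __name__ == "__main__":
    print("before:", check_dtls_path(BEFORE))  # udp443 Deny: DTLS fails, TLS fallback
    print("after: ", check_dtls_path(AFTER))   # udp443 Allow
```

A `udp443` result of `Deny` is the condition to look for when AnyConnect reports DTLS as inactive on `show vpn-sessiondb detail anyconnect`.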
05-12-2020 08:30 AM - edited 05-12-2020 08:32 AM
Hi,
What version of ASA and AnyConnect software are you running?
Are you using IPSec or SSL/TLS?
You will get the best performance using IPSec or DTLS 1.2 (DTLS rather than just TLS). DTLS 1.2 is supported from ASA 9.10+ and AnyConnect 4.7+.
Refer to this Cisco guide for optimising VPN performance.
HTH
05-12-2020 08:43 AM
Thanks - that actually makes sense, but points me to another problem that I had put on the back burner. I disabled DTLS because I was getting a reconnect after one minute and following these steps did *not* resolve the issue:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html
If you have any other advice on DTLS that would be great. If not, I'll go back to focusing that issue which will hopefully correct the performance one.
(fyi running ASA 9.14(1) and AnyConnect 4.8.03052)
05-12-2020 08:31 AM
What version are you running - ASAv and AnyConnect? Generally it helps if you have 9.12+ and 4.8 respectively so that you can use DTLS 1.2. You can check from the ASAv CLI what's been negotiated:
show vpn-sessiondb detail anyconnect
There are some other tuning tricks you can do to get maximum performance:
05-12-2020 08:44 AM
05-12-2020 09:07 AM
That did it! I didn't realize DTLS was UDP. Updated the NSG rule for port 443 to allow TCP and UDP and I am getting 50Mbps on AnyConnect.
Thank you again!
05-12-2020 11:05 PM
Great - I'm glad to hear that helped.
Add in those client optimization lines from the doc I referenced and you may get even better throughput.
ASAv10(config)#
 anyconnect-custom-data TunnelOptimizationsEnabled False false
 anyconnect-custom-data TunnelOptimizationsEnabled True true
 webvpn
  anyconnect-custom-attr TunnelOptimizationsEnabled description Tunnel Optimizations Enabled
 group-policy <Group Policy Name> attributes
  anyconnect-custom TunnelOptimizationsEnabled value True
I'm told they will be built into AnyConnect 4.9 by default.