02-10-2023 11:33 AM
We have an ASA, actually an FPR-2120 running ASA code 9.14(2)4, terminating AnyConnect VPN. During an online all-hands meeting this device has previously gone to 90+% CPU and stayed there for the duration of the meeting which made it unusable for call center folks who were still working during the meeting.
I expect the first suggestion to be split-tunneling and we do have that in place for the meeting provider. However, it was in place during the last meeting (minus two subnets) and the CPU still maxed out. I find it doubtful that we happened to have a LOT of traffic on those two subnets.
Bigger firewalls are on order but not due till after the next meeting, so I'm looking for any other options that might be available as a stopgap.
Thank you
02-10-2023 12:25 PM
@DaveNoonan26775 split tunneling was going to be my first suggestion.
Is the FPR2120 doing other services that could be consuming the CPU? Or is this a dedicated VPN concentrator?
The other suggestion is to check the tunnel protocol and use the one with lower overhead: DTLS 1.2.
Have you seen this AnyConnect performance guide? https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html
02-10-2023 01:29 PM
It's a dedicated AnyConnect box.
I'll check the link and the protocol. Thanks for those suggestions.
02-10-2023 01:31 PM
Related question, the firewall is an HA pair so how much effort would be involved in moving it to active/active for VPN?
I haven't made that change before and it just occurred to me so I'm off to the search engines but thought someone else might have experience with it.
02-10-2023 01:45 PM
@DaveNoonan26775 in that case consider reconfiguring the 2 ASAs using a VPN load balancer. That will distribute the load evenly over the 2 devices.
https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/
02-10-2023 01:48 PM
I was just on that site reading their active/active article and I had also bumped into VPN load-balancing which I'd forgotten about. The joys of being a geek-of-all-trades, you do things and then forget how you did them or that you did them at all. I've learned to make notes.
Thank you, Rob. I think VPN load-balancing is going to be my answer.
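As an added example that is not from any participant in this thread, here is an ASA configuration sketch that puts the three suggestions above together on one member of an HA-replaced load-balancing pair: exclude the meeting provider's subnets from the tunnel, prefer DTLS 1.2, and enable VPN load balancing across the two boxes. Every interface name, address, ACL name, group-policy name and key below is an assumed placeholder, and the ACL entries are constructed sample subnets, not the real meeting provider's ranges.

```cisco
! --- Split tunneling: send only the meeting provider's subnets outside the tunnel ---
! Constructed sample ranges; replace with the provider's published address list.
access-list ACL-SPLIT-EXCLUDE standard permit 203.0.113.0 255.255.255.0
access-list ACL-SPLIT-EXCLUDE standard permit 198.51.100.0 255.255.254.0

! --- DTLS 1.2: UDP-based data path with lower per-packet overhead than TLS over TCP ---
! Clients fall back to TLS automatically if UDP/443 is blocked on their path.
webvpn
 enable outside
 dtls port 443
 anyconnect enable
ssl cipher dtlsv1.2 high

group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ACL-SPLIT-EXCLUDE
 webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1406

! --- VPN load balancing: both ASAs share a virtual cluster address on the outside interface ---
! Each unit keeps its own outside/inside IP; the cluster address must sit on the outside subnet.
! "cluster encryption" protects the director/member messages and requires IKEv1 enabled
! on the load-balancing interface. Repeat this block on the second unit with its own priority.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster key ASSUMED-SHARED-KEY
 cluster ip address 192.0.2.10
 cluster port 9023
 cluster encryption
 priority 10
 participate
```

Traffic matched by the exclude list never traverses the ASA, so it is no longer inspected or logged there; keep the list limited to the provider's published ranges and review it when the provider changes them.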