07-09-2020 08:35 AM
Hey all,
I've been stumped on this issue for a while now. We implemented a VPN with our Cisco 1941 router with AnyConnect, but the speeds are far from functional: 350 kbps to 1.7 Mbps. Sometimes the connection just dips out and a re-connect is needed.
I've read that the 1941 supports 85 Mbps max on an encrypted tunnel unless an HSEC license is purchased. Since we can't even hit 2 Mbps, there must be something else wrong. I've followed some suggestions on this page but every change I've made has made no difference. I noticed that CPU usage tops out at 100% when transferring any files while connected to the VPN. However, when just browsing our work network file shares there's barely a flinch. Both of these tests were done during full production at work.
I've replaced cables in our data closet, I've checked MTU sizes, I've monitored the VPN connections with the debug webvpn verbose command, disabled webvpn cef as per the suggestion from the earlier linked website... I'm running out of options. We were going to purchase an ASA as we believed maybe the 1941 isn't powerful enough to host VPN sessions, but the documentation says otherwise.
07-09-2020 11:02 AM
Hello,
post the full running configuration of your 1941...
07-10-2020 06:32 AM
07-10-2020 07:23 AM
Hello,
apart from a lot of redundant stuff in your configuration, I noticed that your local IP pool does not match the split ACL:
--> ip local pool SSLVPN_POOL 10.0.4.1 10.0.4.50
--> svc split include acl 1
--> access-list 1 permit 10.0.0.0 0.0.3.255
10.0.4.1 through 10.0.4.50 are not part of 10.0.0.0/22. You might want to change the pool addresses to something out of the range 10.0.0.1 - 10.0.3.254.
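The pool-versus-split-ACL check above, done programmatically, as an added example that is not part of this thread. It parses the three quoted lines (embedded as a constructed sample), converts IOS wildcard masks to prefixes, and lists every pool address no permit entry covers; it also shows how a wider wildcard on access-list 1 changes the result.

```python
import ipaddress
import re

# Constructed sample: the three lines quoted from the router config above.
CONFIG = """\
ip local pool SSLVPN_POOL 10.0.4.1 10.0.4.50
 svc split include acl 1
access-list 1 permit 10.0.0.0 0.0.3.255
"""


def wildcard_to_network(addr, wild):
    """IOS wildcard masks are inverted subnet masks: 0.0.3.255 -> /22, 0.255.255.255 -> /8."""
    w = int(ipaddress.ip_address(wild))
    if (w + 1) & w:  # set bits are not one contiguous low run; not handled here
        raise ValueError(f"non-contiguous wildcard {wild}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)


def parse_pool(config):
    """Return (name, first address, last address) from the 'ip local pool' line."""
    m = re.search(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def split_acl_networks(config):
    """Networks permitted by the standard ACL that 'svc split include acl' points to."""
    number = re.search(r"^\s*svc split include acl (\d+)", config, re.M).group(1)
    nets = []
    for m in re.finditer(rf"^access-list {number} permit (\S+)(?: (\S+))?", config, re.M):
        a, b = m.group(1), m.group(2)
        if a == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif a == "host":
            nets.append(ipaddress.ip_network(b))
        else:  # "addr wildcard", or a bare address meaning a single host
            nets.append(wildcard_to_network(a, b or "0.0.0.0"))
    return nets


def uncovered_pool_addresses(config):
    """Pool addresses that fall outside every permit entry of the split ACL."""
    _, first, last = parse_pool(config)
    nets = split_acl_networks(config)
    return [str(ipaddress.ip_address(i)) for i in range(int(first), int(last) + 1)
            if not any(ipaddress.ip_address(i) in n for n in nets)]


if __name__ == "__main__":
    for cfg in (CONFIG, CONFIG.replace("0.0.3.255", "0.255.255.255")):
        missing = uncovered_pool_addresses(cfg)
        print(f"{len(missing)} pool address(es) outside the split ACL:", missing[:3], "...")
```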
07-11-2020 12:03 PM
@georg See, we originally had that in our configuration but then clients who connected could not access our network's resources, only other machines inside the VPN pool. I was told to set the pool to something outside of the subnet because it would create its own route inside, which it does.
With that said, I should just be able to change the subnet to something wider, right?
07-11-2020 01:05 PM
Hello,
understood. You can just change access list 1 to:
access-list 1 permit 10.0.0.0 0.255.255.255
I am not sure though that this solves the speed issue. There is a lot of redundant stuff in your configuration; I tried to clean it up and came up with the bare-bones config below. You might want to try this config and see if it affects the speed:
Current configuration : 12950 bytes
!
! Last configuration change at 09:21:04 EST Fri Jul 10 2020 by
!
version 15.7
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname example
!
boot-start-marker
boot system slot1:c1900-universalk9-mz.SPA.157-3.M5.bin
boot-end-marker
!
logging buffered 10240
!
aaa new-model
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
aaa authentication login local_access local
aaa authorization auth-proxy default local
!
aaa attribute list SSLVPN
 attribute type supplicant-group "SSLVPN"
!
aaa session-id common
!
no ip source-route
ip admission name IP-ADM-WEB-AUTH proxy http
!
no ip bootp server
ip domain name domainname.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
virtual-profile virtual-template 1
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki server IOS-CA
 database level complete
 no database archive
 grant auto
!
crypto pki trustpoint IOS-CA
 revocation-check crl
 rsakeypair IOS-CA
!
crypto pki trustpoint TEST
 enrollment url http://publicip:80
 subject-name CN=example.domainname.com
 subject-alt-name example.domainname.com
 revocation-check none
 rsakeypair TEST
!
crypto pki trustpoint TTSSL
 enrollment url http://publicip:80
 subject-name CN=example.domainname.com
 subject-alt-name example.domainname.com
 revocation-check none
 rsakeypair TTSSLKey
!
crypto pki trustpoint TTSSL_Cert
 enrollment selfsigned
 serial-number
 subject-name CN=example.domainname.com
 subject-alt-name example.domainname.com
 revocation-check crl
 rsakeypair TTSSLKey
!
!
crypto pki certificate chain IOS-CA
 certificate ca 01
  quit
crypto pki certificate chain TEST
crypto pki certificate chain TTSSL
crypto pki certificate chain TTSSL_Cert
 certificate self-signed 03
  quit
license udi pid CISCO1941/K9 sn FJC2127L231
!
file privilege 14
!
redundancy
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.6.01098-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect profile SSL_profile flash:preferences_global.xml
!
crypto isakmp policy 1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.192
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address publicip 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
ip local pool SSLVPN_POOL 10.0.4.1 10.0.4.50
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http access-class 18
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 publiciproute
ip ssh version 2
!
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Remote_SSH
 remark Deny SSH cons
 permit tcp host 10.0.0.237 any eq 22
 permit tcp host 10.0.0.237 any eq telnet
 permit tcp host 10.0.0.250 any eq 22
 permit tcp host 10.0.0.250 any eq telnet
 permit tcp host 10.0.0.235 any eq 22
 permit tcp host 10.0.0.235 any eq telnet
!
logging trap debugging
logging source-interface GigabitEthernet0/0
logging host 10.0.3.187
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 23 permit 10.10.10.0 0.0.0.127
!
control-plane
!
privilege exec level 14 dir
privilege exec level 14 show file systems
privilege exec level 14 show file
privilege exec level 14 show region
privilege exec level 14 show ip dns view
privilege exec level 14 show ip dns
privilege exec level 14 show ip
privilege exec level 14 show license udi
privilege exec level 14 show license
privilege exec level 14 show running-config
privilege exec level 14 show logging
privilege exec level 14 show platform
privilege exec level 14 show
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad rlogin lapb-ta mop udptn v120
 stopbits 1
line vty 0 4
 access-class Remote_SSH in
 privilege level 15
 password 7 obfuscated
 login authentication local_access
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input none
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.us.pool.ntp.org
time-range Workday
 periodic weekdays 7:00 to 18:00
!
webvpn gateway SSLVPN_GATEWAY
 ip address publicip port 443
 http-redirect port 80
 ssl trustpoint TTSSL_Cert
 inservice
!
webvpn context SSL_Context
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSL_Policy
   functions svc-enabled
   functions svc-required
   svc address-pool "SSLVPN_POOL" netmask 255.255.252.0
   svc profile SSL_profile
   svc split include acl 1
   svc dns-server primary 10.0.0.50
   svc dns-server secondary 10.0.0.65
   hide-url-bar
 default-group-policy SSL_Policy
!
end
07-13-2020 12:13 PM
Hmm, yeah. That doesn't seem to make a difference... We've even tried a replacement unit and the results are the same...
Could it be our SG500X-48p switch that we connect to in order to go out to the router? I'm at a complete loss as to why this is happening.
07-13-2020 12:22 PM
Hello,
Is the switch configured as a layer 2 switch? Unless something really weird has been configured on the switch, it should, in theory, not be the bottleneck. You could of course test with another device, such as a simple hub, if you have one available...
07-14-2020 01:26 PM
They're managed Layer 3 switches, but not configured with a next hop address or anything like that...