poor anyconnect speed

ino
Level 1

If I connect to my home network with AnyConnect I get really poor download speeds of 1.5Mbps (trying to watch a movie stream).

If I disconnect from the VPN and use a forwarded port I get the expected 15Mbps speed.

Where could the problem be? That's a difference of x10.

I don't really know where I should start looking / debugging.

The router is an ISR c1111-p4lteea.

 


Hello,

Could be MTU related. Can you post the running configuration (sh run) of your C1111?

ino
Level 1

I am also just reading up on MTU.

Could that really cause such a performance hit? 10 times faster over port forwarding vs VPN tunnel? O.O

It seems that the LTE connection has an MTU of 1480,

at least that's what the MikroTik modem tells me, which is passing the internet through to the C1111.

The gig interface to which the LTE is passed through has an MTU of 1500.

What is really confusing me is that with the built-in modem I get down 10-45Mbps and up 1-5Mbps,

with the MikroTik I get down 10-45Mbps and up 5-25Mbps,

but in both cases I get a more or less constant 1.2-1.5Mbps on the VPN tunnel.

I can post the running-config, it's just a couple of hundred lines with a load of (probably) unrelated entries.

I will try to strip it down to a more handy format.

 

There are many things that we do not know about your environment and some of them might impact our advice. Based on what we know so far this is my best guess: one of the things you specify in setting up AnyConnect is what traffic is to be sent using the vpn. One choice is to send all traffic over the vpn. Another choice is to send only traffic from your home network to some networks (perhaps the network where you are employed). If you choose to send all traffic over the vpn (and my guess is that is what you set up) then your streaming goes from your computer to your router, from your router to the vpn gateway (your employer), from the gateway to its Internet connection, and then to the streaming source. And the streaming traffic will take the same path back to you. Without the vpn running, your streaming goes from your computer to your router, from your router to the Internet, and then to the streaming source. And the streaming traffic will take the same path back to you. The more complicated path might account for the x10 difference.

HTH

Rick

ino
Level 1

Internet is on GigabitEthernet0/0/0, coming from a MikroTik LTE modem.

Actual MTU 1480
L2 MTU  

That's from its GUI; I am not comfortable with its CLI at the moment.

That's the stripped-down config of the C1111. I left in anything relevant (I hope) and the things I don't know what they do.

 

platform hardware throughput crypto 150000
!
aaa new-model
!
aaa authorization network IKEv2_GROUP_AUTHZ local 
!
aaa session-id common
clock timezone SST 2 0
!
subscriber templating
! 
multilink bundle-name authenticated
!
crypto pki server VPN_CA
 no database archive
 grant auto
 eku server-auth client-auth 
!
crypto pki trustpoint VPN_CA
 revocation-check crl
 rsakeypair VPN_CA
!
crypto pki trustpoint VPNSERVERCERT
 enrollment url http://10.0.0.1:80
 subject-name CN=vpn.xxx.buzz
 revocation-check none
 rsakeypair VPNSERVERCERT
!
crypto pki trustpoint xxx
 enrollment mode ra
 enrollment url http://ca.xxx.com:80/certsrv/mscep/mscep.dll
 fqdn c1111.xxx.com
 subject-name CN=c1111.xxx.com,O=xxx,OU=CORE DEVICE
 subject-alt-name c1111.xxx.com
 revocation-check none
 rsakeypair c1111
!
!
!
crypto pki certificate map CERT_MAP 10
 name co xxx
 issuer-name co xxx
!
crypto pki certificate chain VPN_CA
 certificate ca 01
  30820300 308201E8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  	quit
crypto pki certificate chain VPNSERVERCERT
 certificate 02
  30820334 3082021C A0030201 02020102 300D0609 2A864886 F70D0101 05050030 
  	quit
 certificate ca 01
  30820300 308201E8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  	quit
crypto pki certificate chain xxx
 certificate ca 57974CA27C57AEA340FB4AEBF0E596BA
  3082035D 30820245 A0030201 02021057 974CA27C 57AEA340 FB4AEBF0 E596BA30 
  	quit
!
diagnostic bootup level complete
!
spanning-tree extend system-id
mac address-table aging-time 0
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY 
 pool VPNPOOL
 dns 10.0.0.1 10.0.10.10
 netmask 255.255.255.0
 route set access-list split_tunel
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 14 19
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
!
crypto ikev2 profile IKEv2_PROFILE
 match certificate CERT_MAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPNSERVERCERT
 pki trustpoint xxx
 aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
 virtual-template 1
 reconnect timeout 900
!
no crypto ikev2 http-url cert
!
controller Cellular 0/2/0
 lte sim data-profile 2 attach-profile 2 slot 1
 no lte gps enable
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
vlan internal allocation policy ascending
! 
crypto logging session
crypto logging ezvpn
crypto logging ikev2
!
crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEv2_PROFILE
!
interface Loopback0
 description NTP
 ip address 10.1.1.1 255.255.255.255
 ntp broadcast
!
interface Loopback1
 ip address 10.100.100.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 description WAN0
 ip ddns update hostname xxx.com
 ip ddns update dynu
 ip address dhcp
 ip nat outside
 ip access-group VPN in
 negotiation auto
 ip virtual-reassembly
 ip virtual-reassembly-out
!
interface GigabitEthernet0/0/0.123
 encapsulation dot1Q 123
 ip address 172.16.123.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 description WAN1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet0/1/1
 description Trunk
 switchport trunk allowed vlan 99
 switchport mode trunk
 switchport port-security maximum 100
 switchport port-security violation restrict
!
interface GigabitEthernet0/1/2
 switchport access vlan 7
 switchport mode access
 switchport port-security maximum 25
 switchport port-security violation restrict
!
interface GigabitEthernet0/1/3
 switchport access vlan 7
 switchport trunk native vlan 7
 switchport trunk allowed vlan 7,123
 switchport mode trunk
!
interface Cellular0/2/0
 description LTE 
 ip ddns update hostname xxx.buzz
 ip ddns update buzz
 ip address negotiated
 ip nat outside
 ip access-group VPN in
 load-interval 30
 history BPS all
 dialer in-band
 dialer watch-group 1
 pulse-time 1
 ip virtual-reassembly
 ip virtual-reassembly-out
!
interface Cellular0/2/1
 description LTE 2
 no ip address
!
interface Virtual-Template1 type tunnel
 description Cisco AnyConnect IKEv2
 ip unnumbered Loopback1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
 no ip address
 ip nat inside
!
interface Vlan7
 description Vlan7
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Vlan88
 ip address 192.168.88.100 255.255.255.0
!
interface Vlan99
 ip address 10.99.99.1 255.255.255.0
!
!
router eigrp 10
 network 10.99.99.0 0.0.0.255
!
ip local pool VPNPOOL 10.0.100.1 10.0.100.5
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 60
ip nat translation syn-timeout 60
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
ip nat inside source static tcp 10.0.0.222 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 10.0.20.10 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 10.0.0.124 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 172.16.1.10 xxx interface Cellular0/2/0 xxx
ip nat inside source static tcp 10.0.0.124 xxx interface Cellular0/2/0 xxx
ip nat inside source static tcp 10.0.0.123 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 10.0.0.123 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 172.16.200.200 xxx interface Cellular0/2/0 22
ip nat inside source static udp 10.0.0.10 xxx interface Cellular0/2/0 xxx
ip nat inside source static udp 10.0.0.10 xxx interface Cellular0/2/0 xxx
ip nat inside source static udp 10.0.0.10 xxx interface Cellular0/2/0 xxx
ip nat inside source static udp 10.0.0.11 xxx interface Cellular0/2/0 xxx
ip nat inside source static udp 10.0.0.11 xxx interface Cellular0/2/0 xxx
ip nat inside source static udp 10.0.0.11 xxx interface Cellular0/2/0 xxx
ip nat inside source static tcp 10.0.0.12 xxx interface Cellular0/2/0 xxx
ip nat inside source static tcp 10.0.0.23 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static tcp 10.0.0.23 xxx interface GigabitEthernet0/0/0 xxx
ip nat inside source static udp 10.0.0.11 xxx interface Cellular0/2/0 xxx
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 192.168.88.200 255.255.255.255 Vlan99
ip ssh version 2
ip ssh client algorithm encryption aes192-cbc
!
ip access-list standard split_tunel
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.0.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended NAT
 permit ip host 10.0.10.111 any
 permit object-group PORT_DNS object-group WWW_DNS_CLIENTS object-group EXTERNAL_DNS
 permit object-group PORT_WWW object-group WWW_CLIENTS any
 permit ip object-group COMP_APIS any
 permit object-group PORT_SMTP object-group WWW_SMTP_CLIENTS any
 permit object-group PORT_SPEEDTEST object-group VM_INFLUX any
 permit ip host 10.0.0.12 any
 permit ip host 192.168.10.3 any
 permit ip host 192.168.10.2 any
 permit object-group PORT_TORRENT object-group WWW_TORRENT_CLIENTS any
 permit ip object-group PHON_S7 any
ip access-list extended VPN
 permit object-group PORT_VPN any any log-input
 permit ip any any
!
dialer watch-list 1 ip 8.8.8.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
control-plane
!
ntp master
ntp server 0.europe.pool.ntp.org
!

 

 

 

c1111#sh ip int g 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is x.x.34.224/26
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound  access list is VPN
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Virtual Fragment Reassembly, Access List, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
sh ip int Virtual-Access1
Virtual-Access1 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback1 (10.100.100.1)
  Broadcast address is 255.255.255.255
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check, TCP Adjust MSS
  Output features: TCP Adjust MSS
  Post encapsulation features: IPSEC Post-encap output classification
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
sh ip int lo1
Loopback1 is up, line protocol is up
  Internet address is 10.100.100.1/32
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1514 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing Common access list is not set
  Outgoing access list is not set
  Inbound Common access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  Associated unicast routing topologies:
        Topology "base", operation state is UP
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
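
The posted config sets `ip mtu 1400` and `ip tcp adjust-mss 1360` on Virtual-Template1 while the LTE link reports an MTU of 1480, so it is worth checking whether a full-size inner packet still fits on the path after ESP encapsulation. The following is an added example (not code from the thread or from Cisco) that does that arithmetic for ESP tunnel mode with AES-CBC and the integrity algorithms listed in the config's `crypto ikev2 proposal default`; it assumes NAT-T UDP encapsulation (UDP/4500), which is the usual case for an AnyConnect client behind a home router, and the actually negotiated algorithms should be confirmed with `show crypto ipsec sa`.

```python
# Added example: estimate on-the-wire ESP packet size for the tunnel settings
# in the thread (ip mtu 1400 / adjust-mss 1360) against a 1480-byte LTE path MTU.
# Header sizes are standard RFC 4303 / RFC 4868 values; assumptions are marked.
from dataclasses import dataclass

OUTER_IPV4 = 20        # outer IPv4 header added by tunnel mode
UDP_ENCAP = 8          # UDP header when NAT-T (UDP/4500) is in use (assumption)
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
AES_CBC_BLOCK = 16     # IV is one block; payload + trailer padded to a block
TCP_IPV4_HEADERS = 40  # inner IPv4 (20) + TCP (20) without options

# ICV lengths (truncated HMAC output) for the proposal's integrity algorithms
ICV_BYTES = {"sha256": 16, "sha384": 24, "sha512": 32}


@dataclass
class EspEstimate:
    inner_bytes: int   # size of the IP packet entering the tunnel
    outer_bytes: int   # size after ESP tunnel-mode encapsulation
    path_mtu: int      # MTU of the underlay path (LTE link here)

    @property
    def fits(self) -> bool:
        return self.outer_bytes <= self.path_mtu


def esp_outer_size(inner_bytes: int, integrity: str, udp_encap: bool = True) -> int:
    """Bytes on the wire for one inner IPv4 packet in ESP tunnel mode (AES-CBC)."""
    # payload + trailer is padded up to a multiple of the cipher block size
    padded = -(-(inner_bytes + ESP_TRAILER) // AES_CBC_BLOCK) * AES_CBC_BLOCK
    size = OUTER_IPV4 + ESP_HEADER + AES_CBC_BLOCK + padded + ICV_BYTES[integrity]
    return size + UDP_ENCAP if udp_encap else size


def check_tunnel(tunnel_ip_mtu: int, path_mtu: int, integrity: str,
                 udp_encap: bool = True) -> EspEstimate:
    """Compare the largest packet the tunnel emits unfragmented with the path MTU."""
    outer = esp_outer_size(tunnel_ip_mtu, integrity, udp_encap)
    return EspEstimate(tunnel_ip_mtu, outer, path_mtu)


def max_inner_for_path(path_mtu: int, integrity: str, udp_encap: bool = True) -> int:
    """Largest inner packet whose ESP encapsulation still fits within path_mtu."""
    inner = path_mtu
    while esp_outer_size(inner, integrity, udp_encap) > path_mtu:
        inner -= 1
    return inner


def recommended_mss(path_mtu: int, integrity: str, udp_encap: bool = True) -> int:
    """TCP MSS that keeps a full TCP segment inside the unfragmented inner size."""
    return max_inner_for_path(path_mtu, integrity, udp_encap) - TCP_IPV4_HEADERS


if __name__ == "__main__":
    for alg in ("sha256", "sha384", "sha512"):
        est = check_tunnel(1400, 1480, alg)
        verdict = "fits" if est.fits else "exceeds"
        print(f"{alg}: inner {est.inner_bytes} -> outer {est.outer_bytes} "
              f"({verdict} path MTU {est.path_mtu}); "
              f"max inner {max_inner_for_path(1480, alg)}, "
              f"suggested adjust-mss {recommended_mss(1480, alg)}")
```

The result shows that whether a 1400-byte inner packet fits a 1480-byte path depends on the negotiated ICV length, so confirming the live SA parameters matters before tuning `ip mtu` or the MSS clamp.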

 

Thanks for the additional information. With AnyConnect connected and running would you post the output of traceroute from your computer to the server where you are streaming?

HTH

Rick

ino
Level 1

That's from a Windows client.

Tracing route to jelly.xxx.com [10.0.20.10]
over a maximum of 30 hops:

  1    99 ms   189 ms    75 ms  10.100.100.1
  2   120 ms    76 ms   187 ms  c2961-connector.xxx.com [10.99.99.2]
  3   150 ms    72 ms    78 ms  jelly.xxx.com [10.0.20.10]

Trace complete.

I also tried a trace from the C1111 and the C2960 (where jelly is plugged in to); confusingly, I have no route from them to it,

not even from the C2960 where it is plugged in,

but I can ping it from both the C1111 and the C2960.

 

That's the routing table on the C2960:

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.0.1
      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan7
S        10.0.0.1/32 is directly connected, Vlan7
L        10.0.0.2/32 is directly connected, Vlan7
C        10.0.10.0/24 is directly connected, Vlan101
L        10.0.10.1/32 is directly connected, Vlan101
C        10.0.20.0/24 is directly connected, Vlan102
L        10.0.20.1/32 is directly connected, Vlan102
C        10.0.30.0/24 is directly connected, Vlan103
L        10.0.30.1/32 is directly connected, Vlan103
C        10.99.99.0/24 is directly connected, Vlan99
L        10.99.99.2/32 is directly connected, Vlan99
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1920
L        192.168.0.1/32 is directly connected, Vlan1920
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1921
L        192.168.1.1/32 is directly connected, Vlan1921
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Vlan1930
L        192.168.10.1/32 is directly connected, Vlan1930

And this is on the C1111. Internet is on G0/0/0 from the MikroTik; the cellular connection currently has no IP reachable from the outside and is just in to receive SMS commands.

Gateway of last resort is x.x.34.225 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via x.x.34.225
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Vlan7
L        10.0.0.1/32 is directly connected, Vlan7
D        10.0.10.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
D        10.0.20.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
D        10.0.30.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
S        10.0.100.1/32 is directly connected, Virtual-Access1
S        10.0.100.4/32 is directly connected, Virtual-Access3
C        10.1.1.1/32 is directly connected, Loopback0
C        10.99.99.0/24 is directly connected, Vlan99
L        10.99.99.1/32 is directly connected, Vlan99
C        10.100.100.1/32 is directly connected, Loopback1
C        x.x.179.104/32 is directly connected, Cellular0/2/0
      x.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        x.x.34.192/26 is directly connected, GigabitEthernet0/0/0
L        x.x.34.224/32 is directly connected, GigabitEthernet0/0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.123.0/24 is directly connected, GigabitEthernet0/0/0.123
L        172.16.123.1/32 is directly connected, GigabitEthernet0/0/0.123
D     192.168.0.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
D     192.168.1.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
D     192.168.10.0/24 [90/3072] via 10.99.99.2, 1d16h, Vlan99
      192.168.88.0/32 is subnetted, 1 subnets
S        192.168.88.200 is directly connected, Vlan99

I am confused. In the original post you describe trying to watch a movie stream. I assumed that this would be to some server on the Internet. But your traceroute is to a device inside your network. Is jelly the server with the movie stream? 

HTH

Rick

Yes, jelly is the server with the movie stream,

and it's inside of my network. The poor VPN speed is most recognizable there, as it's a movie stream and 1.5mb is far too slow to be watchable,

but it's just an example.

I have that slow connection over the VPN tunnel to all inside devices.

If I don't connect through the tunnel but use port forwarding I get the expected speed of 10-20mb.

jelly.xxx.com with AnyConnect connected

vs.

jelly.xxx.com:5454 without VPN (reachable from anywhere in the world)

(ip nat inside source static tcp 10.0.20.10 80 interface GigabitEthernet0/0/0 5454)