ISA550 - Any connect LAN traffic slow

We have an ISA 550 (firmware 1.2.15) running SSL VPN connected to AnyConnect 3.0.2052. A number of users have reported that print and other LAN services become much slower when the VPN is connected. Everything returns to full speed when disconnected. I have tried enabling Local LAN access (both on and off) inside AnyConnect. On the ISA, in the SSL VPN Group Policy, split tunneling is enabled and I have set it to include only the addresses I want to route down the tunnel. On an XP machine, route print confirms the default gateways for all the traffic are correct.


Have you tried updating to the latest AnyConnect client?

http://software.cisco.com/download/release.html?mdfid=281940730&flowid=4466&softwareid=282364316&os=Windows&release=5.0.07.0440&relind=AVAILABLE&rellifecycle=&reltype=latest


Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

The latest AnyConnect is not supported. There are compatibility issues with the ISA using self-generated certificates where the VPN will not connect as it thinks it has a captive portal and requires authentication. I had a long-standing TAC case which ended with them advising to only use version 3.0.2052 (that comes on the CD with the device). I tried many intermediate versions and the captive portal problem still arose.

It is the AnyConnect Secure Mobility Client we are using.


I'm assuming the IP subnet being assigned to VPN users is different from your LAN subnet, correct? There is no overlap?

Shawn Eftink CCNA/CCDA

Hi Kenneth,

In addition to Shawn's questions, I have a few more:

1.  Is only local LAN traffic affected or is traffic over the tunnel slow, too?

2.  What are you trying to do on the local LAN?  I see printing, but would like to see what other activities are affected.

3.  How are you accessing devices on the local LAN (ip address or hostname)?  If you try both, does it make a difference?

4.  How do ping times to local devices compare when connected vs disconnected from AnyConnect?

Thanks,

Brandon


Dear Brandon,

Are you from the Dev Team?

I am using AnyConnect with large installations at ASA level and experience performance troubles with certain kinds of clients when DTLS and compression are enabled. With ASA you can disable this per group, but I believe with the ISA this is not possible. Is DTLS enabled by default? Perhaps this is the problem.

Michael


Hi Michael,

The ISA doesn't support DTLS yet, but it is on the roadmap. 

With the ASA, you normally get better performance with DTLS since it uses UDP instead of TCP, but you shouldn't need compression. Compression is more for slow bandwidth links and impacts the CPU more. I wonder if you would see better performance by using DTLS without compression.

Thanks,

Brandon