I was running 16.10.1b too, and hitting this bug:   CSCvn52259 - CSR1Kv:Throughput/BW level not set correctly when upgrade to 16.10.1 .bin image with AWS/Azure PAYG   Upgrading to 16.10.2 or 16.11 fixed it   I opened a TAC case and they were completely unhelpful.  This is something I had to discover on my own. ... View more

I re-launched the CSR1000v on t2.medium, c4.large and c5.large and configured them to only do routing and NAT with a 100 Mbps throughput license. These were the speed results:   # Test download via CSR1000v on t2.medium ubuntu@ip-10-13-22-161:~$ curl ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/ISO-IMAGES/11.2/FreeBSD-11.2-RELEASE-i386-bootonly.iso > /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 261M 100 261M 0 0 30733 0 2:28:55 2:28:55 --:--:-- 92708 # Test download via CSR1000v on c4.largeubuntu@ip-10-13-22-161:~$ curl ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/ISO-IMAGES/11.2/FreeBSD-11.2-RELEASE-i386-bootonly.iso > /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 261M 100 261M 0 0 9993k 0 0:00:26 0:00:26 --:--:-- 11.2M # Test download via CSR1000v on c5.large ubuntu@ip-10-13-22-161:~$ curl ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/ISO-IMAGES/11.2/FreeBSD-11.2-RELEASE-i386-bootonly.iso > /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 261M 100 261M 0 0 10.4M 0 0:00:25 0:00:25 --:--:-- 11.2M ... View more

I'm seeing this too, and have observed it's specific to Internet access.  If I download a file via Internet using the CSR1000v as default gateway, speeds are horrible (100-200 Kbps at best).  Downloading the same file via IPSec VPN tunnel terminated on the CSR1000v is 100 times faster.  I see this both with the 2.5 Gbps trial license and after purchasing and installing a 100 Mbps permanent one and rebooting.  I doubt it's a problem with AWS because using their NAT gateway, speeds are 50 Mbps.     We deployed the CSR1000v on AWS t2.medium instances and it wasn't until upgrading to 16.10.1b that they were stable.  I don't have a root cause or explanation from Cisco yet as to why this is, but really seems to be an issue with the low CPU credits on the t2.mediums and/or incompatibility related to Hypervisor or vNIC.   I'd be curious if I re-launch on c4.large or c5.large how things go.   ... View more

This is correct. The IPSec profile for a GRE tunnel should be transport mode. For plain IPSec tunnels, the mode should be tunnel.   ... View more

Realize this is an old post, but having the same problem too. The ASA provides a split tunnel route of 10.0.0.0/8 and any specific routes to say 10.69.0.0/16 via a different VPN client disappear from netstat -rn after connecting to AnyConnect.  When disconnecting from AnyConnect, the route returns. ... View more

Just got this message for the first time on a 2921 with ISM-VPN-29 module, which was active.  The tunnels combine for only 50 Mbps throughput but 60k pps which I'm suspecting is the problem. Router#show crypto engine brief         crypto engine name:  Virtual Private Network (VPN) Module         crypto engine type:  hardware                      State:  Disabled                   Location:  onboard 0               Product Name:  Onboard-VPN         crypto engine name:  Virtual Private Network (VPN) Module         crypto engine type:  hardware                      State:  Enabled                   Location:  slot 0           Product Name:  ISM VPN Accelerator         crypto engine name:  Cisco VPN Software Implementation         crypto engine type:  software              serial number:  214CE12A        crypto engine state:  installed      crypto engine in slot:  N/A ... View more

The lacp rate fast command is definitely supported in 15.2(4)E4, however during testing I still see it taking 10-15 seconds for the bundle to form.  This is with a Palo Alto firewall LACP with Palo Alto Firewalls ... View more

FYI "lacp rate fast" is supported on the 15.2(4)E software train: Switch#sh ver Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.2(4)E4, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2017 by Cisco Systems, Inc. Compiled Wed 05-Apr-17 04:22 by prod_rel_team Switch#sh run int Gi1/1/1 interface GigabitEthernet1/1/1  switchport trunk encapsulation dot1q  switchport mode trunk  load-interval 30  mls qos trust dscp  lacp rate fast  channel-group 1 mode active "lacp rate fast" in Catalyst 3750? LACP with Palo Alto Firewalls ... View more

Just a note for anyone Googling, this version is vulnerable to Bug CSCvd78303 and will stop passing traffic after 213 days uptime.  9.4(4)5 is the recommended upgrade path.   Field Notice: FN - 64291 - ASA and FTD Software-Security Appliance Might Fail To Pass Traffic After 213 Days Of Uptime-Reboot and Software Upgrade Required ... View more

I tried installing 5.4 under Hyper-V 6.3.9600 (Windows Server 2012 R2 Standard).  The installer did start, but quit during the hardware check.  Would assume it needs to be on custom Cisco hardware or VMWare. Seeing as ACS goes end of support next year, I doubt Cisco will put any effort in to changing this.  ... View more

Something isn't adding up because the 1921 should be almost 2x faster than the 2821.  If we're just talking regular performance numbers with no services (firewall, QoS, PAT, etc) Max PPS Max Throughput (64-byte packets) 2821 ISR 170,000 87 Mbps 1921 ISR G2 290,000 144 Mbps That being said, services and IPSec especially will be CPU intensive, so I can't dispute the numbers on the data sheet much.  Sounds like you want to at least move to a 2921/2951 or ideally a 3925 to get guaranteed 100 Mbps even with firewalling, PAT, IPSec, and QoS all enabled.  Along those lines I'd point out the 2951 and 3925 have hardware-based encryption for AnyConnect and should outperform the ASA 5505.  It sounds like you don't want to invest the time in learning the ASA, and if you don't need its features, that's totally understandable.  ... View more

ISP supplies 100Mbits down and 50 up.  Even the 2821 hits 100% CPU on large downloads.  I looked at the spec and it doesn't look like the ASA5505 could handle that bandwidth with NAT and firewall enabled.  The 1921 certainly could not. An ASA5505 should be able to do 100 Mbps with both firewall and NAT.  I'd be more concerned about session count in your case.  You'll want to do a "show version" on it to verify the inside host licenses are unlimited. As for the 1921 it can't find the numbers on it but anything that new should be able to do over 100 Mbps.  Perhaps it had firewalling enabled, or had the NAT configuration I'm warning about in the post below.  If you're concerned about security patching for the 2821, used 2921s should be getting very affordable these days.  We currently have several in our data center that are due to be retired next month, and they'll be sold off for around $300 each. If it were me I'd stick to the router for NAT since that's what your comfortable with but put the ASA side by side with it and run AnyConnect.  ... View more

One is a 1921-K9 with security bundle, one is another 2821 with the same OS as above (Adv IP), and a third is an ASA5505. The ASA is really the best choice for AnyConnect VPN.  It will support all features, while the ISR will only have partial support.  Also, the ASA can do hairpinning without any performance loss.If it were me, I'd migrate to the ASA, but consider using the 1921 as well. The 2821 is end of support so it's time to get off it anyway ... View more

Hehehehe ... View more