Slow speed with Anyconnect VPN

Hello all,

I use a Cisco ASA 5505 with AnyConnect installed. I have a 50 Mbps Internet feed, and when I connect to the AnyConnect VPN, my speed is limited to around 3 Mbps.

I'm pasting the configuration file of the ASA here. What are the possible reasons for this behavior?

Thanks in advance,

Stef

omz Enthusiast

Re: Slow speed with Anyconnect VPN

Hi 

One possible reason can be a valid license. 

 

Beginner

Re: Slow speed with Anyconnect VPN

Hello omz,

these are the specs of my license:

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Re: Slow speed with Anyconnect VPN

Hi,

 

Please answer the below queries:

Internet feed to your Laptop/Home PC(Home Internet) is 50 Mbps, right?
What is the speed/bandwidth of your Office Internet?
How are you testing the speed from your Laptop/Home PC?

If your office Internet is slower and you are testing Internet speed while connected to AnyConnect, you can use the split tunneling feature to send the Internet traffic directly out from your laptop/home PC.

Split tunneling makes it so that only VPN traffic that is destined for the company's network goes through the VPN tunnel. All other traffic goes through the user's normal Internet connection. The split tunnel defines which subnets' traffic will be encrypted.


Here is the link explaining how to configure the Split tunnel.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

SD-WAN Specialist
Spooster IT Services
Beginner

Re: Slow speed with Anyconnect VPN

Hello,

To answer your questions:

Internet feed to your Laptop/Home PC(Home Internet) is 50 Mbps, right?

Right


What is the speed/bandwidth of your Office Internet?

Much more than 50 Mbps


How are you testing the speed from your Laptop/Home PC?

I'm testing via Speedtest, and also tested by downloading test files.

I do not want to use split tunneling, since I want all traffic to pass through the tunnel.

Cisco Employee

Re: Slow speed with Anyconnect VPN

Hi Net_Stef,

Let us first look into the outputs and check what the tunnel looks like.

Please share the output of the following command when you connect using AnyConnect:

sh vpn-sessiondb detail anyconnect

After that, apply the capture using the command below:

capture asp type asp-drop all

Perform a small file transfer over the VPN and then share the output of the capture using the command:

sh capture asp

 

Thanks

Shakti

Beginner

Re: Slow speed with Anyconnect VPN

Hello Shakti,

 

This is the output you need:

PIGAL# sh vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : stef.xen Index : 9
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 21558143 Bytes Rx : 973890
Pkts Tx : 16648 Pkts Rx : 10339
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_ANYCONNECT Tunnel Group : ANYCONNECT
Login Time : 21:59:11 EEST Tue Jun 18 2019
Duration : 0h:01m:49s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 5.144.192.91
Encryption : none Hashing : none
TCP Src Port : 49852 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 7514 Bytes Rx : 766
Pkts Tx : 5 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Encryption : AES256 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 49855
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 7566 Bytes Rx : 601
Pkts Tx : 6 Pkts Rx : 6
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Encryption : AES256 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 54072
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 22196507 Bytes Rx : 982721
Pkts Tx : 17112 Pkts Rx : 10571
Pkts Tx Drop : 0 Pkts Rx Drop : 0

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 112 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :

 

PIGAL# sh capture asp

30 packets captured

1: 22:13:13.613447 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 22:13:17.619383 802.1Q vlan#1234 P0 216.146.43.70.80 > 10.10.2.100.33894: R 1595073468:1595073468(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
3: 22:13:21.844743 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134
4: 22:13:28.776922 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
5: 22:13:29.499867 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
6: 22:13:30.262956 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
7: 22:13:31.270478 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
8: 22:13:34.305221 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
9: 22:13:37.268708 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
10: 22:13:37.758505 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
11: 22:13:39.128899 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
12: 22:13:39.211536 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
13: 22:13:40.291763 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137
14: 22:13:43.308440 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
15: 22:13:43.658581 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
16: 22:13:46.318114 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
17: 22:13:51.996713 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134 Drop-reason: (sp-security-failed) Slowpath security checks failed
18: 22:14:02.828509 802.1Q vlan#1234 P0 216.146.43.70.80 > 10.10.2.100.33910: R 161235794:161235794(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
19: 22:14:05.097361 802.1Q vlan#1234 P0 131.186.113.70.80 > 10.10.5.10.50257: R 438254390:438254390(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
20: 22:14:10.868439 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
21: 22:14:11.272660 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
22: 22:14:12.009719 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
23: 22:14:13.606764 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
24: 22:14:13.705209 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
25: 22:14:14.143913 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
26: 22:14:14.890716 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
27: 22:14:20.431694 802.1Q vlan#1234 P0 8.8.4.4.53 > 10.10.2.100.51648: udp 51 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 22:14:22.123955 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134 Drop-reason: (sp-security-failed) Slowpath security checks failed
29: 22:14:32.837526 802.1Q vlan#1234 P0 34.214.124.143.443 > 10.10.2.100.33899: R 2794890956:2794890956(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
30: 22:14:43.779668 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133
30 packets shown

 

Thanks,

Stef
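
An added example, not part of the thread: a short Python script that tallies the Drop-reason field of the `sh capture asp` output posted above and can restrict the tally to the AnyConnect-assigned address 10.10.5.10, so drops touching the VPN session are separated from unrelated broadcast traffic. The regular expression is an assumption derived from the line format shown in this thread; the sample lines are copied from the capture above.

```python
import re
from collections import Counter

# Five lines copied from the "sh capture asp" output in this thread.
SAMPLE = """\
30 packets captured
1: 22:13:13.613447 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
7: 22:13:31.270478 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
13: 22:13:40.291763 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137
19: 22:14:05.097361 802.1Q vlan#1234 P0 131.186.113.70.80 > 10.10.5.10.50257: R 438254390:438254390(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
27: 22:14:20.431694 802.1Q vlan#1234 P0 8.8.4.4.53 > 10.10.2.100.51648: udp 51 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Assumed line layout: "<n>: <time> 802.1Q vlan#<id> P<prio> <src> > <dst>: <info> [Drop-reason: (<code>) <text>]"
LINE_RE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>\S+)\s+802\.1Q\s+vlan#(?P<vlan>\d+)\s+P\d+\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<info>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[\w-]+)\)\s+.*)?$"
)

def parse_capture(text):
    """Return one dict per packet line; 'reason' is None when no Drop-reason is shown."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips "30 packets captured" / "30 packets shown"
        pkt = m.groupdict()
        # Endpoints are tcpdump-style: the last dotted field is the port.
        pkt["src_ip"], pkt["src_port"] = pkt.pop("src").rsplit(".", 1)
        pkt["dst_ip"], pkt["dst_port"] = pkt.pop("dst").rsplit(".", 1)
        packets.append(pkt)
    return packets

def drops_by_reason(packets, host=None):
    """Count packets per drop reason, optionally only those to or from `host`."""
    counts = Counter()
    for p in packets:
        if host and host not in (p["src_ip"], p["dst_ip"]):
            continue
        counts[p["reason"] or "(no reason shown)"] += 1
    return counts

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("all packets:", dict(drops_by_reason(pkts)))
    print("VPN client 10.10.5.10:", dict(drops_by_reason(pkts, "10.10.5.10")))
```
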

Cisco Employee

Re: Slow speed with Anyconnect VPN

Hi,

The output looks good: we are forming the DTLS tunnel, and there are no drops in the captures.

Let's do a comparative analysis of the file downloads.

Since the split-tunnel is tunnel all, Internet traffic is going via the ASA.

Let's download a 1 GB file from the website below when not connected to the VPN and look at the time it takes for the download:

https://www.thinkbroadband.com/download

70 mins @ 2 Mbps
17 mins @ 8 Mbps
5 mins @ 30 Mbps
3 mins @ 60 Mbps
75 secs @ 120 Mbps

Similarly, let's download the same file when connected via AnyConnect.

Speed with AnyConnect would be 30-40% less because of the additional encryption/decryption and the additional path that the packet has to traverse; anything beyond that is a concern.

Let me know the results.

Thanks

Shakti

Beginner

Re: Slow speed with Anyconnect VPN

Hello Shakti,

The test has already been done, and the results are that the speed is reduced by 90%.

Is this behavior something normal?

Thanks,

Stef