08-16-2010 05:00 PM - edited 02-21-2020 04:47 PM
We are testing Cisco SSL VPN on the brand new 2821 running IOS Advanced IP Services version 15.1(2)T. AnyConnect client is 2.5.0217, and the group policy is configured for Full Tunnel option. Everything seems to be working fine on Windows, however, there is an issue on Mac OS X. After establishing a secure connection, AnyConnect sporadically stops passing any traffic to the remote site. It happens when users try to establish remote desktop connection to internal servers or browse corporate network shares. Next, after waiting for 5 minutes (default value for DPD), the router removes the non-responding peer, AnyConnect automatically re-establishes the connections, and the whole cycle starts again. Strangely enough, AnyConnect stays connected and continues to pass traffic if users don't attempt to connect to any remote resources (we tested by pinging corporate servers).
Debugging for webvpn “tunnel events” and “tunnel errors” is on, but there is no difference in messages that we receive from Windows or Mac clients.
Are there any known issues with the latest version of AnyConnect for Mac OS X that would cause instability like described above?
Any input would be much appreciated.
08-17-2010 07:43 AM
I've seen similar behavior when the internet connection is unstable.
Is the mac connected to the internet via wireless or wired connection?
08-18-2010 10:42 AM
Every remote user is affected. We discovered that Windows clients are unstable as well. Two days ago I was able to connect and work remotely through SSL VPN for several hours, but most of the time it stops passing traffic and freezes local applications connected to remote resources within the first 5 minutes. We use IPSec VPN on the same router as a backup, and clients have no problem maintaining remote connections for hours. I don't think that the issue is related to WAN connection, otherwise IPSec VPN would not work as well.
07-23-2011 10:41 PM
Hi. Were you able to find a solution for this problem? I am running into the exact issue. I have a TAC case open but have not heard back yet.
07-25-2011 08:05 PM
I had a TAC case open for over 5 months and 4 technicians working on it to no avail. During my own troubleshooting and testing, I discovered that ISR routers have real performance issues with SSL VPN. In my lab I had two servers connected directly to the router (eth0 and eth1) and transferring a 900 MB file through FTP. Below are my results (please note that the speed is in Megabytes per second, exactly as it is displayed in the FileZilla window):
Copying directly with no VPN – 21.1 MBps
IPSec VPN with AIM0 enabled – 11.5 MBps
IPSec VPN with AIM0 disabled, but onboard enabled – 4.5 MBps
IPSec VPN with software only encryption – 1.8 MBps
SSL VPN with AIM0 enabled – 1.7 MBps
SSL VPN with onboard acceleration – 1.0 MBps
SSL VPN with software only encryption – 1.0 MBps
Cisco couldn't provide any solution, so we upgraded our existing SonicWall firewall.
07-26-2011 12:26 AM
Well, that's discouraging. My issue is connection reliability. If I saturate the SSL VPN pipe it literally just stops transferring data. Never disconnects but just hangs. Also, when I do manage to pass a steady stream of data I experience high latency. Even when connected directly to the outside interface. Maybe I should have gone with an ASA. Btw, which SonicWall are you running?
07-26-2011 12:42 AM
There are other known issues using AnyConnect with ISR routers. I think you can make the tunnel stable by enabling QoS and limiting its bandwidth to 8-10 Mbps. However, in our case we have DS3 with an option to upgrade to 100Mbps in the near future, so limiting the bandwidth doesn't make sense. Cisco ISRs are designed for very small deployments, in all other cases you should go with ASA. I've learned it the hard way. Our SonicWall is NSA 3500.
Regards,
a