Solved: Re: Anyconnect conection - BW and throughput issues

drivera_ · ‎04-06-2020

Hello guys,

I came here for you guys to give a hand. Righn now a customer is having throughput issues with anyconnect clients, experimenting very low througput when transfering files. I know, you guys are going to think about the situation (COVID-19) and many people trying to connect to their company resources though VPN links, but our customer is telling me that they have been having this issue even before the outbreak, when not many users used Anyconnect VPN. They asked me if there is a way of adjust the BW for Anyconnect VPN clients or if the BW clients are getting is by demand. It would be great if you can help me with this.

By the way, we're using an ASA 5525-X.

Thank you so much in advance.

Sheraz.Salim · ‎04-20-2020

your client having issues when remote anyconnect client connects. the bandwidth is slow. there are many factor which could cause the issue.

1. initial start what is the link on outside interface how much utilization is consumed on outside interface.

2. anyconnect client getting a slow response if all of these end client having issue than could be a problem on ASA interface facing connection.

3. anyconnet clients are using TLS or DTLS.

4. why client are doing a downloading the data? any reason.

please do not forget to rate.

View solution in original post

Marvin Rhoads · ‎04-21-2020

In addition to the good doc that @Sheraz.Salim mentioned, the answer regarding per-client bandwidth is that we cannot set that. A given tunnel-group/connection profile can be QoS policed/limited for all connected clients but otherwise each client will be given best effort for the presented traffic load.

View solution in original post

drivera_ · ‎04-20-2020

Anyone?

Sheraz.Salim · ‎04-20-2020

your client having issues when remote anyconnect client connects. the bandwidth is slow. there are many factor which could cause the issue.

1. initial start what is the link on outside interface how much utilization is consumed on outside interface.

2. anyconnect client getting a slow response if all of these end client having issue than could be a problem on ASA interface facing connection.

3. anyconnet clients are using TLS or DTLS.

4. why client are doing a downloading the data? any reason.

please do not forget to rate.

drivera_ · ‎04-21-2020

1. initial start what is the link on outside interface how much utilization is consumed on outside interface. /ANS: Right now, we're having a lot of traffic in this interface, but this issue was happening even before the Coronavirus outbreak, I meant, since three or four months ago.

2. anyconnect client getting a slow response if all of these end client having issue than could be a problem on ASA interface facing connection. /ANS: we found out that ASA 5525X only supports until 300 Mbps encryption/decryption traffic, and right now, slow issue is mainly happening because of this, but, before of this situation, when not many useres usually were connected through VPN tunnels, connection was really slow too.

3. anyconnet clients are using TLS or DTLS. /ANS: we're having another issue, related with not using DTLS but TLS instead. This issue is about windows remote assitance some internal users (people inside the company) give to people connected trhough Anyconnect VPN. Apparently, we're having slow connections or sometimes the connection failed when people from helpdesk initiates this connection. The reason why we're not using DTLS is because our customer's ASA behind a Citrix load balancer whom is facing internet connection. Output ASA interface has a private IP address and this address is being nated on that Citrix device, so at Citrix device we're configuring a virtual server with HTTPS. A Cisco Engineer TAC told us that we need to use udp 443 port for the DTLS tunnel to be established. I don't know if these slow issues are related with this other issue.

4. why client are doing a downloading the data? any reason./ANS: clients needs to download resources from some servers and tryin to access Internet. We're not using split tunneling because there are several internet browsing policies our customer have configured for only enterprise users and devices can use internet service by using a proxy service.

Finally, I would like to know if it is possible to assign an specific BW for every anyconnect client or if it is not possible and each client take his BW by demand, I meant, every client taking as much traffice it needs.

Thank you so much in advance.

Sheraz.Salim · ‎04-21-2020

@drivera_ thank you for the detail answers. instead of me answering all the quires you have i found a very good document which will definitely help you to get a way around what you looking answer for. here is the link. I hope you will find it very informative.

please do not forget to rate.

drivera_ · ‎04-22-2020

Hello, @Sheraz.Salim

Thank you so much for your answer and for that great document you shared. I think it is very explicit and really usefull.

Marvin Rhoads · ‎04-21-2020

In addition to the good doc that @Sheraz.Salim mentioned, the answer regarding per-client bandwidth is that we cannot set that. A given tunnel-group/connection profile can be QoS policed/limited for all connected clients but otherwise each client will be given best effort for the presented traffic load.

drivera_ · ‎04-22-2020

Hello, Marvin

Thank you so much. That was a great answer too.