Anyconnect poor performance depending on service provider

l.buschi
Level 2

Hi all,

I have the following problem with ASA5506 ver asa9-14-2-8-lfbff-k8.

If I connect to a first Internet service provider, I have good AnyConnect performance for remote users and good general Internet access performance.

If the same firewall is connected to a new service provider, only changing the public IP address, I have unacceptable AnyConnect performance for remote users while general Internet access performance is still good.

This is my webvpn configuration:

webvpn
 enable outside
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-win-4.8.03052-webdeploy-k9.pkg 2 regex "Windows CE"
 anyconnect image disk0:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect image disk0:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 4 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable

I tried with different anyconnect version with the same result.

5 Replies

balaji.bandi
Hall of Fame

Has this new link been tested for both downloads and uploads, and are the results as expected? To me this looks like an ISP issue rather than a config issue for now.

Do some testing without the ASA and see whether you get the expected results.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I made many tests. The connection is as expected with both service providers.

Only the AnyConnect remote connection by teleworkers doesn't work as expected. Could it be a matter of MTU or TCP MSS?

I also tried to connect directly to the firewall, bypassing the service provider, and all works fine.

For its part, the service provider tested the connection using a FortiGate firewall and says everything is OK.

If the links tested with the expected results, the next step is to tune the MTU as you pointed out.

BB


I don't know how to tune it. Do I have to tune MTU only for anyconnect?

Dinesh Moudgil
Cisco Employee

Anyconnect would ideally not behave differently for different ISP connections. Here are some pointers on MTU, crypto engine and tunnel optimization features that may help:

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_376abafc-62cb-4dd4-b11c-7568b8d81f67

Configuring these features should help in AnyConnect optimization. For further investigation, you can use the iperf application [https://iperf.fr/] to measure performance with VPN and without VPN (bypassing the ASA), and if the results are significantly different, engage TAC.

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
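
The MTU question raised in this thread can be measured on each provider before any ASA setting is changed. The following is an added example, not code from the thread or from Cisco: it binary-searches the largest packet that crosses a path unfragmented using Linux `ping -M do`. The function names, the 576 to 1500 search range and the assumption that the target answers ICMP echo are choices made for this example.

```python
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header

def ping_probe(host, timeout_s=2):
    """Build probe(packet_size) -> bool that sends one echo with the DF bit set.
    Assumes Linux iputils ping (-M do prohibits fragmentation)."""
    def probe(packet_size):
        payload = packet_size - IP_ICMP_HEADERS
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe

def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that passes unfragmented.
    Returns None when even `low` fails (unreachable, or ICMP filtered)."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always progresses
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def compare_paths(probes):
    """For each labelled path, report its path MTU and the shortfall from 1500."""
    report = {}
    for label, probe in probes.items():
        mtu = find_path_mtu(probe)
        shortfall = None if mtu is None else 1500 - mtu
        report[label] = {"path_mtu": mtu, "below_1500": shortfall}
    return report

if __name__ == "__main__":
    # Run from a teleworker machine with the VPN disconnected, e.g.:
    #   python3 pmtu.py <ASA public address on ISP 1> <ASA public address on ISP 2>
    targets = {host: ping_probe(host) for host in sys.argv[1:]}
    for label, result in compare_paths(targets).items():
        print(label, result)
```

A lower path MTU on the new provider than on the old one supports the MTU explanation; equal values on both point elsewhere.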