11-21-2016 05:10 AM
Hi all,
I have clients connecting using PPTP and we have implemented a VPN on the ASA to be used with AnyConnect clients. And it seems like PPTP is faster than AnyConnect. I have enabled DTLS, but there is still no improvement. Is there a way to troubleshoot this and figure out what is going on? Or are there any tips on how to boost performance?
Also, the clients are using Windows 7, but we don't have this problem on Windows 10.
And here are some results:
| drive | Document type | Opening time Old vpn (s) | Opening time Cisco vpn DE (s) |
|---|---|---|---|
| 1 | Word Document 2,2 MB | 8 | 15 |
| 2 | Powerpoint Document 7,6 MB | 37 | 54 |
| 3 | Pdf Document 4 MB | 8 | 28 |
| 4 | Pdf 14.3 MB | 2 | 5 |
| 5 | Pdf 19,3 MB | 5 | 10 |
| 6 | Word PI 000 2,2 MB | 10 | 72 |
| 7 | Powerpoint Document 7,6 MB | 28 | 112 |
11-24-2016 01:01 PM
Hello,
Check if the following bug might apply. The workaround is to use IPSec instead of SSL...
Slow throughput of AnyConnect client w/DTLS compared to IPSec IKEv1
CSCud24785
Description
Symptom:
AnyConnect (AC) for Windows and Mac OS using SSL encryption and 2K certificates.
Throughput for the AC clients is observed to be almost always less and under different scenarios,
when compared to the legacy Cisco IPSec client or the native Mac OS IPSec client when that uses a pre-shared key.
Conditions:
Similar observations have been recorded for Windows AC clients 3.0.03050, 3.1.0495 and 3.1.01065 and Mac AC clients 3.0.08066 and 3.1.01065.
DTLS is ON and Compression is OFF
ASA Version 9.0(1) AND 8.4(3)
What application was used to transfer the files, for example FTP, TFTP or HTTP or something else?
FTP
Was there other Remote Access tunnels running during this test or only one?
We tested against lightly loaded ASAs (as low as one AC connection, several connections, and several hundred connections)
What were the packet sizes sent using IPSec and SSL?
IPSec client MTU was set to 1300.
set MTU of the NIC to default of 1500 and AC negotiate the actual MTU
What was the CPU on the ASA during each of these tests?
Lightly loaded 1%, when hundreds of connections < 10% on 5585
What is the size of the Certificates being used.
Key size is 2048
What are you using to measure the throughput in MBPS?
Time takes to complete FTP vs files - typically computed by FTP.
Workaround:
Use IPsec instead of SSL
11-28-2016 03:21 PM
Thanks for replying gpauwen,
Is there an easy way to just change the protocol, or should I make a new one using IPSec?
I'm getting information about the questions you asked. All I get is that the certificates are 2048 and they are using typical file sharing.
Thanks
11-30-2016 01:02 AM
Hello,
In the 'Connections' tab of the AnyConnect app, you can add a new connection and then choose IPSec instead of SSL (which is the default).
I am not sure if you can edit an existing connection and change SSL to IPSec...
12-01-2016 11:39 AM
I don't see any connection tab ....
12-01-2016 11:59 AM
Sorry, I was referring to the Google Chrome version:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Google_Chrome_OS_AnyConnect_User_Guide_4-0-x.html
12-06-2016 06:33 AM
Hi gpauwen,
Sorry for the delay. I have tried to make a configuration with the VPN Wizard, and I unchecked the SSL option and continued. I was able to log in to the login page, but when I try to make a connection it fails. It was something with the certificate that I was using. The error was "Login Denied , unauthorized connection mechanism , contact your administrator". So I have deleted everything and put the SSL option back in place, and now it works. But the problem is that I'm not seeing any IPSec connection.
So I guess I'm missing something with the certificate, or?
All I get is:
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1 : 49 : 2 : 0
SSL/TLS/DTLS : 1 : 46 : 2 : 0
IKEv2 IPsec : 0 : 3 : 1 : 0
12-06-2016 12:39 PM
Hello,
Is your ASA configured for IPSec VPN client access? Can you post the config of your ASA?
12-07-2016 02:31 PM
Hi gpauwen,
What I have done is delete any configuration that I previously had, start the AnyConnect VPN Wizard, uncheck SSL and do the steps. After that I had to change the Client profile to put the domain instead of the IP, so that it is not showing the red alert of an untrusted cert.
Once again, thank you for replying.
Now I have another challenge, for another Cisco 5506: the licensing part. I have the PAK but can't get the license. I don't know where to start on this. What should I do in order to get the license that I bought?
12-07-2016 02:53 PM
Hello,
You need to go to the Cisco Registration Portal and use the PAK to generate the license. Check the link below:
https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Home
12-07-2016 02:55 PM
Yeee thanks for this. I'm currently watching the video :D
Thank you once again !