
AnyConnect slower than PPTP

Hi all, 

I have clients connecting using PPTP, and we have implemented a VPN on the ASA to be used with AnyConnect clients. It seems like PPTP is faster than AnyConnect. I have enabled DTLS, but there is still no improvement. Is there a way to troubleshoot this and figure out what is going on? Or are there any tips on how to boost performance?

Also, the clients are using Windows 7, but we don't have this problem on Windows 10.

And here are some results:

| Drive | Document type | Opening time Old vpn (s) | Opening time Cisco vpn DE (s) |
|---|---|---|---|
| 1 | Word Document 2,2 MB | 8 | 15 |
| 2 | Powerpoint Document 7,6 MB | 37 | 54 |
| 3 | Pdf Document 4 MB | 8 | 28 |
| 4 | Pdf 14.3 MB | 2 | 5 |
| 5 | Pdf 19,3 MB | 5 | 10 |
| 6 | Word PI 000 2,2 MB | 10 | 72 |
| 7 | Powerpoint Document 7,6 MB | 28 | 112 |


Hello,

Check if the following bug might apply. The workaround is to use IPSec instead of SSL...

Slow throughput of AnyConnect client w/DTLS compared to IPSec IKEv1
CSCud24785
Description
Symptom:
AnyConnect (AC) for Windows and Mac OS using SSL encryption and 2K certificates.
Throughput for the AC clients is observed to be almost always less and under different scenarios,
when compared to the legacy Cisco IPSec client or the native Mac OS IPSec client when that uses a pre-shared key.

Conditions:
Similar observations have been recorded for Windows AC clients 3.0.03050, 3.1.0495 and 3.1.01065 and Mac AC clients 3.0.08066 and 3.1.01065.
DTLS is ON and Compression is OFF

ASA Version 9.0(1) AND 8.4(3)

What application was used to transfer the files, for example FTP, TFTP or HTTP or something else?
FTP

Was there other Remote Access tunnels running during this test or only one?
We tested against lightly loaded ASAs (as low as one AC connection, several connections, and several hundred connections)

What were the packet sizes sent using IPSec and SSL?
IPSec client MTU was set to 1300.
set MTU of the NIC to default of 1500 and AC negotiate the actual MTU

What was the CPU on the ASA during each of these tests?
Lightly loaded 1%, when hundreds of connections < 10% on 5585

What is the size of the Certificates being used.
Key size is 2048

What are you using to measure the throughput in MBPS?
Time takes to complete FTP vs files - typically computed by FTP.

Workaround:
Use IPsec instead of SSL

Thanks for replying gpauwen,

Is there an easy way to just change the protocol, or should I make a new one using IPSec?

I'm getting information about the questions you asked. All I have so far is that the certificates are 2048 and they are using typical file sharing.

Thanks

Hello,

In the 'Connections' tab of the AnyConnect app, you can add a new connection and then choose IPSec instead of SSL (which is the default).

I am not sure if you can edit an existing connection and change SSL to IPSec...

I don't see any connection tab .... 

Sorry, I was referring to the Google Chrome version:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Google_Chrome_OS_AnyConnect_User_Guide_4-0-x.html

Hi gpauwen, 

Sorry for the delay. I tried to make a configuration with the VPN Wizard, and I unchecked the SSL option and continued. I was able to log in to the login page, but when I try to make a connection it fails. It was something with the certificate that I was using. The error was "Login Denied , unauthorized connection mechanism , contact your administrator". So I deleted everything and put the SSL option back in place, and now it works. But the problem is that I'm not seeing any IPSec connection.

So I guess I'm missing something with the certificate, or?

All I get is:

---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1 : 49 : 2 : 0
SSL/TLS/DTLS : 1 : 46 : 2 : 0
IKEv2 IPsec : 0 : 3 : 1 : 0


Hello,

Is your ASA configured for IPSec VPN client access? Can you post the config of your ASA?

Hi gpauwen, 

What I have done is delete any configuration that I previously had, start the AnyConnect VPN Wizard, uncheck SSL and do the steps. After that I had to change the client profile to use the domain instead of the IP, so that it does not show the red alert about the untrusted cert.

Once again, thank you for replying.
Now I have another challenge with another Cisco 5506: the licensing part. I have the PAK but can't get the license. I don't know where to start on this. What should I do in order to get the license that I bought?

Hello,

You need to go to the Cisco Registration Portal and use the PAK to generate the license. Check the link below:

https://slexui.cloudapps.cisco.com/SWIFT/LicensingUI/Home

Yeee thanks for this. I'm currently watching the video :D

Thank you once again !
