Anyconnect Throughput

Luke Thomas
Level 1

Hi All,

 

I'm looking for some information on the limitations of anyconnect throughput.

 

The compatibility matrix shows "IPSec VPN Throughput (1024B TCP w/Fastpath)" and "TLS". Granted, the throughput would be divided by two, shared up and down; additionally, assume known-good ISP and internal LAN connections. From looking around I see that SSL and IPSEC options are available; SSL would be the preferred method in this case.

 

What are the limiting factors here relating to AnyConnect throughput on a per-client basis? If there was a single user that needed to download a file using SMB (v2) over the AnyConnect connection, how would one estimate the expected throughput? (assuming AnyConnect, ISP and LAN are not utilised)

 

What should I be looking for in the compatibility matrices/datasheets?

 

Any advice much appreciated. 

 

Thanks

Luke


Hi @Luke Thomas 

To get the best performance you should ensure you use DTLS rather than TLS. DTLS 1.2 is available on ASA from version 9.10+ and AnyConnect from version 4.7+; you should run the latest recommended version of each.

 

Refer to this best practice guide to optimise RAVPN configuration; it also has a section on some tests performed that may help you. Other than this document I've not seen any public documents running performance tests.

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579#toc-hId-324607735

Hi Rob,

 

Thanks for the information. I did already read all of this before my original post, and it's still not clear: is SSL traffic the limitation, or VPN throughput? What is the bottleneck on the ASA when buying for remote workers?

These are the questions that the technical documentation does not answer. I've also read the VPN chapter of the CCIE book; again, nothing mentioned.

 

Thanks

Luke

Hi Luke,

 

I would predict that the typical remote user's first bottleneck will be their local ISP connection, and that the overhead of decryption/encryption on both their client and the ASA are not factors.  I would predict that the next most common performance degrader would be frame loss -- not a problem in plenty of neighborhood networks, but a factor in some.

 

It would be interesting to compare throughput across a fat connection, e.g. a remote user located at one site with a 1Gb or better Internet pipe, running over VPN to another site with a 1Gb or better Internet pipe -- then we could gather data on how the encryption/decryption work at Client + ASA impacts throughput. But I haven't found the opportunity to try this.

 

Here are data points which I gathered recently.

 

I copied a 10MB file ten times from a home machine to a Windows file server at the office, over several different VPN services.  Median results presented here.

 

CenturyLink Gig Home Service

- AWS OpenVPN service:   .66MB/s

- Cisco AnyConnect service:  .68MB/s

- Fortigate TLS service:  .68MB/s

 

Comcast Gig Home Service

- Cisco AnyConnect service:  2.75MB/s

 

Definitions

- Our outfit is experimenting with Remote Access VPN services, so we have several running in parallel

(1) Cloud-hosted service (AWS), which uses the OpenVPN client to connect to an AWS-hosted TLS VPN service ... and which then traverses an IPSec tunnel from the AWS Cloud back to on-prem Firewalls

(2) Fortigate's TLS client (i.e. their competitor to AnyConnect), also terminates on those Firewalls

(3) Cisco AnyConnect service, terminated on on-prem FirePower 1010 boxes ...

 

And then I replaced the CenturyLink Internet service with a Comcast one *with a fatter pipe* (their 'gig service'), which delivers ~4x better throughput.

 

Errata

- I used the Myth-Busting Toolkit to automate the file copies, gathering the timing, and performing the arithmetic to produce Mean values

- For comparison, when I perform this measurement on-prem, from my desktop workstation to the same file server, I get two orders of magnitude greater throughput

- I note that throughput gets a lot worse when copying lots of little files ... SMB (and NFS, for that matter) file semantics are 'chatty', so you see a lot lower throughput over all, as the file access protocol ping/pongs "file open" and "file close" and so forth commands.  But this is universal -- nothing unique about putting a VPN pipe in the middle of such an experience

 

hth,

 

--sk

Hi SK,

 

Thanks for all this information.

 

Did you have 1Gbps VPN throughput on the ASA when you saw only .68MB/s, or was this bottleneck your ISP? Currently using OpenVPN, transferring via SMBv2 (loads of little files), I see far better throughput than this (it's around 9.5MB/s).

 

Additionally, in my case the ISP circuits are all good working 1Gbps, both client-side and server-side, and the LANs are good 1Gbps as well. Where is the limiting factor here on the ASA that allows a theoretical 1Gbps AnyConnect speed? What should we look for in the datasheets? It seems key information is missing from all the Cisco documentation.

 

Thanks

Luke

 

 

Hi Luke,

 

The FirePower 1010 appliance terminating the AnyConnect session is 1Gb attached, on-prem.  The company has a 1Gb Internet connection (CenturyLink Internet IQ service)

 

The home connection is serviced by a CenturyLink residential service.  I just cut over to a fancier Comcast residential service (and have both running in parallel for a few days ... )

 

SpeedTest.net

CenturyLink:  400Mb/s down, 5.8Mb/s up

Comcast:  335Mb/s down, 42Mb/s up

 

BTW:  Note that I am reporting the SMB file copy performance in MB/s, not the more traditional Mb/s.  So ... multiply by 8 if you want the Mb/s figure (e.g. .68 * 8 = ~5.44Mb/s).  And I am copying 'up', i.e. from the Home to the Office

 

Anyway, I am claiming that (a) the home performance bottleneck is generally the home ISP, not the ASA head-end, at least in this kind of simple test scenario, and (b) I agree that it would be interesting to figure out the maximum throughput that the ASA can deliver to a single connection.

 

--sk

 

Hi SK, 

 

Ok, thanks, so you were hitting the limit of your upload speed, and yeah, of course, I'm aware you were using MB/s; most file transfers are measured in MB, not Mb, these days.

 

The circuits I'm working with are all 1Gbps up and down, as I mentioned previously. I still need to find out what the limiting factor would be, if any.

 

Thanks

Luke

Hi Luke,

 

Perhaps the following is useful:

Copy 10MB file from Office to Home ten times

CenturyLink (speedtest.net currently reports 90Mb/s Down and 6Mb/s Up):  8.25MB/s

Comcast (speedtest.net currently reports 417Mb/s Down and 42Mb/s Up):  8.80MB/s

 

These results suggest that the Firepower 1010 maxes out at ~8MB/s (or ~64Mb/s) for a single AnyConnect client.  Or, at least, that this particular Firepower maxes out at ~8MB/s at this particular moment in time (I note that this box is lightly loaded:  it does nothing but service AnyConnect clients, and I am its sole connected user at the moment)

 

BTW:  the SMB file copy throughput is bi-modal ... I have seen this repeatedly, when measuring throughput to SMB servers, i.e. this is not unique to copying files across a VPN tunnel

[attached image: cycle-file-copy-output-over-Comcast.png]

 

--sk
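The measurement method used in this thread (copy a 10MB file ten times, take the median, report MB/s, multiply by 8 for Mb/s, and compare against the speedtest figure for the direction of transfer) can be scripted so the bottleneck question is answered from the numbers rather than by eye. This is an added example, not code from the thread; the copy timings are constructed to reproduce the ~.68MB/s CenturyLink result, and the 90% utilisation threshold is an assumption.

```python
from statistics import median

MB = 1_000_000          # the thread reports decimal MB/s
BITS_PER_BYTE = 8
LINK_BOUND_FRACTION = 0.9   # assumption: >=90% of link speed means the link binds


def median_throughput_mb_s(samples):
    """Median throughput in MB/s from (bytes_copied, seconds) samples."""
    return median(b / s / MB for b, s in samples)


def to_mbit_s(mb_per_s):
    """Convert MB/s to Mb/s (the unit speedtest.net reports)."""
    return mb_per_s * BITS_PER_BYTE


def classify_bottleneck(mb_per_s, link_mbit_s):
    """Return which side appears to limit the copy.

    link_mbit_s is the ISP speed in the direction the data flows:
    the home 'up' figure for home->office copies, the home 'down'
    figure for office->home copies.
    """
    utilisation = to_mbit_s(mb_per_s) / link_mbit_s
    if utilisation >= LINK_BOUND_FRACTION:
        return "isp-link", utilisation
    return "head-end-or-path", utilisation


# Constructed timings: ten copies of a 10MB file from home to office,
# jittered around 14.7 s so the median lands at ~.68MB/s as in the thread.
HOME_TO_OFFICE = [(10 * MB, t) for t in
                  (14.5, 14.7, 14.9, 14.6, 14.8, 15.1, 14.4, 14.7, 14.6, 15.0)]


def analyse(samples, link_mbit_s):
    """Summarise a copy run: median MB/s, Mb/s, and the suspected bottleneck."""
    mb_s = median_throughput_mb_s(samples)
    where, util = classify_bottleneck(mb_s, link_mbit_s)
    return {"mb_per_s": round(mb_s, 2), "mbit_per_s": round(to_mbit_s(mb_s), 2),
            "link_utilisation": round(util, 2), "bottleneck": where}


if __name__ == "__main__":
    # CenturyLink residential upload was reported as 5.8Mb/s
    print(analyse(HOME_TO_OFFICE, 5.8))
```

Feeding the later office-to-home figures (8.25MB/s against a 90Mb/s download link, 8.80MB/s against 417Mb/s) into classify_bottleneck flags both as head-end-or-path, matching the ~64Mb/s single-client ceiling observed in the thread.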