Hi Rob,

Thanks for the information. I did already read all of this before my original post, and it’s still not clear, SSL traffic is the limitation or VPN throughput? What is the bottleneck on the ASA when buying for remote workers? 

These are the questions that the technical documentation do not answer. I’ve also read the VPN chapter of the CCIE book, again nothing mentioned.

Thanks

Luke

Hi Luke,

I would predict that the typical remote user's first bottleneck will be their local ISP connection, and that the overhead of decryption/encryption on both their client and the ASA are not factors.  I would predict that the next most common performance degrader would be frame loss -- not a problem in plenty of neighborhood networks, but a factor in some.

Would be interesting to compare throughput across a fat connection, e.g. a remote user located at one site with a 1Gb or better Internet pipe, running over VPN to another site with a 1Gb or better Internet pipe -- then, we could gather data on how the encryption/decryption work at Client + ASA impact throughput.  But I haven't found the opportunity to try this

Here are data points which I gathered recently.

I copied a 10MB file ten times from a home machine to a Windows file server at the office, over several different VPN services.  Median results presented here.

CenturyLink Gig Home Service

- AWS OpenVPN service:   .66MB/s

- Cisco AnyConnect service:  .68MB/s

- Fortigate TLS service:  .68MB/s

Comcast Gig Home Service

- Cisco AnyConnect service:  2.75MB/s

Definitions

- Our outfit is experimenting with Remote Access VPN services, so we have several running in parallel

(1) Cloud-hosted service (AWS), which uses the OpenVPN client to connect to an AWS-hosted TLS VPN service ... and which then traverses an IPSec tunnel from the AWS Cloud back to on-prem Firewalls

(2) Fortigate's TLS client (i.e. their competitor to AnyConnect), also terminates on those Firewalls

(3) Cisco AnyConnect service, terminated on on-prem FirePower 1010 boxes ...

And then I replaced the CenturyLink Internet service with a Comcast one *with a fatter pipe* (their 'gig service'), which delivers ~4x better throughput.

Errata

- I used the Myth-Busting Toolkit to automate the file copies, gathering the timing, and performing the arithmetic to produce Mean values

- For comparison, when I perform this measurement on-prem, from my desktop workstation to the same file server, I get two orders of magnitude greater throughput

- I note that throughput gets a lot worse when copying lots of little files ... SMB (and NFS, for that matter) file semantics are 'chatty', so you see a lot lower throughput over all, as the file access protocol ping/pongs "file open" and "file close" and so forth commands.  But this is universal -- nothing unique about putting a VPN pipe in the middle of such an experience

hth,

--sk

Hi SK,

Thanks for all this information.

Did you have 1Gbps VPN throughput on the ASA when you have seen only .68MB/s, was this bottleneck your ISP? Currently using open VPN transferring via SMBv2 (loads of little files) I see far better throughput than this (it’s around 9.5MB/s).

Additionally, in my case the ISP circuits are all good working 1Gbps, this is both client-side and server-side, also the LANs are good 1Gbps. Where is the limiting factor here on the ASA that allows theoretical 1Gbps AnyConnect speed? What should we look for in the datasheets, it seems key information is missing from all the Cisco documentation.

Thanks

Luke

Hi Luke,

The FirePower 1010 appliance terminating the AnyConnect session is 1Gb attached, on-prem.  The company has a 1Gb Internet connection (CenturyLink Internet IQ service)

The home connection is serviced by a CenturyLink residential service.  I just cut over to a fancier Comcast residential service (and have both running in parallel for a few days ... )

SpeedTest.net

CenturyLink:  400Mb/s down, 5.8Mb/s up

Comcast:  335Mb/s down, 42Mb/s up

BTW:  Note that I am reporting the SMB file copy performance in MB/s, not the more traditional Mb/s.  So ... multiply by 8 if you want the Mb/s figure (e.g. .68 * 8 = ~5.44Mb/s).  And I am copying 'up', i.e. from the Home to the Office

Anyway, I am claiming that (a) the home performance bottleneck is generally the home ISP, not the ASA head-end, at least in this kind of simple test scenario, (b) I agree that it would be interesting to figure out what the maximum throughput that the ASA can deliver to a single connection.

--sk

Hi SK, 

Ok, thanks, so you were hitting the limit of your upload speed, and yeah, of course, I’m aware you were using MB/s, most file transfers are measured in MB, not Mb these days.

The circuits I’m working with are all 1Gbps up and Down as I mentioned previously. Still need to find out what the limiting factor would be if any?

Thanks

Luke

Hi Luke,

Perhaps the following is useful:

Copy 10MB file from Office to Home ten times

CenturyLink (speedtest.net currently reports 90Mb/s Down and 6Mb/s Up):  8.25MB/s

Comcast (speedtest.net currently reports 417Mb/s Down and 42Mb/s Up):  8.80MB/s

These results suggest that the Firepower 1010 maxes out at ~8MB/s (or ~64Mb/s) for a single AnyConnect client.  Or, at least, that this particular Firepower maxes out at ~8MB/s at this particular moment in time (I note that this box is lightly loaded:  it does nothing but service AnyConnect clients, and I am its sole connected user at the moment)

BTW:  the SMB file copy throughput is bi-modal ... I have seen this repeatedly, when measuring throughput to SMB servers, i.e. this is not unique to copying files across a VPN tunnel

--sk