Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
995
Views
0
Helpful
4
Replies

Anyconnect troughput?

tiwang
Level 3
Level 3

‎01-12-2021 12:43 AM - edited ‎01-12-2021 12:45 AM

Hi out there

I got a question which I cannot find an answer to - it sounds simple - what "troughput" can I expect trough a AnyConnect VPN tunnel?

I digged into it to verify - we are running a Cisco ASA 9.12 on a FPR-2120 chassis. It is uplinked with a dual-link portchannel - 2 x 1G - to a set of nexus 7700 - and we have a 1G internet connection in the company. According the specifications it can deliver 700 mbps on a ipsec tunnel - but nothing really stated for a AnyConnect client setup.

Here in the country is is common with 100mbps fiber links from the ISP which also delivers what is promised - but some users have higher bandwith - up to 1G also - and here comes the challenge - what troughput can be expected for those users? We can with iperf3 verify that we can get up to ~ 160mbits/sec but is this what we can expect or do we have a bottleneck somewhere in our network. I would have expected ~ 3-400mbps here... 

The ASA is not much loaded - the links are running at around:

 

Load-Interval #1: 30 seconds
30 seconds input rate 76149552 bits/sec, 9857 packets/sec
30 seconds output rate 153456560 bits/sec, 17493 packets/sec
input rate 76.15 Mbps, 9.86 Kpps; output rate 153.46 Mbps, 17.49 Kpps

 

what is other seeing on troughput here? 

 

 

What 

Labels:
0 Helpful
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎01-12-2021 02:35 AM

Hi,

AnyConnect itself doesn't have a limitation on throughput. The limitation
resides on your Firepower appliance. Since you are using 2120, you need to
check the datasheet which includes the throughput for VPN connections
depending on features enabled (file policy, ssl, etc). Below link says TLS
limitation is 475 Mbps. But go through it

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

For overall throughput, you need to check the slowest link in your network.
It can be the client side, internet, etc.

***** please remember to rate useful posts
0 Helpful

tiwang
Level 3
Level 3
In response to Mohammed al Baqari

‎01-12-2021 02:41 AM

ahh mohammed - these 475mbps is running FTD - but it is loaded with ASA and here you have ~ 700 mbps for "VPN"

our smallest links are dual-channel 1G links here - the uplinks betweeen the ASA and Nexus - and the internet connection which is 1G

Our PC's here are "decent" powerfull Windows 10 PC's with 8 or 16GB of ram - running idle and should not be the bottleneck

The ASA is solely serving as VPN Hub - no inspection or similar of the traffic - simply VPN headend

 

br ti

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to tiwang

‎01-12-2021 03:18 AM

Good. So follow the datasheet to match your deployment and find the speed.
FTD was an example.

***** please remember to rate useful posts
0 Helpful

tiwang
Level 3
Level 3
In response to Mohammed al Baqari

‎01-12-2021 04:59 AM

well - I think you have been just as long in the businiess as I have and know that Cisco specs not always are real world realistic so therefor it is interesting to know what we in fact can pull trough such a VPN hub - do we have some with a comparable setup which can share some numbers here or have you done a real world test on a ASA as VPN hub....

 

br ti

0 Helpful
Customers Also Viewed These Support Documents