Solved: ASA-5505 / S2S good / RemoteAccess with AnyConnect slow

Christian Vielhauer · ‎09-08-2013

Hi all,

i am using two ASA 5505 at to sites. VPN between both works fine and fast as our ISP allows (~10MBit up/down).

At home i have normal ADSL (~600kbit up / 6MBit down)

Downloading files from home on internal server is fast, but when i connect through AnyConnect it's horrible slow.

Both with the same zipfile on http-server:

Download-Speed with AnyConnect: 90-120KB/s

Download-Speed without AnyConnect: 660KB/s

Downloading the same file on client at the other site of the server of the Site-2-Site VPN works fast with 945KB/s.

I thought it might be an ServicePolicyRule with QoS, but there is only the default Rule, where the QoS tab is not available and only ProtocolInspections are selectable.

ASA 9.1.2

ASDM 7.1.3

AnyConnect Client 3.1.04063

Any idea or suggestions?

Kindly regards

Chris

npokhriy · ‎09-13-2013

Hi Chris,

Try to lower down the anyconnect mtu value "anyconnect mtu 1300" in group-policy and then test the issue.

You are seeing slowness for internet traffic or for accessinng the servers behind ASA?

Are you using split-tunnel on ASA?

Regards,

Naresh

View solution in original post

paolo bevilacqua · ‎09-09-2013

Wrong forum, post in "Security - VPN". You can move your posting with the Actions panel on the right.

Christian Vielhauer · ‎09-12-2013

Has nobody any idea what i can do or try?

npokhriy · ‎09-12-2013

Hi Christian,

Try to enable DTLS in group-policy and disable compression.

You can do it usiong following commands:-

group-policy test attributes

webvpn

anyconnect ssl dtls enable

anyconnect ssl compression none

anyconnect dtls compression none

Regards,

Naresh

Christian Vielhauer · ‎09-13-2013

Hi Naresh,

thank u for your answer.

I tried it, but unfortunately it doesn't fix my problem.

The configuration seems to be ok, because in the Statistics window of the AnyConnect Client is now DTLS the used Transport Protocoll with None compression.

Any other things i can try ?

Too many Users are not connected - I am the only one who actually connects through anyconnect.

Regards,

Chris

npokhriy · ‎09-13-2013

Hi Chris,

Try to lower down the anyconnect mtu value "anyconnect mtu 1300" in group-policy and then test the issue.

You are seeing slowness for internet traffic or for accessinng the servers behind ASA?

Are you using split-tunnel on ASA?

Regards,

Naresh

npokhriy · ‎09-13-2013

Try this command as well and check the performance "sysopt connection tcpmss 1300".

Christian Vielhauer · ‎09-13-2013

Hi Naresh,

I am waiting for "Please wait while ASDM is retrieving the latest AnyConnect schemas ...."-Dialog ...

It is shown for up to 5 minutes at moment accessing ASDM via AnyConnect 6M AsynchronDSL.

Accessing ASDM from internal is fast that i can't read the whole sentence of the "Please wait ...."-Dialog

Accessing ASDM from other SITE ( via 10M Synchron DSL) is same like internal.

Same while accessing internal Server from external. For example i try downloading a file from server to my client by scp and by http, too.

Forwarding port 22 to the same server and accessing it directly without anyconnect - it's 3times faster with 660kb/s.

And accessing the rdp server, which works for 2 years is actually very slow.

Sooo, now the result of the first:

Try to lower down the anyconnect mtu value "anyconnect mtu 1300" in group-policy and then test the issue.

Instead of 200kb/s i have now 462kb/s - without anyconnect i have still ~660kb/s

And result of the second:

Try this command as well and check the performance "sysopt connection tcpmss 1300".

No change - still ~460kb/s

Big THX for your help :-)

You have some more good ideas to get the last 200kb ?