07-04-2018 01:42 AM - edited 03-12-2019 05:26 AM
Hi
I have a case where a user has reported poor performance over remote access VPN using AnyConnect. The user has a 300/300 fiber connection at home, plenty of bandwidth and low latency. During file transfers over VPN the performance has degraded by 2/3, to around ~90 Mbps, which the user thinks is fairly unreasonable!
Things that I have considered:
1) Fragmentation - tunnel MTU is 1406, ping test maxes out at 1379, leaving 1378 as the optimal value. Validated with Wireshark using ip.flags.mf == 1; it came out empty.
2) Latency - about 10 - 15ms, so ruling out bandwidth delay product
3) Look at firewall specs - the ASA 5525-X has 300 Mbps 3DES/AES throughput. How should this number be interpreted?
4) Firepower - how much performance is lost due to firepower operations?
5) Users - currently connected users is 43, most seen 82. How are resources allocated between them? I'm thinking this must affect crypto performance.
Br,
Michael
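The fragmentation check in point 1 is a manual DF-bit ping sweep. The script below is an added example (not from the original post) that automates it: a binary search over the ICMP payload size with a pluggable probe, plus the 20-byte IPv4 / 8-byte ICMP / 20-byte TCP header arithmetic that turns the largest passing payload into a path MTU and a TCP MSS. The real probe assumes Linux iputils ping (`-M do` sets DF, `-s` is payload bytes); the `simulated_path` probe and its 1406-byte cutoff are constructed so the search can be exercised offline.

```python
"""Find the largest DF-bit ICMP payload that crosses a path, then derive MTU/MSS.

Added example, not code from the original thread. The probe for Linux uses
iputils ping flags (-M do = set DF, -s = payload bytes); macOS/Windows use
different flags and would need their own probe function.
"""
import subprocess
import sys
from typing import Callable

IPV4_HDR = 20   # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header
TCP_HDR = 20    # TCP header without options


def ping_df_linux(host: str, payload: int, timeout_s: int = 2, retries: int = 2) -> bool:
    """Return True if a DF-set echo with `payload` bytes gets a reply.

    Retries a couple of times so a single lost packet does not look like a
    fragmentation-needed result.
    """
    for _ in range(retries):
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        if result.returncode == 0:
            return True
    return False


def largest_passing_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload in [lo, hi] for which probe() succeeds.

    Assumes probe results are monotonic (every size below the path MTU passes,
    every size above fails), which holds for PMTU once packet loss is retried.
    1472 is the default upper bound: 1500-byte Ethernet MTU minus 28 header bytes.
    """
    if not probe(lo):
        raise RuntimeError(f"even a {lo}-byte DF probe fails; host unreachable or ICMP blocked")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """ICMP payload -> on-the-wire IPv4 packet size (the path MTU)."""
    return payload + IPV4_HDR + ICMP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits in `mtu` without fragmentation (no IP/TCP options)."""
    return mtu - IPV4_HDR - TCP_HDR


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed probe: succeeds exactly when the packet fits the given path MTU."""
    return lambda payload: path_mtu_from_payload(payload) <= path_mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda p: ping_df_linux(target, p)) if target else simulated_path(1406)
    best = largest_passing_payload(probe)
    mtu = path_mtu_from_payload(best)
    print(f"largest DF payload: {best}  path MTU: {mtu}  TCP MSS: {tcp_mss_for_mtu(mtu)}")
```

Run it with a VPN-side host as the only argument to sweep a live path; with no argument it runs against the constructed 1406-byte path and reports a 1378-byte payload, which matches the arithmetic behind a 1406 tunnel MTU.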
07-04-2018 05:41 AM
I definitely would not call it unreasonable off the bat. There are a few things I would consider to see what could be causing a slowdown and what can be done to improve:
1) Firepower definitely does cause a slowdown, especially for large flows like a file transfer. This is documented in the Cisco article below:
The performance degradation is also relative to the features turned on in the Firepower. For example, the ASA overall throughput goes down from 1 Gbps to 650 Mbps with IPS and AVC turned on. With AMP and URL, this would go down even further. I would recommend bypassing the VPN users from the Firepower as a test to see what throughput they get without Firepower.
2) TLS vs DTLS: The ASA tries to do DTLS whenever possible. This uses UDP 443 and improves performance for VPN traffic. Now, a lot of ISPs do not allow DTLS through their network, so that could be causing the users to fall back to a TLS tunnel for data. To verify, do a "show vpn-sessiondb detail anyconnect" and look for the session with the username. You should see AnyConnect-TLS or DTLS, sometimes even both. DTLS is what you want them to be on.
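The DTLS check above is easy to do for one user by eye but tedious for 40-80 sessions. The script below is an added example (not from the reply's author) that parses the session listing and flags every session whose Protocol line has no DTLS tunnel, i.e. users whose data is riding the TLS fallback. The sample text is constructed to resemble `show vpn-sessiondb detail anyconnect` output; the field labels (`Username`, `Public IP`, `Protocol`, `SSL-Tunnel`, `DTLS-Tunnel`) are assumptions, so check them against your ASA version and adjust the regexes if they differ.

```python
"""Flag AnyConnect sessions whose data path is TLS-only (no DTLS tunnel).

Added example, not code from the original thread. SAMPLE is constructed to
look like `show vpn-sessiondb detail anyconnect`; the exact labels are
assumptions about the ASA output format.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: alice has SSL + DTLS tunnels, bob fell back to SSL only.
SAMPLE = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 101
Assigned IP  : 10.20.0.11             Public IP    : 198.51.100.23
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256

Username     : bob                    Index        : 102
Assigned IP  : 10.20.0.12             Public IP    : 203.0.113.45
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
"""

USERNAME_RE = re.compile(r"^Username\s*:\s*(\S+)")
PUBLIC_IP_RE = re.compile(r"Public IP\s*:\s*(\S+)")
PROTOCOL_RE = re.compile(r"^Protocol\s*:\s*(.+?)\s*$")


@dataclass
class Session:
    username: str
    public_ip: str
    protocols: Tuple[str, ...]

    def has_dtls(self) -> bool:
        """True if any tunnel token on the Protocol line is a DTLS tunnel."""
        return any(p.upper().startswith("DTLS") for p in self.protocols)


def parse_sessions(text: str) -> List[Session]:
    """Split the listing on 'Username' lines and collect the fields we care about."""
    sessions: List[Session] = []
    current = None
    for line in text.splitlines():
        m = USERNAME_RE.match(line)
        if m:
            if current is not None:
                sessions.append(Session(**current))
            current = {"username": m.group(1), "public_ip": "", "protocols": ()}
            continue
        if current is None:
            continue  # header lines before the first session
        m = PUBLIC_IP_RE.search(line)
        if m:
            current["public_ip"] = m.group(1)
        m = PROTOCOL_RE.match(line)
        if m:
            current["protocols"] = tuple(m.group(1).split())
    if current is not None:
        sessions.append(Session(**current))
    return sessions


def tls_only_users(text: str) -> List[str]:
    """Usernames whose session has no DTLS tunnel (candidates for the UDP 443 check)."""
    return [s.username for s in parse_sessions(text) if not s.has_dtls()]


if __name__ == "__main__":
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for s in parse_sessions(listing):
        state = "DTLS" if s.has_dtls() else "TLS-only"
        print(f"{s.username:<16} {s.public_ip:<16} {state}")
```

Pipe a saved copy of the command output into the script to get one line per session; a TLS-only user whose public IP belongs to a known ISP is the first place to look for UDP 443 being blocked.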
07-04-2018 07:06 AM
I would also try checking the cores on the client device, as the crypto operation may be limited to a single core, thus limiting throughput. 90 Mbit/s is pretty good.