
ASAv on AWS slow internet bandwidth

Hi Folks,


I’m a little frustrated right now and really hope you can help me fix one major performance issue we have.


Short description: We are running a Cisco ASAv in AWS to connect into our cloud infrastructure over there. All traffic is routed through the SSL VPN connection. That means we use the internet breakout from AWS while we are connected with AnyConnect.


Unfortunately the bandwidth performance is horrible and I can’t find the issue.

Attached are some screenshots where you can see the differences while I am connected with VPN.


Let me provide as much detailed information as possible:


Home office details:

Internet line with 250 Mbps download and 15 Mbps upload


AWS ASAv Instance:

  • c5.large instance with 10Gbps network interfaces
  • 3x network interfaces: Management (, OUTSIDE ( and INSIDE (


AWS Environment

  • 2 public subnets (1 for Management, 1 for OUTSIDE)
  • 1 private subnet (for INSIDE)
  • Elastic IPs attached on Management ENI and OUTSIDE ENI
  • The internet connection for INSIDE ENI is going through a NAT Gateway and Internet Gateway


When I do a speedtest on my servers in my public and private subnets, I get around 500 Mbit/s up and down.


I have also attached a network plan for you.


Hope you can find the issue.


Here comes my ASAv configuration:


: Saved


: Serial Number: XXXXXXXXXXX

: Hardware:   ASAv, 4096 MB RAM, CPU Xeon 4100/6100/8100 series 3599 MHz, 1 CPU (2 cores)


ASA Version 9.15(1)1


hostname XXXXASA01

domain-name XXX.XXXXXX.XX

enable password ***** pbkdf2

service-module 0 keepalive-timeout 4

service-module 0 keepalive-counter 6


no mac-address auto

ip local pool VPN-Pool mask


interface Management0/0


 nameif management

 security-level 100

 ip address dhcp setroute


interface TenGigabitEthernet0/0

 nameif OUTSIDE

 security-level 0

 ip address


interface TenGigabitEthernet0/1

 nameif INSIDE

 security-level 100

 ip address


ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup management

dns server-group DefaultDNS

 name-server management

 domain-name XXX.XXXXXX.XX

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 23

mtu management 1500

mtu OUTSIDE 1500

mtu INSIDE 1500

no failover

no failover wait-disable

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (OUTSIDE,INSIDE) source dynamic any interface

route OUTSIDE 1

route INSIDE tunneled

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

aaa-server LDAP-Servers protocol ldap

aaa-server LDAP-Servers (INSIDE) host

 ldap-base-dn DC=XXX,DC=XXXXXX,DC=XX

 ldap-group-base-dn OU=XXXX - Groups,DC=XXX,DC=XXXXXX,DC=XX

 ldap-scope subtree

 ldap-naming-attribute sAMAccountName

 ldap-login-password *****

 ldap-login-dn CN=Cisco ASAv LDAP Connect,OU=XXXX - Service Accounts,DC=XXX,DC=XXXXXX,DC=XX

 server-type microsoft

user-identity default-domain LOCAL

aaa authentication login-history

http server enable

http management


http redirect management 80

http redirect OUTSIDE 80

http redirect INSIDE 80

no snmp-server location

no snmp-server contact

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption aes

 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption aes

 protocol esp integrity sha-1

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map OUTSIDE_map interface OUTSIDE

crypto ca trustpoint _SmartCallHome_ServerCA

 no validation-usage

 crl configure

crypto ca trustpoint ComodoRSA

 enrollment terminal


 crl configure

crypto ca trustpoint COMODORSA

 enrollment terminal

 crl configure

crypto ca trustpool policy


crypto ca certificate chain _SmartCallHome_ServerCA

 certificate ca 0509



crypto ca certificate chain ComodoRSA

 certificate XXXX



crypto ca certificate chain COMODORSA

 certificate ca XXXX



crypto ikev2 policy 1

 encryption aes-256

 integrity sha256

 group 5

 prf sha256

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha256

 group 5

 prf sha256

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha256

 group 5

 prf sha256

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption aes

 integrity sha256

 group 5

 prf sha256

 lifetime seconds 86400

crypto ikev2 enable OUTSIDE client-services port 443

crypto ikev2 remote-access trustpoint ComodoRSA

telnet timeout 5

ssh stricthostkeycheck

ssh timeout 30

ssh version 1 2

ssh key-exchange group dh-group14-sha256

ssh management

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ComodoRSA management

ssl trust-point ComodoRSA OUTSIDE

ssl trust-point ComodoRSA INSIDE


 enable OUTSIDE




   max-age 31536000


   no preload






 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1

 anyconnect image disk0:/anyconnect-win-arm64-4.9.06037-webdeploy-k9.pkg 2

 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 3

 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 4

 anyconnect enable

 tunnel-group-list enable



 error-recovery disable

group-policy GroupPolicy_XXXXXX internal

group-policy GroupPolicy_XXXXXX attributes

 wins-server none

 dns-server value

 vpn-tunnel-protocol ssl-client

 default-domain value XXX.XXXXXX.XX

dynamic-access-policy-record DfltAccessPolicy

dynamic-access-policy-record VPN-Users-Group

 action terminate

username admin password ***** pbkdf2 privilege 15

username admin attributes

 service-type admin

 ssh authentication publickey XXXX hashed

tunnel-group XXXXXX type remote-access

tunnel-group XXXXXX general-attributes

 address-pool VPN-Pool

 authentication-server-group LDAP-Servers LOCAL

 default-group-policy GroupPolicy_XXXXXX

tunnel-group XXXXXX webvpn-attributes

 group-alias XXXXXX enable


class-map inspection_default

 match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

 class inspection_default

  inspect ip-options

  inspect netbios

  inspect rtsp

  inspect sunrpc

  inspect tftp

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect esmtp

  inspect sqlnet

  inspect sip

  inspect skinny

  inspect snmp

policy-map type inspect dns migrated_dns_map_2


  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map type inspect dns migrated_dns_map_1


  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection


service-policy global_policy global

prompt hostname context

call-home reporting anonymous


 profile CiscoTAC-1

  no active

  destination address http

  destination address email

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

 profile License

  destination address http

  destination transport-method http


: end

VIP Advocate

Could you show the output of show route on your ASAv? Also, you are missing NAT rules for AnyConnect if you are using AnyConnect for full tunnel.


Here and here is the AnyConnect configuration guide that will guide you to set up a best-practice configuration.

please do not forget to rate.
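The reply above mentions NAT rules for AnyConnect full tunnel without showing them. The following is an added example, not configuration from the thread or from Cisco's guide: it is the usual pair of twice-NAT rules for clients whose decrypted traffic leaves via INSIDE toward the AWS NAT Gateway (the "route INSIDE ... tunneled" case in the posted config). The pool subnet 10.200.0.0/24 and the private subnet 10.0.2.0/24 are placeholders, since the thread elides the real addresses; object names are invented for the example.

```cisco
! Placeholder objects; substitute the real AnyConnect pool and private subnet.
object network VPN-Pool-Net
 subnet 10.200.0.0 255.255.255.0
object network AWS-Private
 subnet 10.0.2.0 255.255.255.0
!
! 1. Pool <-> private subnet: identity NAT (the classic "NAT exempt"), so
!    clients keep their pool address toward the servers and replies are
!    routed back to the ASAv instead of being translated.
nat (OUTSIDE,INSIDE) source static VPN-Pool-Net VPN-Pool-Net destination static AWS-Private AWS-Private no-proxy-arp route-lookup
!
! 2. Everything else from the pool: PAT to the INSIDE interface address.
!    The AWS NAT Gateway translates once more on the way to the internet.
!    Scoped to the pool object rather than 'any', and placed after-auto so
!    the identity rule in section 1 is evaluated first.
nat (OUTSIDE,INSIDE) after-auto source dynamic VPN-Pool-Net interface
!
! 3. Variant: no tunneled route, VPN traffic hairpins back out OUTSIDE.
!    Then the PAT must be on OUTSIDE and intra-interface traffic allowed.
! same-security-traffic permit intra-interface
! nat (OUTSIDE,OUTSIDE) after-auto source dynamic VPN-Pool-Net interface
```

Two AWS-side checks go with rule 1: the private subnet's VPC route table needs a route for the pool subnet pointing at the ASAv's INSIDE ENI, and source/destination checking must be disabled on that ENI, otherwise AWS drops the server replies addressed to pool IPs before they reach the ASAv. Rule 2 needs neither, because the source becomes the INSIDE ENI's own address. After applying, "show nat" should show translate_hits climbing on rule 2 while a client is browsing; a rule that stays at zero is not on the path the traffic actually takes.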

Hi there. Many thanks for your reply. There are two routes:


route INSIDE tunneled


And that's the NAT rule I have:

# sh nat

Manual NAT Policies (Section 1)
1 (outside) to (inside) source dynamic any interface 
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface 
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6 
    translate_hits = 0, untranslate_hits = 0
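The route and "show nat" output posted above are the two things the thread keeps coming back to, together with Peter's DTLS question below. The following is an added example, not code from the thread: a small offline check that parses a running-config excerpt and a "show nat" excerpt and flags the usual reasons a full-tunnel AnyConnect client has slow or no internet through the ASA. Both inputs are constructed here in the shape of the posted ones; the pool range, next hops and subnets are placeholders because the thread elides them, and the group-policy name is shortened.

```python
"""Offline sanity checks for an ASA AnyConnect full-tunnel setup.

Added example, not part of the original thread. It flags: no 'tunneled'
default route, no NAT rule carrying the VPN pool from the VPN interface to
the egress interface, a matching NAT rule that VPN traffic never hits,
a hairpin path without intra-interface permission, and DTLS switched off.
"""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. Pool range, next hops
# and subnets are placeholders; the thread does not show the real ones.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 10.200.0.10-10.200.0.200 mask 255.255.255.0
interface TenGigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
interface TenGigabitEthernet0/1
 nameif INSIDE
 security-level 100
same-security-traffic permit intra-interface
nat (OUTSIDE,INSIDE) source dynamic any interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.1.1 1
route INSIDE 0.0.0.0 0.0.0.0 10.0.2.1 tunneled
webvpn
 enable OUTSIDE
 anyconnect enable
group-policy GroupPolicy_X attributes
 vpn-tunnel-protocol ssl-client
"""

# Constructed 'show nat' excerpt in the form posted (lower-case nameifs).
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (outside) to (inside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (dynamic|static) (\S+) (\S+)", re.M)
HIT_RE = re.compile(r"^\s*(\d+) \((\S+)\) to \((\S+)\) (.+)\n\s*translate_hits = (\d+), untranslate_hits = (\d+)", re.M)


def tunneled_egress(config):
    """(interface, True) for the 'tunneled' default route, which the ASA uses
    for decrypted VPN traffic; otherwise (interface, False) for the normal one."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ tunneled$", config, re.M)
    if m:
        return m.group(1), True
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: \d+)?$", config, re.M)
    return (m.group(1), False) if m else (None, False)


def vpn_landing_interface(config):
    """Interface AnyConnect terminates on: 'enable <nameif>' under webvpn."""
    m = re.search(r"^webvpn\n(?: .*\n)*? enable (\S+)", config, re.M)
    return m.group(1) if m else None


def pool_range(config):
    """(first, last) address of the 'ip local pool', or None."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    return (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))) if m else None


def network_objects(config):
    """name -> ip_network for 'object network X' / ' subnet A M' definitions."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(r"^object network (\S+)\n subnet (\S+) (\S+)", config, re.M)}


def covers_pool(src_obj, config):
    """True if a NAT source of 'any' or a subnet object contains the whole pool."""
    if src_obj in ("any", "any4"):
        return True
    net, pool = network_objects(config).get(src_obj), pool_range(config)
    return bool(net and pool and pool[0] in net and pool[1] in net)


def nat_hits(show_nat):
    """[(number, src_if, dst_if, rule, translate_hits, untranslate_hits), ...]"""
    return [(int(n), a, b, rule.strip(), int(t), int(u)) for n, a, b, rule, t, u in HIT_RE.findall(show_nat)]


def dtls_enabled(config):
    """DTLS is on by default; only 'anyconnect ssl dtls none' in a group-policy turns it off."""
    return re.search(r"^ anyconnect ssl dtls none$", config, re.M) is None


def audit(config, show_nat=""):
    """Return a list of human-readable findings (empty list means nothing to flag)."""
    findings = []
    landing = vpn_landing_interface(config) or ""
    egress, tunneled = tunneled_egress(config)
    egress = egress or ""
    if not tunneled:
        findings.append(f"no tunneled default route: VPN traffic follows the normal default route out {egress}")
    if not [r for r in NAT_RE.findall(config) if r[0] == landing and r[1] == egress and covers_pool(r[3], config)]:
        findings.append(f"no NAT rule translating pool traffic from {landing} to {egress}")
    # The posted 'show nat' output shows nameifs in lower case, so compare case-insensitively.
    for n, a, b, rule, t, _ in nat_hits(show_nat):
        if a.upper() == landing.upper() and b.upper() == egress.upper() and t == 0:
            findings.append(f"NAT rule {n} ({rule}) has translate_hits = 0: VPN traffic is not using it")
    if landing and landing == egress and "same-security-traffic permit intra-interface" not in config:
        findings.append("hairpin path needs 'same-security-traffic permit intra-interface'")
    if not dtls_enabled(config):
        findings.append("DTLS disabled: AnyConnect falls back to TLS over TCP, which costs throughput")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, SAMPLE_SHOW_NAT) or ["nothing to flag"]:
        print("-", line)
```

Run against the constructed excerpts it reports one thing: the (OUTSIDE,INSIDE) rule exists and covers the pool, but its translate_hits counter is zero, so whatever path the client traffic takes, it is not this rule. That is the check to repeat on the real box while a client is downloading: a counter that stays at zero means the traffic is leaving somewhere else (or not at all), and the route and NAT questions in the thread are still open; a counter that climbs moves the suspicion to the tunnel itself (DTLS, MTU, the ASAv's licensed throughput).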
Peter Koltl
Frequent Contributor

Does it have similar performance when DTLS is disabled?

Yes Peter, noted the same issue with DTLS.

please do not forget to rate.