piwo030
Beginner

ASAv on AWS slow internet bandwidth

Hi Folks,

I'm a little frustrated right now and really hope you can help me fix one major performance issue we have.

Short description: We are running a Cisco ASAv in AWS to connect into our cloud infrastructure over there. All traffic is routed through the SSL VPN connection. That means we use the internet breakout from AWS while we are connected with AnyConnect.

Unfortunately the bandwidth performance is horrible and I can't find the issue.

Attached are some screenshots where you can see the difference while I am connected to the VPN.

Let me provide as much detailed information as possible:

Home office details:

Internet line with 250 Mbps download and 15 Mbps upload

AWS ASAv instance:

  • c5.large instance with 10 Gbps network interfaces
  • 3x network interfaces: Management (172.20.19.250), OUTSIDE (172.20.10.250) and INSIDE (172.20.1.250)

AWS environment:

  • 2 public subnets (1 for Management, 1 for OUTSIDE)
  • 1 private subnet (for INSIDE)
  • Elastic IPs attached on the Management ENI and the OUTSIDE ENI
  • The internet connection for the INSIDE ENI goes through a NAT Gateway and an Internet Gateway

When I do a speedtest on my servers in the public and private subnets, I get around 500 Mbps up and down.

I have also attached a network plan for you.

Hope you can find the issue.

Here comes my ASAv configuration:

 

: Saved
:
: Serial Number: XXXXXXXXXXX
: Hardware:   ASAv, 4096 MB RAM, CPU Xeon 4100/6100/8100 series 3599 MHz, 1 CPU (2 cores)
:
ASA Version 9.15(1)1
!
hostname XXXXASA01
domain-name XXX.XXXXXX.XX
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool VPN-Pool 10.0.250.1-10.0.250.254 mask 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address dhcp setroute
!
interface TenGigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 172.20.10.250 255.255.255.0
!
interface TenGigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.20.1.250 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup management
dns server-group DefaultDNS
 name-server 172.20.1.10 management
 domain-name XXX.XXXXXX.XX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 23
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (OUTSIDE,INSIDE) source dynamic any interface
route OUTSIDE 0.0.0.0 0.0.0.0 172.20.10.1 1
route INSIDE 0.0.0.0 0.0.0.0 172.20.1.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server LDAP-Servers protocol ldap
aaa-server LDAP-Servers (INSIDE) host 172.20.1.10
 ldap-base-dn DC=XXX,DC=XXXXXX,DC=XX
 ldap-group-base-dn OU=XXXX - Groups,DC=XXX,DC=XXXXXX,DC=XX
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Cisco ASAv LDAP Connect,OU=XXXX - Service Accounts,DC=XXX,DC=XXXXXX,DC=XX
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 OUTSIDE
http redirect management 80
http redirect OUTSIDE 80
http redirect INSIDE 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ComodoRSA
 enrollment terminal
 subject-name CN=XXXXX.XXXXXX.XX,OU=XX XXXXX,O=XXXX,C=XX,St=XXXXX,EA=XXXXXXXX
 crl configure
crypto ca trustpoint COMODORSA
 enrollment terminal
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
 ...
  quit
crypto ca certificate chain ComodoRSA
 certificate XXXX
 ...
  quit
crypto ca certificate chain COMODORSA
 certificate ca XXXX
 ...
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ComodoRSA
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 30
ssh version 1 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ComodoRSA management
ssl trust-point ComodoRSA OUTSIDE
ssl trust-point ComodoRSA INSIDE
webvpn
 enable OUTSIDE
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-arm64-4.9.06037-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-macos-4.9.06037-webdeploy-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux64-4.9.06037-webdeploy-k9.pkg 4
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_XXXXXX internal
group-policy GroupPolicy_XXXXXX attributes
 wins-server none
 dns-server value 172.20.1.10
 vpn-tunnel-protocol ssl-client
 default-domain value XXX.XXXXXX.XX
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record VPN-Users-Group
 action terminate
username admin password ***** pbkdf2 privilege 15
username admin attributes
 service-type admin
 ssh authentication publickey XXXX hashed
tunnel-group XXXXXX type remote-access
tunnel-group XXXXXX general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP-Servers LOCAL
 default-group-policy GroupPolicy_XXXXXX
tunnel-group XXXXXX webvpn-attributes
 group-alias XXXXXX enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
  inspect snmp
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:XXXXXXX
: end

Sheraz.Salim
VIP Advocate

Could you show the output of show route on your ASAv? Also, you are missing NAT rules for AnyConnect if you are using AnyConnect for full tunnel.

Here and here is the AnyConnect configuration guide that will help you set up a best-practice configuration.

please do not forget to rate.

Hi there. Many thanks for your reply. There are two routes:

route OUTSIDE 0.0.0.0 0.0.0.0 172.20.10.1
route INSIDE 0.0.0.0 0.0.0.0 172.20.1.1 tunneled

And that's the NAT rule I have:

# sh nat

Manual NAT Policies (Section 1)
1 (outside) to (inside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
    translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
    translate_hits = 0, untranslate_hits = 0
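The reply above says NAT rules for a full-tunnel AnyConnect setup are missing, and the follow-up shows the two default routes and the single manual NAT rule. As an added check (editor's example, not code from this thread, from Cisco, or from the poster), the script below reads the relevant lines of the posted configuration and reports which interface decrypted VPN traffic will leave through, whether a NAT rule for that path covers the VPN pool, whether a hairpin rule back out of the VPN interface exists, and which management services are reachable from any source. The CONFIG string is constructed from the posted lines. Assumptions: clients terminate on OUTSIDE (from `webvpn` / `enable OUTSIDE`), and the ASA rule that a `tunneled` default route is used for decrypted VPN traffic in preference to the normal default route.

```python
"""Check an ASA running-config for the points raised in this thread.

Added example, not from the thread. CONFIG is constructed from the lines the
original poster shared (only the ones these checks need). Assumed ASA
behaviour: decrypted VPN traffic prefers a 'tunneled' default route; a
full-tunnel client that egresses the same interface it arrived on needs
'same-security-traffic permit intra-interface' plus a NAT rule for that
interface pair.
"""
import re

CONFIG = """\
ip local pool VPN-Pool 10.0.250.1-10.0.250.254 mask 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (OUTSIDE,INSIDE) source dynamic any interface
route OUTSIDE 0.0.0.0 0.0.0.0 172.20.10.1 1
route INSIDE 0.0.0.0 0.0.0.0 172.20.1.1 tunneled
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 OUTSIDE
ssh version 1 2
ssh 0.0.0.0 0.0.0.0 management
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(.*)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (?:static|dynamic) (\S+) ")
MGMT_RE = re.compile(r"^(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def parse(config):
    """Collect only the facts the checks below need from a running-config."""
    facts = {"pool": None, "default": {}, "nat": [], "mgmt_any": [],
             "intra": False, "sshv1": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            facts["pool"] = m.group(1)
        elif m := ROUTE_RE.match(line):
            kind = "tunneled" if "tunneled" in m.group(2).split() else "normal"
            facts["default"][kind] = m.group(1)
        elif m := NAT_RE.match(line):
            facts["nat"].append(m.groups())  # (ingress_if, egress_if, source_obj)
        elif m := MGMT_RE.match(line):
            facts["mgmt_any"].append(m.groups())  # (service, interface)
        elif line == "same-security-traffic permit intra-interface":
            facts["intra"] = True
        elif line.startswith("ssh version ") and "1" in line.split()[2:]:
            facts["sshv1"] = True
    return facts


def vpn_egress(facts):
    """Decrypted VPN traffic follows the tunneled default route if one exists."""
    return facts["default"].get("tunneled") or facts["default"].get("normal")


def nat_covers(facts, ingress_if, egress_if):
    """True if a manual NAT rule for (ingress,egress) matches the pool or 'any'."""
    wanted = {"any", facts["pool"]}
    return any(s == ingress_if and d == egress_if and obj in wanted
               for s, d, obj in facts["nat"])


def findings(facts, vpn_if="OUTSIDE"):
    """Return (severity, message) tuples; vpn_if is where clients terminate."""
    out = []
    egress = vpn_egress(facts)
    out.append(("info", f"decrypted VPN traffic leaves via {egress}"))
    if egress == vpn_if and not facts["intra"]:
        out.append(("error", "hairpin path needs same-security-traffic permit intra-interface"))
    if not nat_covers(facts, vpn_if, egress):
        out.append(("error", f"no NAT rule ({vpn_if},{egress}) for the VPN pool"))
    normal = facts["default"].get("normal")
    if normal and normal != egress and not nat_covers(facts, vpn_if, normal):
        out.append(("warn", f"no hairpin NAT ({vpn_if},{normal}); full tunnel breaks if the tunneled route is removed"))
    for svc, iface in facts["mgmt_any"]:
        out.append(("warn", f"{svc} access allowed from any source on interface {iface}"))
    if facts["sshv1"]:
        out.append(("warn", "ssh version 1 is enabled"))
    return out


if __name__ == "__main__":
    for sev, msg in findings(parse(CONFIG)):
        print(f"[{sev}] {msg}")
```

On the posted lines the script reports INSIDE as the egress for VPN traffic (the `tunneled` route), finds the `(OUTSIDE,INSIDE) source dynamic any interface` rule covering that path, and warns that there is no `(OUTSIDE,OUTSIDE)` hairpin rule, that `http` is accepted from any source on OUTSIDE and on the management interface (both of which carry Elastic IPs), and that `ssh version 1 2` still allows SSHv1. Whether the INSIDE rule is actually being hit is what the `translate_hits` counters in the posted `show nat` output answer, so re-check them while a client is passing traffic.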
Peter Koltl
Frequent Contributor

Does it have similar performance when DTLS is disabled?

Yes Peter, noted the same issue with DTLS.

please do not forget to rate.