- last edited on by
Hilda Arteaga
| Español | Português | Français | Русский | 日本語 | 简体中文 |
This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".
Here’s your chance to discuss more about the configuration, troubleshooting and best practices for AnyConnect secure mobility client on a Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) and its integration with other Cisco security portfolio devices and technologies like ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and Ikev2) including (but not limited to) emergency licenses, configuration, deployment and troubleshooting AnyConnect that provides the security necessary to help ensure that your organization is safe and protected in such critical situation.
To participate in this event, please use the 
button below to ask your questions
Ask questions from Monday 6 to Friday, April 17, 2020
Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds a CCNP, CCDP and CCIE #58881 certifications, and multiple vendors certifications such as ACE, PCNSE and VCP.
Pulkit Saxena works as High Touch Technical Support (HTTS) Engineer in Security Domain with Cisco bring nearly 7 years of experience in the industry to the team. He has hands on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper, (CCIE Security and JNCIA).
Jason Grudier is the Technical leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms as well as DMVPN, GETVPN, Radius, LDAP and Certificate authentications.
Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds a CCNA, CCNP CCSI, and a CCIE in security (#51487).By posting a question on this event you're giving permission to be translated in all languages we have in the community.
**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions
Hello Marvin,
Here are some key points:
1. Use AnyConnect 4.7.x or higher as we fixed some buffer and HW acceleration issues.
2. Use DTLS v1.2 or IKEv2, as they will result in higher performance. Do *not* use TLS only as a transport protocol, as this will result in decreased/poor performance.
NOTE: DTLS 1.2 support was introduced in ASA versions 9.10.x and above. Previous ASA versions do not support DTLS 1.2. Therefore, and to avoid Bug CSCvp07143 
= DTLS 1.2 and AnyConnect oMTU, the following minimum versions of ASA are required:
- 9.10(1)22 or higher - latest 9.10.x version recommended
- 9.10(2)1 or higher - latest 9.12.x version recommended
3. Depending on headend hardware in use and/or Customer specific ASA/FPR environments, configuration(s) regarding 'crypto engine accelerator-bias' should be reviewed and/or modified if applicable. Apply the appropriate bias settings that best suits the Customer environment/configuration, taking into consideration the primary transport protocol being used DTLSv1.2 or IKEv2. In your specific case this is not needed as you use a 2100 but use the below table for future reference:
4. Cipher Suite: Ideally, the AES-GCM will provide the best performance results.
5. MTU configuration on the Group Policy: Ideally the higher the better, never exceeding 1406. Suggested value being 1406 (at minimum ‘start’ at 1406, lowering only to suite Customer environment(s)
6. The AnyConnect TunnelOptimizations Custom Attribute MUST BE configured/enabled on ASA/Group Policy:
webvpn anyconnect-custom-attr TunnelOptimizationsEnabled description Tunnel Optimizations Enabled anyconnect-custom-data TunnelOptimizationsEnabled False false anyconnect-custom-data TunnelOptimizationsEnabled True true group-policy <Group Policy Name> attributes anyconnect-custom TunnelOptimizationsEnabled value True
All that being said, I've been able to get 200Mbps from a single client in my lab setup.
