Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
996
Views
0
Helpful
1
Replies

experincing slowness to access application servers with SSLVPN

vinodjad1234
Level 2
Level 2

‎08-28-2011 11:45 PM

Hi Experts,

I have issue with SSLVPN . details explaination is as below :

We have main office(Data Center )  in US ( Texas ) and service center in India from where we support globally. we one one third party client who is sitting in india ( Not in service center but different location ( city or office ) .

The clients who are sitting at different location , they connect to SSLVPN from there own network and they access our office application servers or intranet.

currently they are facing issue with slowness when they try to access any application through SSLVPN.

Could anyone suggest for doing workaround for mentioned issue ?

As of now , I checked utilization of our MPLS cloud link which is very low ( 10mps - only 2mps utilization. ) Secondly i asked user to tracert the the destination ip .

If you could give some idea about workaround , it would be great help for me to dig out the issue.

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

Parminder Sian
Level 1
Level 1

‎08-31-2011 12:41 AM

Hi Vinod,

Datagram Transport Layer Security (DTLS) avoids  latency and bandwidth problems associated with some SSL-only  connections, including AnyConnect connections, and improves the  performance of real-time applications that are sensitive to packet  delays. DTLS allows the AnyConnect client that establishes an SSL VPN  connection to use two simultaneous tunnels, an SSL tunnel and a DTLS  tunnel.

If you use DTLS, it avoids latency and bandwidth problems associated  with some SSL connections and improves the performance of real-time  applications that are sensitive to packet delays. DTLS is a  standards-based SSL protocol that provides a low-latency data path that  uses UDP. DTLS can be enabled with the svc dtls enable command, as shown:

hostname(config)#group-policy sales attributes

hostname(config-group-policy)#webvpn

hostname(config-group-webvpn)#svc dtls enable

Also, if you disable compression and df-bit-ignore, latency and bandwidth problems are reduced. df-bit-ignore can be enabled and compression can be disabled as shown here:

hostname(config)#group-policy  attributes
hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)#svc df-bit-ignore enable
hostname(config-group-webvpn)#svc routing-filtering-ignore enable
hostname(config-group-webvpn)#svc mtu 1200
hostname(config-group-webvpn)#svc compression none

Also, modifying outside ACLs on ASA to allow UDP port 443 will resolve the latency issue.

Hope this helps,

Sian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents