Performance : Anyconnect vs. IPSEC

Darthkim_2
Level 1

Currently running a pair of 5520s as VPN routers, running 8.0.3, and have been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.

However, recently we tried testing some IPSEC clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPSEC client.

From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps.

Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?

Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.

21 Replies

Jennifer Halim
Cisco Employee

One of the reasons why AnyConnect could be slower than IPSEC is that AnyConnect by default uses TCP/443, while IPSEC uses either the ESP protocol or UDP/4500 if the tunnel goes through a PAT device.

When comparing the TCP and UDP protocols, TCP is a connection-oriented protocol, hence the normal TCP window scaling, retransmission, etc. can slow down file transfer (FTP/CIFS) when compared to UDP.

If you would like to continue using TCP for your AnyConnect connection, you can lower the MSS size a little so there is less packet fragmentation. On the ASA, you can configure "sysopt connection tcpmss 1300".

Alternatively, for the AnyConnect connection, you can configure it to use DTLS (UDP/443), which would be negotiated first when the AnyConnect client connects; if UDP/443 is blocked, it will fall back to TLS (TCP/443). It can be configured as follows:

webvpn
  dtls port

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/d2.html#wp1910316

Hope that helps.

I have the same problem with performance on AnyConnect. Users don't notice it as much, but on a fast internet connection (20Mbs up/down), I get about 15/15 Mbs/sec on down/up over IPSEC but am getting about 1.8/1.5 Mbs/sec on AnyConnect. On the ASA we are running AnyConnect with DTLS. I have tried upgrading to the latest 8.3.1(4) code and have tried all the different SSL encryptions (AES, AES 256, 3DES, RC4), TLS only, with DTLS. I see no improvement with AnyConnect tunneling at all with the different settings. I also tried different MTUs on the client, going from 1000, 1100, 1200, 1300, 1400.

Same problem...

Has anyone found a solution?

Th.

Guys,

DTLS will eliminate some of the shortcomings of TLS, but it's not a one-shot solution for every scenario. Enabling DTLS is not the same as USING DTLS.

If compression is enabled, disable it.

The mentioned MTU problems are indeed a good way to start; much more informative would be for you to tell us how the testing was done, what protocol, etc.

Please gather a packet capture to see if information is dropped or delivered out of order.

Marcin

Marcin, I have a question here. Please help me on this..


I was doing a wireshark capture on my local nic, and was trying to connect to VPN via Anyconnect. I could only see a TLSV1 protocol communicating to the destination FW IP, but on the Anyconnect statistics I could see the Transport protocol as DTLS.


Cisco AnyConnect Secure Mobility Client 3.1.05152 VPN Statistics Details
(Fri Sep 19 12:15:14 2014)

Transport Information
    Protocol:    DTLS
    Cipher:    RSA_AES_128_SHA1
    Compression:    None
    Proxy Address:    No Proxy


My question here is: if the AnyConnect client is using DTLS, then we should be seeing the DTLS protocol in our capture, correct?

gherbstman
Level 1

One other thought, is the HTTPS traffic being inspected somewhere? Maybe on the client end. We have often found firewall inspections slow down certain traffic. HTTP traffic is often more deeply inspected where IPSEC traffic is not.

Byte Solutions, Managed Computer Services
https://www.bytesolutions.com 561.338.9696

True that, we've seen it in the past: load balancing/shaping, SSL offloading and similar stuff can impact performance, again something usually quite easily overcome by using DTLS ;-)

Marcin

patoberli
VIP Alumni

Have you found any solution? We also seem to face this issue

Just discovered that UDP/443 was blocked on our external firewall, thus DTLS was never in use, only TLS (visible in Anyconnect).

Now, with DTLS, the performance is around 6 times higher than it was before, even though around 2-4 times more is still possible (in theory).

The hunt for more speed continues...

I'm in a similar boat. Initially installed was an ASA 5510 with 256 Meg. AnyConnect performance with a Win 7 PC, at a home with a 50Meg down and 5Meg up circuit, was in the low 3-4Meg. I have since 'upgraded' to an ASA with 1Gig of memory running 8.2.5(44) code and upgraded AnyConnect packages to 3.1.00495. Performance improved to approx 7Meg down and 5Meg up. I used the Speedtest.net web site; we're in Raleigh, NC and tested to servers in the DC area.

--------------------------------

From User's home (50Meg down 5Meg up, home Win 7 PC)

Without SSL:
   Download: 51 Meg
   Upload: 4.9 Meg

With SSL, old Fw:
   Download: 3.5 Meg
   Upload: 1.8 Meg

With SSL, new Fw:
   Download: 6.9 Meg
   Upload: 4.2 Meg

The office where the firewall lives has a 100 Meg Metro-E link. Here is a speed test at the office (office PC).

Without SSL:
   Download: 67.7 Meg
   Upload: 88.3 Meg

------------------------------

Also saw

Speed test to 5510

Last night at 11:30pm from my home, 10+ Meg down, 1 Meg up (basic internet service) (office laptop)

Without SSL:
   Download: 14 Meg
   Upload: 1 Meg

With SSL, new Fw:
   Download: 7 Meg
   Upload: 1 Meg

-----------------------------

Plus, we have a shared SSL VPN box (a Cisco VPN Service Module in a 6500 chassis) (a state of NC shared service).

SSLed from home (10+Meg down 1 Meg up)

Without SSL:
   Download: 14 Meg
   Upload: 1 Meg

With SSL, to VPN Service Module:
   Download: 12.5 Meg
   Upload: 1 Meg

SSLed from work to our 'shared' service (a Cisco VPN Service Module in a 6500 chassis) (a state of NC shared service)

100Meg link at work

Without SSL: Ashburn, VA, 1:20pm
   Download: 92.7 Meg
   Upload: 90.3 Meg

With SSL: Washington DC, 1:40pm
   Download: 18.6 Meg
   Upload: 25.7 Meg
   53 ms delay

With SSL: Ashburn, VA, 1:40pm
   Download: 16.6 Meg
   Upload: 32.5 Meg
   33 ms delay

Was DTLS active while you were connected?

You see that in Anyconnect in the connection statistics.

Here is a current connection, pulled from ASDM. It appears to be TLS. I was wondering how to determine if the connection was DTLS or TLS. Thanks.

So applying the following will force all connections to DTLS? Is a port necessary, and how do I accommodate it in the Fw config?

webvpn
  dtls port

SSL-TunnelRC4    Tunnel   ID: 2055.2
Assigned IP 10.52.209.63
Public IP: 98.122.146.238
Hashing: SHA1
Encapsulation: TLSv1.0
TCP Src Port 49205
TCP Dst Port 443
Authentication Mode: userPassword
Idle Time Out: 30 Minutes
Idle TO Left: 29 Minutes
Client Type: SSL VPN Client
Client Ver: Cisco AnyConnect VPN Agent for Windows 3.1.00495
Packets Tx: 134019
Packets Rx: 102097
Packets Tx Dropped: 813
Packets Rx Dropped: 0

Just do "dtls port 443"; that will enable it on port 443, which you probably already have open for the web access to download the client. Otherwise you need to open that port.

To check it, use this command:

Result of the command: "sh vpn- any"

Username     : blablabla               Index        : 9918
Assigned IP  : 172.16.0.20          Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES256 AES256 AES256   Hashing      : SHA1 SHA1 SHA1
Bytes Tx     : 822960622              Bytes Rx     : 43702669
Group Policy : groupname              Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:04:06 CEDT Wed Jul 10 2013
Duration     : 7h:40m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


[edit]

It will not force the clients to use DTLS, it will only enable it for them to use. The client still has to successfully negotiate it to use it.
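The check described in this reply (look for DTLS-Tunnel in each session's Protocol line, not just SSL-Tunnel) can be scripted. This is an added example, not code from the thread or from Cisco; it parses constructed output in the same "show vpn-sessiondb anyconnect" layout quoted above and lists sessions that fell back to TLS over TCP/443.

```python
# Added example: flag AnyConnect sessions that did not negotiate DTLS.
# A session whose Protocol line has SSL-Tunnel but no DTLS-Tunnel is running
# over TCP/443 only, the case that shows the slowdown discussed in the thread.
import re

# Constructed sample modelled on the "sh vpn-sessiondb anyconnect" format
# quoted in the thread (usernames and addresses are made up).
SAMPLE = """\
Username     : alice                  Index        : 9918
Assigned IP  : 172.16.0.20          Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES256 AES256 AES256   Hashing      : SHA1 SHA1 SHA1

Username     : bob                    Index        : 9920
Assigned IP  : 172.16.0.21          Public IP    : 203.0.113.11
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AES256 AES256          Hashing      : SHA1 SHA1
"""


def parse_sessions(text):
    """Return one dict per session: username and the list of tunnel protocols."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:
            current = {"username": m.group(1), "protocols": []}
            sessions.append(current)
            continue
        m = re.match(r"Protocol\s*:\s*(.+)", line)
        if m and current is not None:
            current["protocols"] = m.group(1).split()
    return sessions


def tls_only_sessions(text):
    """Usernames whose session carries an SSL-Tunnel but no DTLS-Tunnel."""
    return [s["username"] for s in parse_sessions(text)
            if "SSL-Tunnel" in s["protocols"]
            and "DTLS-Tunnel" not in s["protocols"]]


if __name__ == "__main__":
    for name in tls_only_sessions(SAMPLE):
        print(f"{name}: DTLS not negotiated, tunnel is TCP/443 only (check UDP/443 path)")
```

Feed it the real command output instead of SAMPLE to get the list of users whose UDP/443 path is blocked somewhere between client and ASA.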

Dan Schauss
Level 1

Will do. "sh vpn-any" doesn't take.

I can't seem to find the same info as from ASDM. Seeing only one DTLS session below.

dhr-5668-fw# sh v?
  version          vlan    vpdn    vpn
  vpn-sessiondb

dhr-5668-fw# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers

dhr-5668-fw# sh vpn-sessiondb

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :      23 :       1899 :              64
    Clientless only     :       0 :        301 :               5
    With client         :      23 :       1598 :              60 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       2 :         15 :               3
  IPsec Remote Access   :       0 :          0 :               0
  VPN Load Balancing    :       0 :          0 :               0
  Totals                :      25 :       1914

License Information:
  IPsec   :    250    Configured :    250    Active :      2    Load :   1%
  SSL VPN :    250    Configured :    250    Active :     23    Load :   9%

                            Active : Cumulative : Peak Concurrent
  IPsec               :          2 :         15 :               3
  SSL VPN             :         23 :       1899 :              64
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :         25 :       1914

Tunnels:
                      Active : Cumulative : Peak Concurrent
  IKE           :          2 :         15 :               3
  IPsec         :          5 :         64 :               6
  IPsecOverNatT :         10 :        167 :              11
  Clientless    :         23 :       1899 :              64
  SSL-Tunnel    :         23 :       3128 :              60
  DTLS-Tunnel   :          0 :          1 :               1
  Totals        :         63 :       5274