05-23-2010 05:47 PM - edited 02-21-2020 04:39 PM
Currently running a pair of 5520s as VPN routers, running 8.0.3, and using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.
However, we recently tried testing some IPsec clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPsec client.
From my house, downloading via either CIFS or FTP, I can pull pretty close to 1.0 Mbps, while using AnyConnect I pull 0.1 Mbps.
Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPsec?
Clients are all Windows 7 64-bit, and the testing is being conducted on the same device.
05-23-2010 11:40 PM
One of the reasons why AnyConnect could be slower than IPsec is that AnyConnect by default uses TCP/443, while IPsec uses either the ESP protocol or UDP/4500 if the tunnel goes through a PAT device.
When comparing the TCP and UDP protocols, TCP is a connection-oriented protocol; hence the normal TCP window scaling, retransmission, etc. can slow down file transfers (FTP/CIFS) when compared to UDP.
If you would like to continue using TCP for your AnyConnect connection, you can lower the MSS size a little so there is less packet fragmentation. On the ASA, you can configure "sysopt connection tcpmss 1300".
Alternatively, for the AnyConnect connection, you can configure it to use DTLS (UDP/443), which will be negotiated first when the AnyConnect client connects; if UDP/443 is blocked, it will fall back to TLS (TCP/443). It can be configured as follows:
webvpn
dtls port
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/d2.html#wp1910316
Hope that helps.
05-25-2010 12:29 PM
I have the same problem with performance on AnyConnect. Users don't notice it as much, but on a fast internet connection (20 Mbps up/down) I get about 15/15 Mbps down/up over IPsec but am getting about 1.8/1.5 Mbps on AnyConnect. On the ASA we are running AnyConnect with DTLS. I have tried upgrading to the latest 8.3.1(4) code and have tried all the different SSL encryption options (AES, AES 256, 3DES, RC4), TLS only, and with DTLS. I see no improvement in AnyConnect tunneling at all with the different settings. I also tried different MTUs on the client, going from 1000, 1100, 1200, 1300 to 1400.
09-14-2010 06:27 AM
Same problem...
Has anyone found a solution?
Th.
09-14-2010 06:59 AM
Guys,
DTLS will eliminate some of the shortcomings of TLS, but it's not a one-shot solution for every scenario. Enabling DTLS is not the same as USING DTLS.
If compression is enabled, disable it.
The mentioned MTU problems are indeed a good place to start; much more informative would be for you to tell us how the testing was done, what protocol, etc.
Please gather a packet capture to see if information is dropped or delivered out of order.
Marcin
09-19-2014 12:18 AM
Marcin, I have a question here. Please help me with this.
I was doing a Wireshark capture on my local NIC and was trying to connect to the VPN via AnyConnect. I could only see the TLSv1 protocol communicating with the destination FW IP, but in the AnyConnect statistics I could see the transport protocol as DTLS.
Cisco AnyConnect Secure Mobility Client 3.1.05152 VPN Statistics Details
(Fri Sep 19 12:15:14 2014)
Transport Information
Protocol: DTLS
Cipher: RSA_AES_128_SHA1
Compression: None
Proxy Address: No Proxy
My question is: if the AnyConnect client is using DTLS, then we should be seeing the DTLS protocol in our capture, correct?
10-23-2010 02:38 AM
One other thought: is the HTTPS traffic being inspected somewhere? Maybe on the client end. We have often found firewall inspections slow down certain traffic. HTTP traffic is often more deeply inspected, whereas IPsec traffic is not.
10-23-2010 02:47 AM
True that; we've seen it in the past: load balancing/shaping, SSL offloading and similar stuff can impact performance. Again, something usually quite easily overcome by using DTLS ;-)
Marcin
04-12-2011 08:08 AM
Have you found any solution? We also seem to face this issue.
06-08-2011 01:20 AM
Just discovered that UDP/443 was blocked on our external firewall, thus DTLS was never in use, only TLS (visible in AnyConnect).
Now, with DTLS, the performance is around 6 times higher than it was before, even though around 2-4 times more should still be possible (in theory).
The hunt for more speed continues...
07-10-2013 08:19 AM
I'm in a similar boat. Initially installed was an ASA 5510 with 256 Meg. AnyConnect performance with a Win 7 PC, at a home with a 50 Meg down and 5 Meg up circuit, was in the low 3-4 Meg range. I have since ‘upgraded’ to an ASA with 1 Gig of memory running 8.2.5(44) code and upgraded the AnyConnect package to 3.1.00495. Performance improved to approx. 7 Meg down and 5 Meg up. I used the Speedtest.net web site; we’re in Raleigh, NC and tested to servers in the DC area.
--------------------------------
From user’s home (50 Meg down 5 Meg up, home Win 7 PC)
Without SSL:
Download: 51 Meg
Upload: 4.9 Meg
With SSL, old Fw:
Download: 3.5 Meg
Upload: 1.8 Meg
With SSL, new Fw:
Download: 6.9 Meg
Upload: 4.2 Meg
The Office where the firewall lives has a 100 Meg Metro-E link, Here is a speed test at the office (office PC).
Without SSL:
Download: 67.7 Meg
Upload: 88.3 Meg
------------------------------
Also saw
Speed test to 5510
last night at 11:30pm from my home, 10+ Meg down, 1 Meg up (basic internet service) (office laptop)
Without SSL:
Download: 14 Meg
Upload: 1 Meg
With SSL, new Fw:
Download: 7 Meg
Upload: 1 Meg
-----------------------------
Plus, we have a shared SSL VPN box (a Cisco VPN Service Module in a 6500 chassis, a State of NC shared service).
SSLed from home (10+Meg down 1 Meg up)
Without SSL:
Download: 14 Meg
Upload: 1 Meg
With SSL, to VPN Service Module
Download: 12.5 Meg
Upload: 1 Meg
SSLed from work to our ‘shared’ service (a Cisco VPN Service Module in a 6500 chassis, a State of NC shared service)
100Meg link at work
Without SSL: Ashburn, VA, 1:20pm
Download: 92.7 Meg
Upload: 90.3 Meg
With SSL: Washington DC, 1:40pm
Download: 18.6 Meg
Upload: 25.7 Meg
53 ms delay
With SSL: Ashburn, VA, 1:40pm
Download: 16.6 Meg
Upload: 32.5 Meg
33 ms delay
07-10-2013 08:26 AM
Was DTLS active while you were connected?
You see that in Anyconnect in the connection statistics.
07-10-2013 08:37 AM
Here is a current connection, pulled from ASDM. It appears to be TLS. I was wondering how to determine if the connection was DTLS or TLS. Thanks.
So applying the following will force all connections to DTLS. Is a port necessary, and how do I accommodate it in the FW config?
webvpn
dtls port
SSL-TunnelRC4 Tunnel ID: 2055.2
Assigned IP 10.52.209.63
Public IP: 98.122.146.238
Hashing: SHA1
Encapsulation: TLSv1.0
TCP Src Port 49205
TCP Dst Port 443
Authentication Mode: userPassword
Idle Time Out: 30 Minutes
Idle TO Left: 29 Minutes
Client Type: SSL VPN Client
Client Ver: Cisco AnyConnect VPN Agent for Windows 3.1.00495
Packets Tx: 134019
Packets Rx: 102097
Packets Tx Dropped: 813
Packets Rx Dropped: 0
07-10-2013 08:46 AM
Just do "dtls port 443"; that will enable it on port 443, which you probably already have open for web access to download the client. Otherwise you need to open that port.
To check it, use this command:
Result of the command: "sh vpn- any"
Username : blablabla Index : 9918
Assigned IP : 172.16.0.20 Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AES256 AES256 AES256 Hashing : SHA1 SHA1 SHA1
Bytes Tx : 822960622 Bytes Rx : 43702669
Group Policy : groupname Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:04:06 CEDT Wed Jul 10 2013
Duration : 7h:40m:33s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
[edit]
It will not force the clients to use DTLS, it will only enable it for them to use. The client still has to successfully negotiate it to use it.
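The check in the reply above ("Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel") is easy to automate across all sessions. This is an added example, not code from the thread or from Cisco: it parses saved "show vpn-sessiondb anyconnect" output and lists users whose client never negotiated a DTLS tunnel (the TLS-only fallback that a blocked UDP/443 produces). The session output, usernames and addresses are constructed; the field layout is assumed to match the quote above.

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on the "show vpn-sessiondb anyconnect" output quoted
# above; usernames, addresses and counters are made up.
SAMPLE_OUTPUT = """
Username     : alice                  Index        : 9918
Assigned IP  : 172.16.0.20            Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AES256 AES256 AES256   Hashing      : SHA1 SHA1 SHA1
Duration     : 7h:40m:33s

Username     : bob                    Index        : 9921
Assigned IP  : 172.16.0.21            Public IP    : 203.0.113.9
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : RC4 RC4                Hashing      : SHA1 SHA1
Duration     : 0h:12m:03s
"""

# A line carries one or two "Label : value" pairs separated by two or more spaces,
# so a value runs until such a gap followed by another label, or to end of line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)", re.M)

@dataclass
class Session:
    username: str
    public_ip: str
    protocols: list   # e.g. ["AnyConnect-Parent", "SSL-Tunnel", "DTLS-Tunnel"]
    encryption: list  # one cipher per tunnel, same order as protocols
    @property
    def dtls(self) -> bool:
        # "Enabled on the ASA" is not enough: only a DTLS-Tunnel entry proves negotiation.
        return "DTLS-Tunnel" in self.protocols

def parse_sessions(text: str) -> list:
    sessions = []
    for block in re.split(r"(?m)^(?=Username\s*:)", text.strip()):  # one record per user
        if block.strip():
            f = dict(PAIR_RE.findall(block))
            sessions.append(Session(f.get("Username", "?"), f.get("Public IP", "?"),
                                    f.get("Protocol", "").split(), f.get("Encryption", "").split()))
    return sessions

def tls_only(sessions: list) -> list:
    """Users stuck on the TCP/443 fallback: first place to look for blocked UDP/443."""
    return [s.username for s in sessions if not s.dtls]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"{s.username:8} {s.public_ip:15} DTLS={str(s.dtls):5} ciphers={s.encryption}")
```

Feed it the real CLI output and any user it reports is a candidate for the packet-capture and UDP/443 firewall checks discussed earlier in the thread.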
07-10-2013 08:57 AM
Will do. sh vpn-any doesn't take.
I can't seem to find the same info as in ASDM. I'm seeing only one DTLS session below.
dhr-5668-fw# sh v?
version vlan vpdn vpn
vpn-sessiondb
dhr-5668-fw# sh vpn-sessiondb ?
detail Show detailed output
email-proxy Email-Proxy sessions
full Output formatted for data management programs
index Index of session
l2l IPsec LAN-to-LAN sessions
ratio Show VPN Session protocol or encryption ratios
remote IPsec Remote Access sessions
summary Show VPN Session summary
svc SSL VPN Client sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
| Output modifiers
dhr-5668-fw# sh vpn-sessiondb
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 23 : 1899 : 64
Clientless only : 0 : 301 : 5
With client : 23 : 1598 : 60 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 2 : 15 : 3
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 25 : 1914
License Information:
IPsec : 250 Configured : 250 Active : 2 Load : 1%
SSL VPN : 250 Configured : 250 Active : 23 Load : 9%
Active : Cumulative : Peak Concurrent
IPsec : 2 : 15 : 3
SSL VPN : 23 : 1899 : 64
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 25 : 1914
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 2 : 15 : 3
IPsec : 5 : 64 : 6
IPsecOverNatT : 10 : 167 : 11
Clientless : 23 : 1899 : 64
SSL-Tunnel : 23 : 3128 : 60
DTLS-Tunnel : 0 : 1 : 1
Totals : 63 : 5274