01-21-2016 10:25 AM - edited 02-21-2020 08:38 PM
Hello,
I have found a problem with users trying to download/file transfer from my AnyConnect remote access VPN. This is hosted by an ASA 5512X.
I have run iperf tests without the VPN, while connected to the VPN on my LAN, and at home with a 50 mb/s internet connection. I have uploaded two text documents with the results of these tests in them.
The findings of the tests lead me to believe it is the ASA causing me to lose so much bandwidth. I know encryption and the VPN session will slow you down, but I find it hard to believe that I am losing this much bandwidth through the ASA.
BTW, I have already ensured the speed on everything is hard-set to 1000-full. Our LAN has a 10GB backbone.
If you have any advice on things I can check, it would be greatly appreciated.
Thanks
-Austin
01-21-2016 11:22 AM
The first thing that worries me is having the speed/duplex hard configured. Are the ports on the other end definitely using a fixed speed/duplex as well?
Both ends either have to have a fixed speed/duplex or both be auto - or you are guaranteed to have a problem.
The encryption will not have an effect that large. You should be able to get a good 100Mb/s to 200Mb/s of crypto on a 5512.
01-21-2016 11:32 AM
The speed/duplex on the other ends of the inside and outside interfaces are definitely hard set the same because I set those myself.
Here is the output of the show interfaces:
5512-VPN# show interface outSIDE
Interface GigabitEthernet0/0 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: OUTSIDE
MAC address 58f3.9cf7.8d23, MTU 1500
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.254.0
404170 packets input, 67176098 bytes, 0 no buffer
Received 12750 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1201720 packets output, 1001646050 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (481/420)
output queue (blocks free curr/low): hardware (454/429)
Traffic Statistics for "OUTSIDE":
404170 packets input, 59334684 bytes
1201720 packets output, 979681694 bytes
7100 packets dropped
1 minute input rate 12 pkts/sec, 2058 bytes/sec
1 minute output rate 29 pkts/sec, 26083 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 9 pkts/sec, 1587 bytes/sec
5 minute output rate 30 pkts/sec, 29221 bytes/sec
5 minute drop rate, 0 pkts/sec
5512-VPN#
5512-VPN# show interface insIDE
Interface GigabitEthernet0/1 "INSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: INSIDE
MAC address 58f3.9cf7.8d20, MTU 1500
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.0
1388367 packets input, 1363959904 bytes, 0 no buffer
Received 1908 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1291050 packets output, 832028423 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (504/409)
output queue (blocks free curr/low): hardware (487/416)
Traffic Statistics for "INSIDE":
1388552 packets input, 1337598951 bytes
1291050 packets output, 807423989 bytes
1798 packets dropped
1 minute input rate 80 pkts/sec, 10045 bytes/sec
1 minute output rate 86 pkts/sec, 8681 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 39 pkts/sec, 4172 bytes/sec
5 minute output rate 45 pkts/sec, 5455 bytes/sec
5 minute drop rate, 0 pkts/sec
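The duplex question raised earlier and the interface counters pasted above can be checked mechanically. As an added example (not from this thread or from Cisco), here is a small Python parser for ASA `show interface` output that pulls out configured/operational speed and duplex plus the layer-1 counters and flags the usual mismatch signatures (late collisions, CRC/runts, non-full duplex) and the ASA's own drop ratio; the sample text is constructed from the OUTSIDE block above, and the 1% drop threshold is my assumption.

```python
import re

# Constructed sample in the format of the ASA "show interface" output pasted
# above, trimmed to the lines the parser reads (counters copied from OUTSIDE).
SAMPLE_OUTSIDE = """\
Interface GigabitEthernet0/0 "OUTSIDE", is up, line protocol is up
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
404170 packets input, 67176098 bytes, 0 no buffer
Received 12750 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1201720 packets output, 1001646050 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
7100 packets dropped
"""

COUNTERS = ("packets input", "packets output", "runts", "giants", "input errors",
            "CRC", "output errors", "late collisions", "collisions", "packets dropped")

def parse_show_interface(text):
    """Pull name, duplex/speed and L1 error counters out of one interface block."""
    name = re.search(r'Interface (\S+) "([^"]+)"', text)
    # ASA prints the configured value first and the operational value in
    # parentheses, e.g. Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps).
    link = re.search(r'([\w-]+)-Duplex\((\w+)-duplex\), ([\w-]+)(?: Mbps)?\((\d+) Mbps\)', text)
    stats = {"interface": name.group(1), "nameif": name.group(2),
             "duplex_cfg": link.group(1), "duplex": link.group(2),
             "speed_cfg": link.group(3), "speed": int(link.group(4))}
    for n, key in re.findall(r'(\d+) (%s)' % "|".join(COUNTERS), text):
        stats.setdefault(key, int(n))   # first hit wins (hardware counters)
    return stats

def assess(stats, drop_pct_limit=1.0):
    """Return the findings an L1/duplex check would raise; empty means clean."""
    findings = []
    if stats["duplex"] != "Full":
        findings.append("link is running %s-duplex" % stats["duplex"])
    if stats["late collisions"]:
        findings.append("late collisions: this side half, far end full (mismatch)")
    if stats["CRC"] or stats["runts"]:
        findings.append("CRC/runts: bad cable or far end half-duplex")
    total = stats["packets input"] + stats["packets output"]
    pct = 100.0 * stats["packets dropped"] / total if total else 0.0
    if pct > drop_pct_limit:   # assumed threshold, tune for your traffic mix
        findings.append("%.2f%% of packets dropped by the ASA itself" % pct)
    return findings

if __name__ == "__main__":
    s = parse_show_interface(SAMPLE_OUTSIDE)
    print(s["nameif"], s["duplex"], s["speed"], assess(s) or "no L1 problems")
```

A clean result on both interfaces, as here, argues against a speed/duplex problem and points the investigation elsewhere.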
01-21-2016 11:43 AM
To quickly rule out an MTU issue can you note the value you have for the below command (if any) and change it to the below:
sysopt connection tcpmss 1000
If this has no impact remove it again or change it back to what you currently have set.
It is possible to set the MSS in other places. Can you do a quick scan over your config for other references to mss? If they exist, can you temporarily change them to 1000 please, test, and if there is no difference change them back.
01-21-2016 11:52 AM
I had no sysopt connection tcpmss commands in the ASA. I entered this command and it had no effect on the speeds.
01-21-2016 11:55 AM
You have a 50MB/s link at home to test with. What speed is the link the ASA plugs into?
Without using the VPN, when you are at home, can you download at speeds much faster than 1Mb/s indicated by the iperf tests? You could perhaps test this using an http server (or webmail with an attachments, etc).
01-22-2016 03:11 AM
The link the ASA plugs into is a 1-gig link. I download things at home in the 30-40 mb/s range. I tested with some downloads from Microsoft and a few other places.
01-22-2016 12:45 PM
I wonder if one of the service providers is doing traffic shaping of UDP traffic. Try configuring AnyConnect to only use TLS instead of DTLS:
webvpn
enable outside tls-only
01-25-2016 03:25 AM
I gave this a shot, but my speeds remained the same as they were with DTLS.
01-25-2016 10:39 AM
Which version of ASA code are you running? Which version of AnyConnect?
01-25-2016 11:11 AM
ASA version: 9.2(3)
ASDM version: 7.4(1)
AnyConnect version: 4.1.06020
01-25-2016 11:18 AM
I think it is a bit of a long shot, but 9.2(4) is out for the ASA, and it is a gold star release, so try going to that.
I haven't personally used the newer 4.x AnyConnect clients yet, but in that train I see 4.1.08005 is the current release, so I would try going to that version as well.
01-28-2016 03:32 AM
Sorry, it took me a few days to get the ASA upgraded since I couldn't restart it with users logged in. I finally got it upgraded this morning and there is no change in the speeds.
01-25-2016 11:20 AM
Do you have an "AnyConnect Plus or Apex" licence? If not, then there is no advantage to running AnyConnect 4.x. Let's see what the result of the upgrade is first. If no progress then I think we should go to an AnyConnect 3.x release.
01-25-2016 11:25 AM
We do have the Apex licensing. I will try upgrading the software and let you know how it goes.