Slow speed with Anyconnect VPN

Net_Stef
Beginner

Hello all,

I use a Cisco ASA 5505 with AnyConnect installed. I have a 50Mbps Internet feed, and when I connect to the AnyConnect VPN, my speed is limited to around 3Mbps.

I'm pasting here the configuration file of ASA. What are the possible reasons of this behavior?


Thanks in advance,

Stef

1 Accepted Solution

This is because my internet connection is asymmetrical, and upload speed is around 5Mbps.

15 Replies

omz
VIP Alumni

Hi,

One possible reason can be a valid license.

Hello omz,

These are the specs of my license:

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 24 perpetual
Total UC Proxy Sessions : 24 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Spooster IT Services
Rising star

Hi,

Please answer the below queries:

Internet feed to your Laptop/Home PC(Home Internet) is 50 Mbps, right?
What is the speed/bandwidth of your Office Internet?
How are you testing the speed from your Laptop/Home PC?

If your office Internet speed is lower and you are testing Internet speed while connected to AnyConnect, you can use the split tunneling feature to send Internet traffic directly out from your Laptop/Home PC.


Split tunneling makes it so that only VPN traffic destined for the company's network goes through the VPN tunnel. All other traffic goes through the user's normal Internet connection. The split tunnel policy defines which subnets' traffic will be encrypted.


Here is the link explaining how to configure the Split tunnel.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

Spooster IT Services Team

Hello,

To answer your questions:

Internet feed to your Laptop/Home PC(Home Internet) is 50 Mbps, right?

Right


What is the speed/bandwidth of your Office Internet?

Much more than 50 Mbps


How are you testing the speed from your Laptop/Home PC?

I'm testing via Speedtest, also tested by downloading test files.


I do not want to use split tunneling, since I want all traffic to pass through the tunnel.

Shakti Kumar
Cisco Employee

Hi Net_Stef,

Let us first look at the outputs and check what the tunnel looks like.

Please share the output of the following command when you connect using AnyConnect:

sh vpn-sessiondb detail anyconnect

After that, apply the capture using the command below:

capture asp type asp-drop all

Perform a small file transfer over the VPN and then share the output of the capture using the command:

sh capture asp

 

Thanks

Shakti

Hello Shakti,


This is the output you need:

PIGAL# sh vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : stef.xen Index : 9
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 21558143 Bytes Rx : 973890
Pkts Tx : 16648 Pkts Rx : 10339
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_ANYCONNECT Tunnel Group : ANYCONNECT
Login Time : 21:59:11 EEST Tue Jun 18 2019
Duration : 0h:01m:49s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 9.1
Public IP : 5.144.192.91
Encryption : none Hashing : none
TCP Src Port : 49852 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 7514 Bytes Rx : 766
Pkts Tx : 5 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 9.2
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Encryption : AES256 Hashing : SHA1
Encapsulation: TLSv1.0 TCP Src Port : 49855
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 7566 Bytes Rx : 601
Pkts Tx : 6 Pkts Rx : 6
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 9.3
Assigned IP : 10.10.5.10 Public IP : 5.144.192.91
Encryption : AES256 Hashing : SHA1
Encapsulation: DTLSv1.0 UDP Src Port : 54072
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 1440 Minutes Conn TO Left : 1438 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.5.04029
Bytes Tx : 22196507 Bytes Rx : 982721
Pkts Tx : 17112 Pkts Rx : 10571
Pkts Tx Drop : 0 Pkts Rx Drop : 0

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 112 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :


PIGAL# sh capture asp

30 packets captured

1: 22:13:13.613447 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 22:13:17.619383 802.1Q vlan#1234 P0 216.146.43.70.80 > 10.10.2.100.33894: R 1595073468:1595073468(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
3: 22:13:21.844743 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134
4: 22:13:28.776922 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
5: 22:13:29.499867 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
6: 22:13:30.262956 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
7: 22:13:31.270478 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
8: 22:13:34.305221 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
9: 22:13:37.268708 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
10: 22:13:37.758505 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
11: 22:13:39.128899 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
12: 22:13:39.211536 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
13: 22:13:40.291763 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137
14: 22:13:43.308440 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
15: 22:13:43.658581 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
16: 22:13:46.318114 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
17: 22:13:51.996713 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134 Drop-reason: (sp-security-failed) Slowpath security checks failed
18: 22:14:02.828509 802.1Q vlan#1234 P0 216.146.43.70.80 > 10.10.2.100.33910: R 161235794:161235794(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
19: 22:14:05.097361 802.1Q vlan#1234 P0 131.186.113.70.80 > 10.10.5.10.50257: R 438254390:438254390(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
20: 22:14:10.868439 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
21: 22:14:11.272660 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
22: 22:14:12.009719 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
23: 22:14:13.606764 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
24: 22:14:13.705209 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
25: 22:14:14.143913 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
26: 22:14:14.890716 802.1Q vlan#1234 P0 192.168.1.6.137 > 192.168.1.255.137: udp 50
27: 22:14:20.431694 802.1Q vlan#1234 P0 8.8.4.4.53 > 10.10.2.100.51648: udp 51 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 22:14:22.123955 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134 Drop-reason: (sp-security-failed) Slowpath security checks failed
29: 22:14:32.837526 802.1Q vlan#1234 P0 34.214.124.143.443 > 10.10.2.100.33899: R 2794890956:2794890956(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
30: 22:14:43.779668 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133
30 packets shown


Thanks,

Stef
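As an added example that is not part of this thread, here is a small Python helper that reads `show capture asp` output like the one posted above, tallies the Drop-reason codes, and separates drops that touch the AnyConnect address pool from unrelated noise such as NetBIOS broadcasts and SSDP. The sample lines are constructed from the output above, and the pool prefix 10.10.5.0/24 is an assumption based on the assigned IP 10.10.5.10.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the "show capture asp" lines posted in this thread.
SAMPLE_CAPTURE = """\
30 packets captured
1: 22:13:13.613447 802.1Q vlan#2 P0 10.10.2.101.17500 > 10.10.2.255.17500: udp 133 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 22:13:17.619383 802.1Q vlan#1234 P0 216.146.43.70.80 > 10.10.2.100.33894: R 1595073468:1595073468(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
3: 22:13:21.844743 802.1Q vlan#2 P0 10.10.2.100.17500 > 10.10.2.255.17500: udp 134
7: 22:13:31.270478 802.1Q vlan#1234 P0 10.10.5.10.54068 > 239.255.255.250.1900: udp 137 Drop-reason: (no-route) No route to host
27: 22:14:20.431694 802.1Q vlan#1234 P0 8.8.4.4.53 > 10.10.2.100.51648: udp 51 Drop-reason: (acl-drop) Flow is denied by configured rule
30 packets shown
"""

# One line: "<n>: <time> [802.1Q vlan#<v> P<p>] <src>.<sport> > <dst>.<dport>: <proto...> [Drop-reason: (<code>) <text>]"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\S+)\s+"
    r"(?:802\.1Q\s+vlan#(?P<vlan>\d+)\s+P\d+\s+)?"  # 802.1Q tag is optional
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<desc>.*))?$"
)

def parse_asp_capture(text):
    """Return one dict per packet line; summary lines ('30 packets captured') are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def summarize_drops(records, vpn_pool):
    """Tally Drop-reason codes overall and for packets whose src or dst is in the VPN pool."""
    # Packets captured without a Drop-reason are counted under 'no-drop-reason'.
    pool = ipaddress.ip_network(vpn_pool)
    total, vpn = Counter(), Counter()
    for r in records:
        reason = r["reason"] or "no-drop-reason"
        total[reason] += 1
        if ipaddress.ip_address(r["src"]) in pool or ipaddress.ip_address(r["dst"]) in pool:
            vpn[reason] += 1
    return total, vpn

if __name__ == "__main__":
    recs = parse_asp_capture(SAMPLE_CAPTURE)
    total, vpn = summarize_drops(recs, "10.10.5.0/24")  # pool assumed from the assigned IP 10.10.5.10
    print("all drops:", dict(total))
    print("drops touching the VPN pool:", dict(vpn))
```

On the sample above, the only drop involving the pool is the SSDP multicast with reason no-route, which is what lets you dismiss the rest as LAN noise rather than tunnel throughput problems.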

Shakti Kumar
Cisco Employee

Hi,

The output looks good: we are forming a DTLS tunnel, and there are no drops in the captures.

Let's do a comparative analysis of the file downloads.

Since the split-tunnel policy is tunnel-all, Internet traffic is going via the ASA.

Let's download a 1 GB file from the website below when not connected to the VPN and look at the time the download takes.


https://www.thinkbroadband.com/download


70 mins @ 2 Mbps
17 mins @ 8 Mbps
5 mins @ 30 Mbps
3 mins @ 60 Mbps
75 secs @ 120 Mbps


Similarly, let's download the same file when connected via AnyConnect.

Speed with AnyConnect would be 30-40% less because of the additional encryption/decryption and the additional path that the packet has to traverse; anything beyond that is a concern.


Let me know the results


Thanks

Shakti


Hello Shakti,

The test has already been done, and the results are that the speed is reduced by 90%.

Is this behavior something normal?

Thanks,

Stef

This is because my internet connection is asymmetrical, and upload speed is around 5Mbps.

I am suffering from the same issue. If I have an asymmetrical Internet connection, does that mean my VPN connection download speed will be unacceptable?
My ISP provides a 200 Mbps download rate and a 5 Mbps upload rate.

tmcleod
Beginner

First time ever sharing, but I thought this might help some folk. I have been struggling with how to improve VPN speed also and tried something today that definitely helped.

Folks are welcome to disagree with my method but it helped us.

Our ASAs also have Firepower managing them. Our main ASA is where our AnyConnect users come in.

Forgetting the firewall for a minute: internal users are not filtered or inspected when they access an internal server, since their traffic does not traverse the firewall. So why should we filter/inspect our VPN subnet?

I added a trust policy for our VPN subnet as source and a trust policy for the VPN subnet as destination. We are also split tunneling and use Umbrella for our DNS.

Fenwan99846
Beginner

My service provider speed is over 400 Mbps (my phone can get up to 430 Mbps); with the AnyConnect VPN it drops to around 11 Mbps. My computer's test speed is 260 Mbps, so the speed is reduced by 95%. How do we resolve this issue? Seriously, we all want to work from home forever.

We normally see this when your company requires full tunnel and doesn't have an optimized setup at their end. As an end user there is almost nothing you can do to improve it; the changes need to be made on the ASA end of the VPN.

At that end there are many things that can be done to improve performance. For example:

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579


Is there any sort of throttling or limiting built into the ASA VPN? It seems that way. We have people coming in through VPN, going out to the Internet, getting 3 Mbps, and people in the office using the same Internet connections and getting a lot higher speed (200+ down, 100+ up) from the same speed testing site. It seems like without any restrictions a VPN user could transfer huge files and take up all the available bandwidth, but they don't (not for lack of trying). We have optimized what we could. The ASA 5585-X-10 can encrypt 1 Gbps, and we are under half of that. The LAN connections are 1 Gbps each, as are the Internet connections, and those are around 25% usage. It's not clear why our VPN is so slow, and more so today than other days. 2600 users currently, almost all AnyConnect.

tnx.
