AnyConnect Speed Issues

dcanady55
Level 1

Hello,

FTD 2110s at 7.3.1.1.

I have two datacenters running that code on 2110s. They have the same configuration for the most part and the same size fiber internet 500 Mbps circuit. Coming in on VPN1, running a speed test from my home connection gives about 93 Mbps down and 9 Mbps up, and on VPN2, I get around 25 Mbps down and 8 Mbps up (I'm paying for 100 down, 10 up). I don't have QoS turned on, and I've checked for all the usual speed and duplex mismatches and verified with the ISP, and they claim all is well on their end. I went through the VPN best practice guide that Marvin posted about, and everything was in order. No CPU issues were observed, using DTLSv1.2. Is there anything else that I can look at? I will bypass the ACP after hours and test again to see if there's something in our ACP that could be causing this, but it's pretty identical to my other site. The site with issues sees on avg. 50 users vs. a few hundred on the site that's working properly.

Thanks



Two points must be checked:

1. MTU used by the ASA

2. Does the real user use DTLS or not?

For the second point:

show vpn sessiondb anyconnect detail

Check if the user uses DTLS or not.

MHM

Using the default 1406 and yes to DTLS. 

anyconnect mtu 1400 <- add this under webvpn

MHM

any update ?

MHM

Hello MHM,

Yes, I tried lowering the MTU and that didn't resolve the issue. I ended up traveling to the location this weekend and testing outside of our equipment. The speeds were way off, and so in the end it's something going on with our provider. Thanks for all the suggestions though.

Thanks a lot for updating us.

Have a nice day.

MHM

tvotna
Spotlight

Do you use TCP for tests? Try UDP (e.g. iperf) and then iperf over TCP. For example, site 2 may have higher delay or packet loss which can impact TCP throughput a lot. On the firewall check how drops increase: "show asp drop | i SVC". Sometimes mp-svc-flow-control can increase significantly which means that internal queue becomes full and packets are dropped.

MTU and fragmentation are rarely an issue, because the ASA calculates the TLS and DTLS MTU automatically from the crypto overhead and announces them to the client. The client assigns the DTLS MTU to the virtual adapter. If DTLS is not established for some reason, the VA is reset to assign the TLS MTU to it. If DTLS is established, everything works smoothly. For TCP traffic fragmentation should never happen, at least because of the default "sysopt conn tcpmss 1380". Anyway, I typically recommend setting the DTLS/TLS MTU explicitly to a value which is small enough for your ISP circuit to prevent fragmentation after adding encapsulation overhead. In this case the firewall need not change the TCP MSS:

sysopt conn tcpmss 0
group-policy <name> attributes
 webvpn
  anyconnect mtu 1400

You need to figure out how to configure this on FTD though.
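An added example (not from the thread, and not a Cisco tool) that turns the "show asp drop | i SVC" check above into a before/after comparison: capture the command output before and after a speed test and report which SVC drop reasons grew during the window. The sample captures below are constructed; the line layout and every reason name other than mp-svc-flow-control are assumptions.

```python
import re
from typing import Dict

# One counter line of "show asp drop" (assumed layout):
#   <description> (<reason-name>)   <count>
ASP_DROP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[^)]+)\)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(output: str) -> Dict[str, int]:
    """Return {reason-name: count} from a captured 'show asp drop' output."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = ASP_DROP_LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def drop_deltas(before: str, after: str, keyword: str = "svc") -> Dict[str, int]:
    """Growth of each reason whose name contains keyword (case-insensitive),
    i.e. the 'show asp drop | i SVC' filter applied to the difference of two captures."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    return {name: count - b.get(name, 0)
            for name, count in a.items() if keyword.lower() in name.lower()}


def throughput_suspects(before: str, after: str, interval_s: float,
                        threshold_per_s: float = 1.0, keyword: str = "svc") -> Dict[str, float]:
    """Reasons growing faster than threshold_per_s during the test window, as drops/second."""
    return {name: delta / interval_s
            for name, delta in drop_deltas(before, after, keyword).items()
            if delta / interval_s > threshold_per_s}


# Constructed captures, taken 60 s apart around a speed test.
BEFORE = """Frame drop:
  Flow is denied by configured rule (acl-drop)                         1200
  SVC Module flow control (mp-svc-flow-control)                          40
  SVC Module does not have a session (mp-svc-no-session)                  3
  Reverse-path verify failed (rpf-violated)                              17

Last clearing: Never
"""
AFTER = BEFORE.replace("1200", "1260").replace("  40\n", "4040\n").replace("  17\n", "  20\n")

if __name__ == "__main__":
    # The only SVC counter growing fast enough to matter is mp-svc-flow-control
    # (internal queue full); acl-drop growth is not SVC-related and is filtered out.
    print(throughput_suspects(BEFORE, AFTER, interval_s=60))
```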


Hello,

It would be TCP, and it's not a site-to-site VPN, rather AnyConnect clients on the internet. I did bypass my ACP and that didn't help. I checked for ASP drops while running my speed test and there were zero.

Of course this is AnyConnect. I meant that site 2 (VPN2) may have packet drops or higher delay, that is why you need to test with UDP and tools like iperf which collect stats and can display loss.