
Increasing Cisco AnyConnect VPN Speeds

Jamsan

Senior member
Just came across this recently and figured I'd share my discovery. When deploying a VPN solution using the Cisco AnyConnect Client over SSL, using JUST the SSL tunnel makes things painfully slow - in the neighborhood of 1-2 Mb per sec, even if bandwidth is adequate on both ends.

The key is to enable the DTLS channel that allows traffic to flow over a UDP tunnel instead of the SSL TCP tunnel (TCP over TCP issue). Initial testing shows bandwidth in the neighborhood of 15-18 Mb on the downstream front (limited now by the client's ISP).

To enable, use the following resource from Cisco and allow the UDP port through to the ASA if it's behind another firewall: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1059928
 
I seem to remember that DTLS was only for low-latency applications, like VOIP. I read about this like two years ago and my memory is fuzzy (which should preclude me from posting, but hey, it's anandtech), but I seem to remember that all the other data traffic would traverse the standard SSL tunnel.

FWIW I've deployed Anyconnect SSL on a 5505, 5510, and 5550 (all running 8.2 code) with no performance issues.
 
From what I've seen thus far, all traffic traverses the DTLS tunnel and only some control traffic goes across the SSL tunnel. In the event the DTLS tunnel cannot build, all traffic goes over SSL.

I did actually make a 2nd change at the same time (disable compression), so I'm actually not sure what had the direct effect on the bandwidth increase. I'll have to disable DTLS later tonight and have another go at my bandwidth numbers, but there's definitely an increase between before and after.
 
Compression can make major differences in performance, one way or the other. I'll be interested to hear what you discover.
 
I just happened to read the Anyconnect FAQ. It is suggested that DTLS does improve performance in terms of applications using UDP for latency and bandwidth. How do you guys measure how much bandwidth each VPN session is consuming? Are you viewing it from the ASA output, or do you use any external tools to monitor it? Thanks
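As an added illustration of the settings the thread is discussing (not configuration posted by anyone in the thread), here is the ASA 8.x webvpn configuration with the TLS-only variant beside the DTLS-enabled variant, with compression disabled as the original poster did, and the command used to check whether a session actually built a DTLS tunnel. The interface name `outside`, the group-policy name `GP-AnyConnect` and the exact `svc` keyword syntax are assumptions from the 8.0/8.2 command set; confirm them against the Cisco guide linked above before applying.

```cisco
! Added example, not from the thread. Assumed names: interface "outside",
! group policy "GP-AnyConnect"; syntax is the ASA 8.0/8.2 "svc" form.
!
! --- Slow variant: TLS only. Every data packet rides the TCP tunnel, so a
! --- lost packet stalls both the outer and inner TCP streams (TCP over TCP).
webvpn
 enable outside tls-only
 svc enable
!
! --- Fast variant: DTLS negotiated in parallel; data goes over UDP/443 and
! --- only control traffic stays on the TLS/TCP channel.
webvpn
 enable outside
 dtls port 443
 svc enable
!
group-policy GP-AnyConnect attributes
 webvpn
  svc dtls enable
  svc compression none
!
! Any firewall in front of the ASA must pass UDP/443 to the ASA outside address
! in addition to TCP/443. If UDP is blocked the client falls back to TLS only,
! which looks like "DTLS enabled" in the config but performs like the slow variant.
!
! Verification (per session): show vpn-sessiondb detail svc
! A working session lists "DTLS-Tunnel" on the Protocol line with its own
! Bytes Tx/Rx counters; comparing two readings a known interval apart gives
! the per-session throughput asked about in the thread.
```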
 