I identified three problems in an ASA setup that is used as a VPN concentrator for AnyConnect DTLS VPN clients. DTLS is the preferred transport here; IPsec is only the fallback. Over 1000 users are concurrently connected to this gateway.
Problem 1: SSL LZS compression is enabled
LZS compression was introduced in ASA 8.4.2.8 and should only be used on low-speed remote access connections. Today's high-speed connections, such as VDSL at 50-250 Mbit/s, effectively kill the ASA: packets arrive faster than they can be compressed and have to be buffered until the compressor gets to them.
Quote from Cisco documentation:
LZS Compression
Cisco now supports compression for DTLS and TLS on AnyConnect 3.0.3050 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. You enable compression in the webvpn submode of the group policy and username configuration modes. This feature enhances migration from the legacy VPN clients. You must have ASA release 8.4.2.8 or later for support of the LZS compression feature. Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
I recommend disabling compression in the tunnel group.
Problem 2: Crypto accelerator is in default configuration
The ASA 5500-X platform has dedicated crypto accelerator processors that handle IPsec and DTLS processing. By default, 5 cores are used for IPsec and only 3 cores for SSL. In an environment where you only run SSL VPN, it makes sense to give SSL as much processing power as possible.
Before I changed the setting on the ASA we were able to perform 500-700 MBit/s through the tunnels; after the change we can use up to 1000 GBit/s, which is the limit on this platform. CPU load also went down to a normal level :-)
Check the current settings:
# show crypto accelerator load-balance
[..]
Crypto SSL Load Balancing Stats:
==================================
Engine  Crypto Cores    SSL Sessions                  Active Session
                                                      Distribution (%)
======  ==============  ============================  ================
0       IPSEC 5, SSL 3  Total: 3212457  Active: 1177  0.0%
[..]
Quote from Cisco documentation:
Configure the Pool of Cryptographic Cores
You can change the allocation of cryptographic cores on Symmetric Multi-Processing (SMP) platforms to increase the throughput of AnyConnect TLS/DTLS traffic. These changes can accelerate the SSL VPN datapath and provide customer-visible performance gains in AnyConnect, smart tunnels, and port forwarding. These steps describe configuring the pool of cryptographic cores in either single or multiple context mode.
Specify how to allocate crypto accelerator processors: crypto engine accelerator-bias
• balanced—Equally distributes cryptography hardware resources (Admin/SSL and IPsec cores).
• ipsec—Allocates cryptography hardware resources to favor IPsec (includes SRTP encrypted voice traffic). This is the default bias on ASA 5500-X series devices.
• ssl—Allocates cryptography hardware resources to favor Admin/SSL. Use this bias when you support SSL-based AnyConnect remote access VPN sessions.
Example: hostname(config)# crypto engine accelerator-bias ssl
Change it with the command crypto engine accelerator-bias ssl in global configuration mode.
Afterwards it should look like this:
# show crypto accelerator load-balance
[..]
Crypto SSL Load Balancing Stats:
==================================
Engine  Crypto Cores    SSL Sessions                  Active Session
                                                      Distribution (%)
======  ==============  ============================  ================
0       IPSEC 1, SSL 7  Total: 3212457  Active: 1357  100.0%
[..]
For more information, see the AnyConnect FAQ document.
Problem 3: Choose the right encryption settings
You should use AES-GCM because it is faster on the clients and on the VPN gateway alike. Most CPUs have hardware support for AES-GCM, which relieves load on both sides.
See the Cisco AnyConnect implementation and performance reference for further details.
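The three fixes above as one ASA configuration fragment, added here as an example and not taken from the original post. It assumes a group policy named GP-ANYCONNECT (placeholder) and an ASA release that supports the "ssl cipher ... custom" form (9.3(2) or later) and DTLS 1.2 (9.10(1) or later), since DTLS 1.0 offers no AES-GCM suites; compression is switched off where the quoted Cisco text says it is configured, the webvpn submode of the group policy.

```cisco
! Problem 1: turn LZS compression off for both transports in the group policy.
! GP-ANYCONNECT is a placeholder name for your own AnyConnect group policy.
group-policy GP-ANYCONNECT attributes
 webvpn
  anyconnect ssl compression none
  anyconnect dtls compression none
!
! Problem 2: hand the crypto cores to the SSL/DTLS datapath instead of IPsec.
crypto engine accelerator-bias ssl
!
! Problem 3: offer only AES-GCM suites so sessions land on hardware-accelerated
! ciphers. GCM needs TLS 1.2 / DTLS 1.2; the trailing dtlsv1.2 keyword and the
! dtlsv1.2 cipher line require ASA 9.10(1) or later (assumption stated above).
! The ECDHE-RSA-* names assume an RSA identity certificate; with an ECDSA
! certificate use the matching ECDHE-ECDSA-* suites instead.
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
!
! Verification (exec mode): the core split should now read "IPSEC 1, SSL 7",
! and the Encryption field of each session should show AES-GCM for both the
! TLS and the DTLS tunnel.
! show crypto accelerator load-balance
! show vpn-sessiondb anyconnect
```

Apply the cipher restriction during a maintenance window, because clients that cannot negotiate TLS 1.2 / DTLS 1.2 with these suites will no longer connect.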