Re: Cisco AnyConnect speed woes!

2014-12-16 Thread Zachary McGibbon
We seem to have narrowed down the problem to our Cisco SCE packet shaper.
It seems to be misclassifying about 15-20% of the DTLS traffic into
encrypted bittorrent and since we have shaping rules in place to limit
torrent traffic, this was causing the issue.

To resolve the issue, we put the IP of our VPN ASA into a different package
on the SCE and did not apply any shaping rules to it.

We are still monitoring to be sure but we are quite confident this was the
issue.

So note to anyone out there using a shaper and has a DTLS VPN behind it,
check your classifications or whitelist your VPN box!

- Zachary

On Tue, Dec 9, 2014 at 7:39 PM, Zachary McGibbon <
zachary.mcgibbon+na...@gmail.com> wrote:
>
> Hi Roberto,
>
> - We have disabled the DTLS compression feature, this has been verified on
> the client side that compression says 'None'
> - We are not using the VPN load balancing feature, the two boxes are
> running in an active/standby configuration
> - Yes we are tunnelling all traffic however local lan access is available
> if the user checks the checkbox in their client
> - We are inspecting the following:
>   dns preset_dns_map, ftp, h323 h225, h323 ras, rsh, rtsp, esmtp, sqlnet,
> skinny, sunrpc, xdmcp, sip, netbios, tftp, ip-options, icmp
> - Jumbo frames are not configured
> - We are using the following encryption methods: AES128 and 2048 bit
> certificate
> - We are running ASA 9.2.2.8 on a 5545X
> - We are pushing the Anyconnect client version 3.1.05182
>
> Also, I should mention what I mean when we see slow speeds.  For example,
> my internet connection at home is a cable modem with 30mb down, 10mb up.  I
> have done a path mtu discovery to my VPN at work and it is 1500.  When I
> run an iperf to a server at the office without vpn I get about 28mb down,
> 9.5mb up.  When I connect to vpn, the iperf to the same server is about
> 1.2mb down, and 900k up.  This is way too slow!
>
> - Zachary
>
> On Tue, Dec 9, 2014 at 4:39 PM, Roberto  wrote:
>
>> > The big issue we are having is that many of our users are complaining
>> of low speed when connected to the VPN.
>> Please can you indicate more details ?
>>
>> Is it enabled on the ASA the "compression" feature ?
>> Is it enabled on the ASA the VPN Load Balancing feature ?
>> Are you using the AnyConnect FULL TUNNEL mode ?
>> Which are the inspection configured on the ASA for the "remote access"
>> clients ?
>> Have you configured the Jumbo MTU on the CISCO ASA interfaces ?
>> Which encryption are configured on the ASA (are you using Suite B
>> Algorithms) ?
>> Which version of ASA are you using ?
>> Which version of AnyConnect are you using ?
>>
>>
>> Note:
>> protocols such as L2TP/IPSec are not hardware accelerated -- the IPSec
>> portion of L2TP/IPSec is hardware-accelerated, but the L2TP portion is not.
>> Likewise, the SSL portions of SVC and WebVPN use hardware acceleration,
>> but the application layer protocols are done in software.
>>
>>
>> Best Regards,
>>
>> _
>> Roberto Taccon
>>
>> e-mail: robe...@ipnetworks.it
>> mobile: +39 340 4751352
>> fax: +39 045 4850850
>> skype: roberto.taccon
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
>> Sent: Tuesday, December 9, 2014 9:18 PM
>> To: Matthew Huff
>> Cc: NANOG
>> Subject: Re: Cisco AnyConnect speed woes!
>>
>> We are trying to use SSLVPN (udp 443) and results are really all over the
>> place.  Most of our complaints are users connecting on Teksavvy however we
>> haven't been able to reach anyone in their network team to find out if they
>> are doing any filtering or shaping on their side.
>>
>> We don't have a lot of traffic coming through Cogent, most of the users
>> are local here in Montreal on either Bell or Videotron and they traverse
>> through the QIX (www.qix.ca)
>>
>> On Tue, Dec 9, 2014 at 3:03 PM, Matthew Huff  wrote:
>>
>> > Are you using SSLVpn or IPSEC with anyconnect? I have had more luck
>> > with performance with IPSEC than SSLVpn.
>> >
>> > Also, just because your ISP is saying that they aren't
>> > shaping/filtering, doesn't mean they aren't.
>> >
>> > We had major issues with users using AnyConnect when it was
>> > transversing Cogent. We were getting 5-10% packet loss (although the
>> > Cisco stats didn't show it), and it was choking on it.
>> >
>> > 
>> > Matthew Huff | 1 Manhattanville Rd
>> 
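The check Zachary recommends above (look at how the shaper classifies traffic to the VPN concentrator, and exempt the box if the classes are wrong), written out as an added example; it is not code from the thread or from Cisco. It assumes a made-up CSV export of flow records with a shaper class column, assumed class names, and 10.0.0.5 standing in for the ASA's public address; a real SCE or NetFlow export has its own layout and would need its own parser.

```python
"""Audit a packet shaper's classification of traffic to a known VPN endpoint.

Added example, not from the thread.  The finding on the list was that a
shaper put roughly 15-20% of the ASA's DTLS flows into an "encrypted
BitTorrent" class that carries a rate limit.  This script reads constructed
flow/classification records and reports how much VPN traffic landed outside
the classes you expect, so a misclassification surfaces before users complain.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (made-up layout).  Fields: ts, src, dst, proto,
# dport, bytes, shaper_class.  10.0.0.5 stands in for the VPN ASA.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes,shaper_class
2014-12-16T09:00:01,198.51.100.10,10.0.0.5,udp,443,4000000,ssl-vpn
2014-12-16T09:00:02,198.51.100.11,10.0.0.5,udp,443,3500000,ssl-vpn
2014-12-16T09:00:03,198.51.100.12,10.0.0.5,udp,443,1500000,encrypted-bittorrent
2014-12-16T09:00:04,10.0.0.5,198.51.100.10,udp,52000,6000000,ssl-vpn
2014-12-16T09:00:05,10.0.0.5,198.51.100.12,udp,52002,2000000,encrypted-bittorrent
2014-12-16T09:00:06,198.51.100.13,10.0.0.5,tcp,443,3000000,https
2014-12-16T09:00:07,198.51.100.20,203.0.113.9,tcp,6881,900000,bittorrent
"""

# Assumed class names; substitute whatever your shaper's signature set uses.
EXPECTED_VPN_CLASSES = {"ssl-vpn", "https", "ipsec"}


def parse_flows(text):
    """Parse the constructed CSV export into a list of dicts with numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def audit_vpn_classification(flows, vpn_ip, expected=EXPECTED_VPN_CLASSES,
                             threshold=0.05):
    """Return (misclassified_fraction, bytes_by_class, flagged) for flows touching vpn_ip.

    Both directions are counted, because a shaper classifies per flow and shapes
    both sides.  `flagged` is True when more than `threshold` of the VPN bytes sit
    in classes outside `expected`, which is the condition that warrants a rule
    exception for the VPN address or a signature fix on the shaper.
    """
    by_class = defaultdict(int)
    for f in flows:
        if vpn_ip in (f["src"], f["dst"]):
            by_class[f["shaper_class"]] += f["bytes"]
    total = sum(by_class.values())
    if total == 0:
        return 0.0, dict(by_class), False
    bad = sum(b for c, b in by_class.items() if c not in expected)
    fraction = bad / total
    return fraction, dict(by_class), fraction > threshold


if __name__ == "__main__":
    fraction, by_class, flagged = audit_vpn_classification(
        parse_flows(SAMPLE_FLOWS), "10.0.0.5")
    for cls, nbytes in sorted(by_class.items(), key=lambda kv: -kv[1]):
        marker = "" if cls in EXPECTED_VPN_CLASSES else "  <-- unexpected"
        print(f"{cls:22s} {nbytes:>12d} bytes{marker}")
    print(f"{fraction:.1%} of VPN traffic in unexpected classes; "
          f"{'ACTION NEEDED' if flagged else 'ok'}")
```

Run it against a real export after replacing the CSV layout and class names; the per-class breakdown is what tells you whether to fix the signature or simply move the VPN address into an unshaped package, as was done here.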

Re: Cisco AnyConnect speed woes!

2014-12-15 Thread James Michael Keller


On 12/11/2014 04:18 PM, Roy Hirst wrote:

> Confidently based on no knowledge at all -
>
> *Roy Hirst* | 425-556-5773 | 425-324-0941 cell
> XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA
>
>>> - We have noticed that in some instances that if a user is on a low
>>> speed connection that their VPN speed gets cut by about 1/3.  This doesn't
>>> seem normal that the VPN would use this much overhead
>
> No, sure, but are you sure that congestion is not dropping a packet
> somewhere in the end-to-end? If you offend TCP it will likely cut the
> sender's packet transmit rate, even if the "possible" VPN rate is much
> higher.
>
>>> - We do not have the issue when connecting to VPN directly on our own
>>> network, only connections from the Internet
>
> Internet would mean maybe a proxy or firewall then, with too-small
> buffers or an old-time TCP/IP stack? Just a thought.
>
>>> If you have any ideas on what we could try next, please let me know!
>>>
>>> - Zachary
>
>> What OS builds? At one point the code had an 8 packet hard coded
>> window per tcp flow, which capped ssl over tcp window size to about
>> 5mbps depending on RTT. Recent 8 branches raised this to
>> something more reasonable that capped around 20 mbps. DTLS over udp
>> and IPSEC tunnels did not have this issue.
>
> UDP traffic does not have this problem but TCP does? Hmmm...

UDP transport with DTLS or IPSEC in UDP Encapsulation doesn't need to
deal with tcp window size scaling and the associated packet buffers.

-James



Re: Cisco AnyConnect speed woes!

2014-12-11 Thread Roy Hirst

Confidently based on no knowledge at all -

*Roy Hirst* | 425-556-5773 | 425-324-0941 cell
XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA

>> - We have noticed that in some instances that if a user is on a low
>> speed connection that their VPN speed gets cut by about 1/3.  This doesn't
>> seem normal that the VPN would use this much overhead

No, sure, but are you sure that congestion is not dropping a packet
somewhere in the end-to-end? If you offend TCP it will likely cut the
sender's packet transmit rate, even if the "possible" VPN rate is much
higher.

>> - We do not have the issue when connecting to VPN directly on our own
>> network, only connections from the Internet

Internet would mean maybe a proxy or firewall then, with too-small
buffers or an old-time TCP/IP stack? Just a thought.

>> If you have any ideas on what we could try next, please let me know!
>>
>> - Zachary

> What OS builds? At one point the code had an 8 packet hard coded
> window per tcp flow, which capped ssl over tcp window size to about
> 5mbps depending on RTT. Recent 8 branches raised this to something
> more reasonable that capped around 20 mbps. DTLS over udp and IPSEC
> tunnels did not have this issue.

UDP traffic does not have this problem but TCP does? Hmmm...


The information contained in this e-mail message may be privileged,
confidential and protected from disclosure.
If you are not the intended recipient, any dissemination, distribution or
copying is strictly prohibited.
If you think that you have received this e-mail message in error, please e-mail
the sender at the above e-mail address.



Re: Cisco AnyConnect speed woes!

2014-12-11 Thread James Michael Keller

On 12/09/2014 02:42 PM, Zachary McGibbon wrote:

> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN.  We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
> - We have tested changing MTU values
> - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
> L2TP) with similar results
> - We have switched our active/standby boxes
> - We have tested on our spare 5545x box
> - We connected our spare box directly to our ISP with another IP address
> - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
> IPS (HP Tipping Point)
> - We have bypassed our Shaper and our IPS
> - We made sure that traffic from the routers talking to our ASAs is
> synchronous, OSPF was configured to load balance but this has been changed
> by changing the costs on the links to the ASAs
> - We have verified with our two ISPs that they are not doing any kind of
> filtering or shaping
> - We have noticed that in some instances that if a user is on a low
> speed connection that their VPN speed gets cut by about 1/3.  This doesn't
> seem normal that the VPN would use this much overhead
> - We do not have the issue when connecting to VPN directly on our own
> network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary

What OS builds? At one point the code had an 8 packet hard coded
window per tcp flow, which capped ssl over tcp window size to about
5mbps depending on RTT. Recent 8 branches raised this to something
more reasonable that capped around 20 mbps. DTLS over udp and IPSEC
tunnels did not have this issue.

--

-James



Re: Cisco AnyConnect speed woes!

2014-12-09 Thread Zachary McGibbon
Hi Roberto,

- We have disabled the DTLS compression feature, this has been verified on
the client side that compression says 'None'
- We are not using the VPN load balancing feature, the two boxes are
running in an active/standby configuration
- Yes we are tunnelling all traffic however local lan access is available
if the user checks the checkbox in their client
- We are inspecting the following:
  dns preset_dns_map, ftp, h323 h225, h323 ras, rsh, rtsp, esmtp, sqlnet,
skinny, sunrpc, xdmcp, sip, netbios, tftp, ip-options, icmp
- Jumbo frames are not configured
- We are using the following encryption methods: AES128 and 2048 bit
certificate
- We are running ASA 9.2.2.8 on a 5545X
- We are pushing the Anyconnect client version 3.1.05182

Also, I should mention what I mean when we see slow speeds.  For example,
my internet connection at home is a cable modem with 30mb down, 10mb up.  I
have done a path mtu discovery to my VPN at work and it is 1500.  When I
run an iperf to a server at the office without vpn I get about 28mb down,
9.5mb up.  When I connect to vpn, the iperf to the same server is about
1.2mb down, and 900k up.  This is way too slow!

- Zachary

On Tue, Dec 9, 2014 at 4:39 PM, Roberto  wrote:

> > The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN.
> Please can you indicate more details ?
>
> Is it enabled on the ASA the "compression" feature ?
> Is it enabled on the ASA the VPN Load Balancing feature ?
> Are you using the AnyConnect FULL TUNNEL mode ?
> Which are the inspection configured on the ASA for the "remote access"
> clients ?
> Have you configured the Jumbo MTU on the CISCO ASA interfaces ?
> Which encryption are configured on the ASA (are you using Suite B
> Algorithms) ?
> Which version of ASA are you using ?
> Which version of AnyConnect are you using ?
>
>
> Note:
> protocols such as L2TP/IPSec are not hardware accelerated -- the IPSec
> portion of L2TP/IPSec is hardware-accelerated, but the L2TP portion is not.
> Likewise, the SSL portions of SVC and WebVPN use hardware acceleration,
> but the application layer protocols are done in software.
>
>
> Best Regards,
>
> _
> Roberto Taccon
>
> e-mail: robe...@ipnetworks.it
> mobile: +39 340 4751352
> fax: +39 045 4850850
> skype: roberto.taccon
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
> Sent: Tuesday, December 9, 2014 9:18 PM
> To: Matthew Huff
> Cc: NANOG
> Subject: Re: Cisco AnyConnect speed woes!
>
> We are trying to use SSLVPN (udp 443) and results are really all over the
> place.  Most of our complaints are users connecting on Teksavvy however we
> haven't been able to reach anyone in their network team to find out if they
> are doing any filtering or shaping on their side.
>
> We don't have a lot of traffic coming through Cogent, most of the users
> are local here in Montreal on either Bell or Videotron and they traverse
> through the QIX (www.qix.ca)
>
> On Tue, Dec 9, 2014 at 3:03 PM, Matthew Huff  wrote:
>
> > Are you using SSLVpn or IPSEC with anyconnect? I have had more luck
> > with performance with IPSEC than SSLVpn.
> >
> > Also, just because your ISP is saying that they aren't
> > shaping/filtering, doesn't mean they aren't.
> >
> > We had major issues with users using AnyConnect when it was
> > traversing Cogent. We were getting 5-10% packet loss (although the
> > Cisco stats didn't show it), and it was choking on it.
> >
> > 
> > Matthew Huff | 1 Manhattanville Rd
> > Director of Operations   | Purchase, NY 10577
> > OTA Management LLC   | Phone: 914-460-4039
> > aim: matthewbhuff| Fax:   914-694-5669
> >
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary
> > McGibbon
> > Sent: Tuesday, December 9, 2014 2:42 PM
> > To: NANOG
> > Subject: Cisco AnyConnect speed woes!
> >
> > I'm looking for some input on a situation that has been plaguing our
> > new AnyConnect VPN setup.  Any input would be valuable, we are at a
> > loss for what the problem is.
> >
> > We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> > running PPTP and we are now running a pair of Cisco 5545x ASAs in an
> > HA active/standby pair.
> >
> > The big issue we are having is that many of our users are complaining
> > of low speed when connected to the VPN.  We have done tons of
> > troubleshooting with Cisco TAC and we still haven't found the root of
> our problem.
>

Re: Cisco AnyConnect speed woes!

2014-12-09 Thread Zachary McGibbon
We are trying to use SSLVPN (udp 443) and results are really all over the
place.  Most of our complaints are users connecting on Teksavvy however we
haven't been able to reach anyone in their network team to find out if they
are doing any filtering or shaping on their side.

We don't have a lot of traffic coming through Cogent, most of the users are
local here in Montreal on either Bell or Videotron and they traverse
through the QIX (www.qix.ca)

On Tue, Dec 9, 2014 at 3:03 PM, Matthew Huff  wrote:

> Are you using SSLVpn or IPSEC with anyconnect? I have had more luck with
> performance with IPSEC than SSLVpn.
>
> Also, just because your ISP is saying that they aren't shaping/filtering,
> doesn't mean they aren't.
>
> We had major issues with users using AnyConnect when it was traversing
> Cogent. We were getting 5-10% packet loss (although the Cisco stats didn't
> show it), and it was choking on it.
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
> Sent: Tuesday, December 9, 2014 2:42 PM
> To: NANOG
> Subject: Cisco AnyConnect speed woes!
>
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
> what the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
> running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
> active/standby pair.
>
> The big issue we are having is that many of our users are complaining of
> low speed when connected to the VPN.  We have done tons of troubleshooting
> with Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
>- We have tested changing MTU values
>- We have tried all combinations of encryption methods (SSL, TLS, IPSec,
>L2TP) with similar results
>- We have switched our active/standby boxes
>- We have tested on our spare 5545x box
>- We connected our spare box directly to our ISP with another IP address
>- We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
>IPS (HP Tipping Point)
>- We have bypassed our Shaper and our IPS
>- We made sure that traffic from the routers talking to our ASAs is
>synchronous, OSPF was configured to load balance but this has been
> changed
>by changing the costs on the links to the ASAs
>- We have verified with our two ISPs that they are not doing any kind of
>filtering or shaping
>- We have noticed that in some instances that if a user is on a low
>speed connection that their VPN speed gets cut by about 1/3.  This
> doesn't
>seem normal that the VPN would use this much overhead
>- We do not have the issue when connecting to VPN directly on our own
>network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary
>


Re: Cisco AnyConnect speed woes!

2014-12-09 Thread Roy Hirst
Have you considered user protocol issues, higher up the stack where your 
NOC investigation can't see them? If TCP is not tuned, and detects TCP 
packets are dropping due to congestion, it drops (halves?) its transmit 
rate until all is well again. At a network operator level, you may have 
the L1 bandwidth ready and willing to transport all the bits in sight, 
but just one poor TCP stack (old FTP? old SMB?)  in the TCP roundtrip 
will throttle bits presented way down. I have on my desk here a badly 
configured example where poor TCP buffering drops throughput to 5% of 
expected. Well known issue, for IT folks in enterprises. Wireshark etc 
will easily let you see how fast user traffic is arriving. Just a thought.

Roy

*Roy Hirst* | 425-556-5773 | 425-324-0941 cell
XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA

On 12/9/2014 12:02 PM, Darden, Patrick wrote:

> MTU should be automatically managed by the AnyConnect client.  With that said, have
> you done PMTUd (e.g. nmap --script path-mtu  from one endpoint to the
> next)?
>
> I'd do a network map, working with your upstream provider, to identify and
> isolate variables.  E.g. to find media changes (wrt MTU changes/mismatches).
> --start with icmp traceroute
> --next do a udp traceroute
> --next do a tcp traceroute
> --each traceroute will give you a slightly different picture, some hops
> will respond to one but not another
> --try a vpn connection  from Upstream1 first, to see if it happens
> there.
> --try a vpn connection  from Upstream2 next, to see if it happens there.
> --try a vpn connection in reverse from Upstream2, then Upstream1, to
> see if the speed in one direction, via one or another portal, is faster.
> --continue to isolate networks, network devices, until you can find the
> point (e.g. advertisement injector) or process (e.g. MTU LCD or asymmetric
> routing) which is causing this.
>
> --p
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
> Sent: Tuesday, December 09, 2014 1:42 PM
> To: NANOG
> Subject: [EXTERNAL]Cisco AnyConnect speed woes!
>
> I'm looking for some input on a situation that has been plaguing our new
> AnyConnect VPN setup.  Any input would be valuable, we are at a loss for what
> the problem is.
>
> We recently upgraded our VPN from our old Cisco 3000 VPN concentrators running
> PPTP and we are now running a pair of Cisco 5545x ASAs in an HA active/standby
> pair.
>
> The big issue we are having is that many of our users are complaining of low
> speed when connected to the VPN.  We have done tons of troubleshooting with
> Cisco TAC and we still haven't found the root of our problem.
>
> Some tests we have done:
>
> - We have tested changing MTU values
> - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
> L2TP) with similar results
> - We have switched our active/standby boxes
> - We have tested on our spare 5545x box
> - We connected our spare box directly to our ISP with another IP address
> - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
> IPS (HP Tipping Point)
> - We have bypassed our Shaper and our IPS
> - We made sure that traffic from the routers talking to our ASAs is
> synchronous, OSPF was configured to load balance but this has been changed
> by changing the costs on the links to the ASAs
> - We have verified with our two ISPs that they are not doing any kind of
> filtering or shaping
> - We have noticed that in some instances that if a user is on a low
> speed connection that their VPN speed gets cut by about 1/3.  This doesn't
> seem normal that the VPN would use this much overhead
> - We do not have the issue when connecting to VPN directly on our own
> network, only connections from the Internet
>
> If you have any ideas on what we could try next, please let me know!
>
> - Zachary




RE: Cisco AnyConnect speed woes!

2014-12-09 Thread Matthew Huff
Are you using SSLVpn or IPSEC with anyconnect? I have had more luck with 
performance with IPSEC than SSLVpn.

Also, just because your ISP is saying that they aren't shaping/filtering, 
doesn't mean they aren't.

We had major issues with users using AnyConnect when it was traversing 
Cogent. We were getting 5-10% packet loss (although the Cisco stats didn't show 
it), and it was choking on it.


Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff| Fax:   914-694-5669

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
Sent: Tuesday, December 9, 2014 2:42 PM
To: NANOG
Subject: Cisco AnyConnect speed woes!

I'm looking for some input on a situation that has been plaguing our new
AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
what the problem is.

We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
active/standby pair.

The big issue we are having is that many of our users are complaining of
low speed when connected to the VPN.  We have done tons of troubleshooting
with Cisco TAC and we still haven't found the root of our problem.

Some tests we have done:

   - We have tested changing MTU values
   - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
   L2TP) with similar results
   - We have switched our active/standby boxes
   - We have tested on our spare 5545x box
   - We connected our spare box directly to our ISP with another IP address
   - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
   IPS (HP Tipping Point)
   - We have bypassed our Shaper and our IPS
   - We made sure that traffic from the routers talking to our ASAs is
   synchronous, OSPF was configured to load balance but this has been changed
   by changing the costs on the links to the ASAs
   - We have verified with our two ISPs that they are not doing any kind of
   filtering or shaping
   - We have noticed that in some instances that if a user is on a low
   speed connection that their VPN speed gets cut by about 1/3.  This doesn't
   seem normal that the VPN would use this much overhead
   - We do not have the issue when connecting to VPN directly on our own
   network, only connections from the Internet

If you have any ideas on what we could try next, please let me know!

- Zachary
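A worked calculation of the two TCP ceilings raised in this thread, added here as an example and not part of any message in it: the hard-coded 8-packet window per TCP flow that James describes (throughput is bounded by window / RTT), and the 5-10% packet loss Matthew saw across Cogent (throughput is bounded by the Mathis et al. 1997 approximation MSS/RTT × C/√p). The 1460-byte MSS, the RTT values, the loss rates and the 1.2 Mbit/s figure fed back into the reverse calculation are assumed inputs, not measurements from the list.

```python
"""Two ceilings on an SSL/TLS-over-TCP VPN tunnel's throughput.

Added example (not code from the thread).  It models:
  1. a fixed per-flow send window, as in the hard-coded 8-packet window
     James mentions: throughput <= window_bytes / RTT;
  2. random packet loss, as in the 5-10% loss Matthew saw: the Mathis et al.
     (1997) approximation  BW <= (MSS / RTT) * (C / sqrt(p)),  C = sqrt(3/2).
All RTTs, loss rates and the MSS below are assumed inputs, not measurements.
"""
import math

MSS_BYTES = 1460           # assumed: 1500-byte path MTU minus 40 bytes of IPv4+TCP headers
MATHIS_C = math.sqrt(1.5)  # ~1.22, the constant in the Mathis formula


def window_limited_bps(window_packets, rtt_s, mss=MSS_BYTES):
    """Fixed-window ceiling: at most one window of data per round trip."""
    if window_packets <= 0 or rtt_s <= 0:
        raise ValueError("window and RTT must be positive")
    return window_packets * mss * 8 / rtt_s


def loss_limited_bps(loss_rate, rtt_s, mss=MSS_BYTES):
    """Mathis approximation of steady-state TCP throughput under random loss."""
    if not 0 < loss_rate < 1 or rtt_s <= 0:
        raise ValueError("loss_rate must be in (0, 1) and RTT positive")
    return (mss * 8 / rtt_s) * (MATHIS_C / math.sqrt(loss_rate))


def rtt_for_window_cap(window_packets, target_bps, mss=MSS_BYTES):
    """RTT (s) at which a fixed window of `window_packets` caps at `target_bps`.

    Useful in reverse: if a user reports X bit/s through the tunnel, this is
    the RTT at which the window alone would explain that figure.
    """
    if window_packets <= 0 or target_bps <= 0:
        raise ValueError("window and target must be positive")
    return window_packets * mss * 8 / target_bps


def tunnel_ceiling(window_packets, loss_rate, rtt_s):
    """Return (limiting_factor, ceiling_bps): the lower of the two ceilings."""
    caps = {"window": window_limited_bps(window_packets, rtt_s)}
    if loss_rate > 0:
        caps["loss"] = loss_limited_bps(loss_rate, rtt_s)
    limiting = min(caps, key=caps.get)
    return limiting, caps[limiting]


if __name__ == "__main__":
    print("RTT(ms)  8-pkt window   5% loss  10% loss   (Mbit/s)")
    for rtt_ms in (10, 20, 50, 100):  # constructed RTTs
        rtt = rtt_ms / 1000
        print(f"{rtt_ms:6d}  {window_limited_bps(8, rtt) / 1e6:12.2f}"
              f"  {loss_limited_bps(0.05, rtt) / 1e6:8.2f}"
              f"  {loss_limited_bps(0.10, rtt) / 1e6:8.2f}")
    # RTT at which an 8-packet window alone would explain a 1.2 Mbit/s tunnel
    print(f"8-packet window reaches 1.2 Mbit/s at RTT = "
          f"{rtt_for_window_cap(8, 1.2e6) * 1000:.0f} ms")
```

At a 20 ms RTT the 8-packet window gives about 4.7 Mbit/s, which is the "about 5mbps depending on RTT" figure, and 5% loss alone would hold the same flow to roughly 3.2 Mbit/s; whichever ceiling is lower is the one users see, which is why neither the ASA's CPU nor the raw link bandwidth needs to be exhausted for the tunnel to feel slow. DTLS and IPsec over UDP are not subject to the first ceiling because the tunnel transport carries no TCP window of its own.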


RE: Cisco AnyConnect speed woes!

2014-12-09 Thread Darden, Patrick

MTU should be automatically managed by the AnyConnect client.  With that said, 
have you done PMTUd (e.g. nmap --script path-mtu  from one endpoint to 
the next)?

I'd do a network map, working with your upstream provider, to identify and 
isolate variables.  E.g. to find media changes (wrt MTU changes/mismatches).
--start with icmp traceroute
--next do a udp traceroute
--next do a tcp traceroute
--each traceroute will give you a slightly different picture, some hops 
will respond to one but not another
--try a vpn connection  from Upstream1 first, to see if it happens 
there.
--try a vpn connection  from Upstream2 next, to see if it happens there.
--try a vpn connection in reverse from Upstream2, then Upstream1, to 
see if the speed in one direction, via one or another portal, is faster.
--continue to isolate networks, network devices, until you can find the 
point (e.g. advertisement injector) or process (e.g. MTU LCD or asymmetric 
routing) which is causing this.

--p

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Zachary McGibbon
Sent: Tuesday, December 09, 2014 1:42 PM
To: NANOG
Subject: [EXTERNAL]Cisco AnyConnect speed woes!

I'm looking for some input on a situation that has been plaguing our new 
AnyConnect VPN setup.  Any input would be valuable, we are at a loss for what 
the problem is.

We recently upgraded our VPN from our old Cisco 3000 VPN concentrators running 
PPTP and we are now running a pair of Cisco 5545x ASAs in an HA active/standby 
pair.

The big issue we are having is that many of our users are complaining of low 
speed when connected to the VPN.  We have done tons of troubleshooting with 
Cisco TAC and we still haven't found the root of our problem.

Some tests we have done:

   - We have tested changing MTU values
   - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
   L2TP) with similar results
   - We have switched our active/standby boxes
   - We have tested on our spare 5545x box
   - We connected our spare box directly to our ISP with another IP address
   - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
   IPS (HP Tipping Point)
   - We have bypassed our Shaper and our IPS
   - We made sure that traffic from the routers talking to our ASAs is
   synchronous, OSPF was configured to load balance but this has been changed
   by changing the costs on the links to the ASAs
   - We have verified with our two ISPs that they are not doing any kind of
   filtering or shaping
   - We have noticed that in some instances that if a user is on a low
   speed connection that their VPN speed gets cut by about 1/3.  This doesn't
   seem normal that the VPN would use this much overhead
   - We do not have the issue when connecting to VPN directly on our own
   network, only connections from the Internet

If you have any ideas on what we could try next, please let me know!

- Zachary


Cisco AnyConnect speed woes!

2014-12-09 Thread Zachary McGibbon
I'm looking for some input on a situation that has been plaguing our new
AnyConnect VPN setup.  Any input would be valuable, we are at a loss for
what the problem is.

We recently upgraded our VPN from our old Cisco 3000 VPN concentrators
running PPTP and we are now running a pair of Cisco 5545x ASAs in an HA
active/standby pair.

The big issue we are having is that many of our users are complaining of
low speed when connected to the VPN.  We have done tons of troubleshooting
with Cisco TAC and we still haven't found the root of our problem.

Some tests we have done:

   - We have tested changing MTU values
   - We have tried all combinations of encryption methods (SSL, TLS, IPSec,
   L2TP) with similar results
   - We have switched our active/standby boxes
   - We have tested on our spare 5545x box
   - We connected our spare box directly to our ISP with another IP address
   - We have whitelisted our VPN IP on our shaper (Cisco SCE8000) and our
   IPS (HP Tipping Point)
   - We have bypassed our Shaper and our IPS
   - We made sure that traffic from the routers talking to our ASAs is
   synchronous, OSPF was configured to load balance but this has been changed
   by changing the costs on the links to the ASAs
   - We have verified with our two ISPs that they are not doing any kind of
   filtering or shaping
   - We have noticed that in some instances that if a user is on a low
   speed connection that their VPN speed gets cut by about 1/3.  This doesn't
   seem normal that the VPN would use this much overhead
   - We do not have the issue when connecting to VPN directly on our own
   network, only connections from the Internet

If you have any ideas on what we could try next, please let me know!

- Zachary