Cisco AnyConnect Client Very SLOW

Started by gtopnsense, March 25, 2024, 11:32:46 PM

I have my OPNsense updated to the newest version 24..., using it more as a NAT firewall.
For some reason, when I connect my computer to my work VPN with the Cisco AnyConnect client version 5 installed on the PC, my internet on that PC comes to a crawl, 8 megs a second. The client PC will stay connected all day; it's just slow.

When not on VPN, internet is 400 megs.
I also connected my computer directly to my internet gateway to bypass OPNsense, then connected to the Cisco VPN and got much more normal internet speed. What do I need to do so OPNsense allows the Cisco VPN to run at a better speed when I am using the Cisco AnyConnect client on a computer?

This seems to be a newer issue; I have been using OPNsense for a while, as well as Cisco, and hadn't noticed this till recently.
Thanks in advance

March 26, 2024, 12:21:38 AM #1 Last Edit: March 26, 2024, 01:53:08 AM by Seimus
Cisco Umbrella?
Is your corporate VPN set for split tunneling? (Only the corporate network through the tunnel, or the Internet through the tunnel as well?)

Also, what HW do you run the OPN on?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD


Intel i3-3220 CPU @ 3.30GHz (2 cores, 4 threads), 8 GB RAM

I don't see Umbrella on this version of Cisco; I did see it on our old version 4. Perhaps it runs somewhere hidden in the background on 5, not sure.

Thanks

AnyConnect 4.X doesn't fully support Umbrella. This is due to the fact that Cisco Umbrella is running on DTLS, which is supported on their newer client apps.

I am asking because of the above DTLS.

Cisco Umbrella is using TLS to establish the tunnel and DTLS for transport. And I know for a fact that until I allowed DTLS (UDP 443), even if the VPN established, the performance was abysmal, huge latency issues etc. over the tunnel.

Not sure what your rules are, but if you by any chance block UDP 443, try to allow it.

Another point, as asked, is whether your corporate VPN has split tunneling or not.

Regards,
S.

I don't believe I have blocked 443 UDP, but I will verify.
As for split tunnel, no, we can't access any networks outside our corporate network.

I tried to open UDP port 443 for Cisco and the speed never improved. I tried NAT rules inbound and outbound, set a rule on my LAN for outgoing; no real change.
I don't know if I have missed something or am doing something wrong.
I am using the Squid proxy as well, but I whitelisted the VPN domain when I first set up OPNsense a few years ago. I even set my laptop that uses the VPN to have unrestricted access, effectively bypassing the proxy.
Never an issue with Cisco until recently.

While I'm not happy you're having VPN issues, I'm happy I'm not alone with AnyConnect and OPNsense not playing with each other. I'm going to try opening up port 443 and see what happens. While my speeds aren't the best, I would like the stability back. Just out of the blue I lose connection to my emails and anything on our work network, but I can still ping Google and other things, so it doesn't completely die.

And now that I think of it, it all started when I moved from pfSense to OPNsense. I just blamed my work's VPN first, lol.

FWIW I have no issues using AnyConnect. As far as I remember, I did nothing special either.

Quote from: Taunt9930 on March 26, 2024, 08:03:42 PM
FWIW I have no issues using AnyConnect. As far as I remember, I did nothing special either.
For AnyConnect version 5? That is the one I am having issues with; I didn't have any until recently when they upgraded us to 5.

Quote from: mellow65 on March 26, 2024, 07:41:47 PM
While I'm not happy you're having VPN issues, I'm happy I'm not alone with AnyConnect and OPNsense not playing with each other. I'm going to try opening up port 443 and see what happens. While my speeds aren't the best, I would like the stability back. Just out of the blue I lose connection to my emails and anything on our work network, but I can still ping Google and other things, so it doesn't completely die.

And now that I think of it, it all started when I moved from pfSense to OPNsense. I just blamed my work's VPN first, lol.
Let me know how that goes, and the steps to remedy it if you are able to do that.
Thanks

Quote from: gtopnsense on March 26, 2024, 08:51:20 PM
Let me know how that goes, and the steps to remedy it if you are able to do that.
Thanks

Well, this morning was extra-strength slow and already dropping connection not 20 minutes into working.

I opened up 443; that didn't do anything.
I am currently on version 4.something.

I've now bypassed my router and gone straight to my modem, and things seem to have gone back to normal. Later today, after some meetings, I'm going to put my old pfSense router inline between my modem and work computer and see how that works out.

I guess I should have connected the dots that all my Cisco connect issues started when I swapped to OPNsense.

Quote from: gtopnsense on March 26, 2024, 05:55:20 PM
I tried to open UDP port 443 for Cisco and the speed never improved. I tried NAT rules inbound and outbound, set a rule on my LAN for outgoing; no real change.
I don't know if I have missed something or am doing something wrong.
I am using the Squid proxy as well, but I whitelisted the VPN domain when I first set up OPNsense a few years ago. I even set my laptop that uses the VPN to have unrestricted access, effectively bypassing the proxy.
Never an issue with Cisco until recently.

Do a packet capture and check if the session is established via DTLS. Likely it's not.
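One way to run the check Seimus suggests here (and the UDP 443 / DTLS point from the earlier reply), as an added example that is not part of this thread: a small Python parser for DTLS record headers applied to UDP datagrams. The headend address, client address and datagram contents below are constructed placeholders; in practice you would feed it the UDP payloads pulled from a capture taken on the OPNsense LAN interface while the client connects.

```python
import struct

# DTLS record header: type(1) version(2) epoch(2) seq(6) length(2) = 13 bytes (RFC 6347)
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2", 0xFEFC: "DTLS 1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

def parse_dtls_record(payload: bytes) -> "dict | None":
    """Return the first DTLS record in a UDP payload, or None if it does not look like DTLS."""
    if len(payload) < 13:
        return None
    ctype, version, epoch, length = struct.unpack("!BHH6xH", payload[:13])
    if ctype not in CONTENT_TYPES or version not in DTLS_VERSIONS or length > len(payload) - 13:
        return None
    rec = {"version": DTLS_VERSIONS[version], "type": CONTENT_TYPES[ctype], "epoch": epoch, "handshake": None}
    if ctype == 22 and length >= 12:  # handshake header is 12 bytes; byte 0 is the message type
        rec["handshake"] = HANDSHAKE_TYPES.get(payload[13], f"type_{payload[13]}")
    return rec

def dtls_session_state(datagrams, headend: str) -> str:
    """Summarise UDP/443 traffic with the VPN headend: 'established', 'handshake_only' or 'none'."""
    seen = set()
    for src, sport, dst, dport, payload in datagrams:
        rec = parse_dtls_record(payload) if headend in (src, dst) and 443 in (sport, dport) else None
        if rec is not None:
            seen.add(rec["handshake"] or rec["type"])
    if "application_data" in seen:   # epoch-1 records: the DTLS tunnel is carrying data
        return "established"
    if "client_hello" in seen:       # hellos but no data: UDP 443 is probably filtered on the path
        return "handshake_only"
    return "none"                    # no DTLS at all: the client is on TLS over TCP 443 only

def _record(ctype: int, epoch: int, body: bytes) -> bytes:
    """Build a minimal DTLS 1.2 record with a zero sequence number (constructed test data)."""
    return struct.pack("!BHH6xH", ctype, 0xFEFD, epoch, len(body)) + body

HEADEND = "203.0.113.10"                      # placeholder headend address (TEST-NET-3)
HS_TAIL = b"\x00" * 11                        # handshake header fields after msg_type, zeroed
CLIENT_HELLO = _record(22, 0, b"\x01" + HS_TAIL)
SERVER_HELLO = _record(22, 0, b"\x02" + HS_TAIL)
APP_DATA = _record(23, 1, b"\xde\xad\xbe\xef")
QUIC_LIKE = b"\xc3\x00\x00\x00\x01" + b"\x00" * 20  # QUIC also uses UDP 443; must not count as DTLS

WORKING = [("192.168.1.20", 51000, HEADEND, 443, CLIENT_HELLO),
           (HEADEND, 443, "192.168.1.20", 51000, SERVER_HELLO),
           ("192.168.1.20", 51000, HEADEND, 443, APP_DATA)]
FILTERED = [("192.168.1.20", 51000, HEADEND, 443, CLIENT_HELLO)] * 3 + \
           [("192.168.1.20", 52000, "203.0.113.99", 443, QUIC_LIKE)]
```

A result of "handshake_only" or "none" while the VPN is up means the client has fallen back to TLS over TCP, which matches the slow-but-connected symptom described in the thread.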

April 08, 2024, 07:57:51 PM #12 Last Edit: April 08, 2024, 07:59:58 PM by mellow65
Quote from: gtopnsense on March 26, 2024, 08:51:20 PM
Let me know how that goes, and the steps to remedy it if you are able to do that.
Thanks

Here's a very weird update. I'm assuming you have been connecting your work computer via an Ethernet cable; have you tried moving it to Wi-Fi?

I went round and round with my work's IT group with no real luck. I ended up switching to a VM desktop so I could at least get some work done; that came with its own limitations, but I circled back around to my work computer again and played around with some connections, and I find that connecting to Wi-Fi so far seems to have addressed my issues. I have no idea why AnyConnect would treat a Wi-Fi connection differently than an Ethernet cable, but just something to think about.

This is going back through OPNsense via the same VLAN my work computer has always been on. So the only difference is the connection type to the network.

Quote from: gtopnsense on March 25, 2024, 11:32:46 PM
I have my OPNsense updated to the newest version 24..., using it more as a NAT firewall.
For some reason, when I connect my computer to my work VPN with the Cisco AnyConnect client version 5 installed on the PC, my internet on that PC comes to a crawl, 8 megs a second. The client PC will stay connected all day; it's just slow.

When not on VPN, internet is 400 megs.
I also connected my computer directly to my internet gateway to bypass OPNsense, then connected to the Cisco VPN and got much more normal internet speed. What do I need to do so OPNsense allows the Cisco VPN to run at a better speed when I am using the Cisco AnyConnect client on a computer?

This seems to be a newer issue; I have been using OPNsense for a while, as well as Cisco, and hadn't noticed this till recently.
Thanks in advance

1st of all, there's no such thing as AnyConnect 5. Cisco Secure Client 5 works fine here. I have been running AC 4 and SC 5, both without an issue.

You may have the IDP/IDS/Zenarmor active plus other things that may affect your system. But to be honest, ports have nothing to do with this, as you are either connected or not.

It may also be at the other end. Your IT may be using an underpowered Cisco ASA, which is highly likely.

Quote from: gtopnsense on March 26, 2024, 08:50:32 PM
Quote from: Taunt9930 on March 26, 2024, 08:03:42 PM
FWIW I have no issues using AnyConnect. As far as I remember, I did nothing special either.
For AnyConnect version 5? That is the one I am having issues with; I didn't have any until recently when they upgraded us to 5.

Sorry, didn't see this. Yes - Secure Client UI 5.1.0.1047 / AnyConnect VPN 5.1.2.42