
Reduce CPU usage for AnyConnect during online all-employee meeting

DaveNoonan26775
Level 1

We have an ASA, actually an FPR-2120 running ASA code 9.14(2)4, terminating AnyConnect VPN. During an online all-hands meeting this device has previously gone to 90+% CPU and stayed there for the duration of the meeting, which made it unusable for call center folks who were still working during the meeting.

I expect the first suggestion to be split-tunneling and we do have that in place for the meeting provider. However, it was in place during the last meeting (minus two subnets) and the CPU still maxed out. I find it doubtful that we happened to have a LOT of traffic on those two subnets.

Bigger firewalls are on order but not due till after the next meeting, so I'm looking for any other options that might be available as a stopgap.

Thank you

 

5 Replies

@DaveNoonan26775 split tunneling was going to be my first suggestion.

Is the FPR2120 doing other services that could be consuming the CPU? Or is this a dedicated VPN concentrator?

The other suggestion is to check the tunnel protocol and use the one with lower overhead - DTLS 1.2.

Have you seen this AnyConnect performance guide? https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215331-anyconnect-implementation-and-performanc.html

 

DaveNoonan26775
Level 1

It's a dedicated AnyConnect box. 

I'll check the link and the protocol. Thanks for those suggestions.

 

DaveNoonan26775
Level 1

Related question, the firewall is an HA pair so how much effort would be involved in moving it to active/active for VPN?

I haven't made that change before and it just occurred to me so I'm off to the search engines but thought someone else might have experience with it.

@DaveNoonan26775 in that case consider reconfiguring the 2 ASAs using VPN load balancing. That will distribute the load evenly over the 2 devices.

https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/

 

DaveNoonan26775
Level 1

I was just on that site reading their active/active article and I had also bumped into VPN load-balancing, which I'd forgotten about. The joys of being a geek-of-all-trades: you do things and then forget how you did them or that you did them at all. I've learned to make notes.

Thank you, Rob. I think VPN load-balancing is going to be my answer.
