[c-nsp] ASA SSL TLS Tunnel Window Sizes

James Michael Keller jmkeller at houseofzen.org
Sun Nov 1 16:24:10 EST 2009


All,

We have been having some SSL VPN (TLS transport) performance issues on
ASA units dedicated to just VPN access. The issue is we're maxing out
at 5 Mbps on a tunneled connection, but our legacy SSL VPN solution is
close to wire speed, with the tunnel overhead taken into consideration,
for the same traffic.

I noticed from captures that the ASAs are starting with an initial TCP
window of 8192 and never exceed that, but will reduce it after packet
loss and then come back up to 8192 after the congestion avoidance
period. The legacy SSL appliance starts at 5840 but after the slow start
period ramps up and stabilizes at 44448.

From external test connections with about 12 ms RTT the 8192 value
should get us 5.4 Mbps in theory, and that matches real tests at just under
5 Mbps for the tunneled traffic.

I couldn't find anything for adjusting the max/initial (or any other)
window size for the WebVPN/SVC processes themselves, just for passed-traffic
inspection to drop/clear/allow window-size-related packets during
inspection.

Thanks in advance for any pointers.

-James
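The arithmetic behind the post (one receive window of data per round trip) is the check a practitioner wants to run against a capture before blaming the appliance. The script below is an added example, not code from the original post or from Cisco. It parses constructed lines in the shape of tshark's field output (the field names tcp.window_size_value and tcp.window_size_scalefactor are real; the addresses and values are invented), applies any negotiated window scale factor so a small raw value is not misread, and computes the throughput ceiling each host's largest advertised window implies at a given RTT, plus the window a target rate would need. Note that the window a host advertises caps the data its peer may have in flight toward it, so the ASA's 8192 bounds traffic flowing into the ASA.

```python
"""Estimate the TCP receive-window ceiling on tunnel throughput.

Added example, not from the original post or from Cisco. The capture lines
below are constructed to resemble the output of
  tshark -r vpn.pcap -T fields -E separator=, \
      -e tcp.stream -e ip.src -e tcp.window_size_value -e tcp.window_size_scalefactor
(real tshark field names; the addresses and values are invented).
"""
from collections import defaultdict
from math import ceil

# Constructed sample, one stream with two peers. tshark reports the scale
# factor as a multiplier, -1 when window scaling was not negotiated and -2
# when the SYN was not seen (assumption about the tool's convention; check it
# against your own capture).
SAMPLE_CAPTURE = """\
0,10.0.0.5,8192,-1
0,198.51.100.7,5840,-1
0,10.0.0.5,8192,-1
0,198.51.100.7,44448,-1
0,10.0.0.5,4096,-1
0,10.0.0.5,8192,-1
"""


def effective_window(raw_window, scale_factor):
    """Window in bytes after applying a negotiated scale factor (if any).

    A raw value of 8192 with a factor of 128 is really 1 MiB, so a capture
    must be read with the factor before concluding the window is small.
    """
    if scale_factor is not None and scale_factor > 0:
        return raw_window * scale_factor
    return raw_window


def parse_windows(text):
    """Map each source address to the effective windows it advertised, in order."""
    windows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _stream, src, raw, factor = line.split(",")
        # "-2" (unknown) is treated as unscaled; there is nothing better to do.
        scale = int(factor) if factor not in ("", "-2") else None
        windows[src].append(effective_window(int(raw), scale))
    return dict(windows)


def window_limited_throughput_bps(window_bytes, rtt_ms):
    """Throughput ceiling when at most one window can be in flight per RTT."""
    return window_bytes * 8 * 1000 / rtt_ms


def window_for_throughput(target_bps, rtt_ms):
    """Smallest window (bytes) that permits target_bps at the given RTT."""
    return ceil(target_bps * rtt_ms / 8000)


def summarize(text, rtt_ms):
    """Per host: the largest window seen and the ceiling it implies at rtt_ms."""
    summary = {}
    for src, seen in parse_windows(text).items():
        largest = max(seen)
        summary[src] = {
            "max_window_bytes": largest,
            "ceiling_bps": window_limited_throughput_bps(largest, rtt_ms),
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_CAPTURE, rtt_ms=12).items():
        print(f"{host}: max window {info['max_window_bytes']} B, "
              f"ceiling {info['ceiling_bps'] / 1e6:.2f} Mbps at 12 ms RTT")
    print("window needed for 100 Mbps at 12 ms:",
          window_for_throughput(100_000_000, 12), "bytes")
```

On the constructed sample the 8192-byte host comes out at about 5.46 Mbps and the 44448-byte host at about 29.6 Mbps for a 12 ms RTT, which matches the figures in the post. Any window above 65535 bytes (150000 bytes for 100 Mbps at 12 ms, for instance) can only be advertised if the window-scale option was negotiated in the SYN exchange, so when a capture shows a fixed small value the first thing to confirm is whether the scale option is present at all.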

