Cisco Secure Connect download bandwidth problem

SecureConnctUsr

Hello,

My company migrated from ‘Cisco Meraki + Umbrella’ to ‘Cisco Secure Connect’ a few weeks ago.

Since this upgrade, our download speeds have been catastrophic.

For example, when I download the Windows 11 ISO, I can only download at 2 Mb/s even though we have a symmetrical 1 Gb fibre line.

[screenshot: Outlook-utupai5a.png]

We have 10 sites made up of MX67, MX85 and MX95 all at version MX18.211.2.

At first I thought it was the IDS that was causing the problem, so I disabled it, but nothing has improved.

[screenshot: disable_IDS.png]

I then checked all the firewall rules but none of them could restrict the bandwidth.

The same goes for the QoS rules.

[screenshot: traffic shaping rules.png]

On the Umbrella side, there's nothing to suggest that the bandwidth per site is very limited.

I'm at a loss, so to speak.

Has anyone encountered this problem before?

Thanks in advance for your answers,

Best regards,

9 Replies
PhilipDAth

Are you using the Umbrella DNS servers?

Are you referring to access from Cisco Secure Client, or do you mean via an MX through AutoVPN to Umbrella?

SecureConnctUsr

Hello,

We are using Umbrella as public DNS servers, and I am referring to MX through AutoVPN to Umbrella.

Sincerely,

mlefebvre

We don't use Secure Connect, for the record, but this is where I would start; in particular, check whether you are hitting the tunnel performance limit:

https://docs.umbrella.com/umbrella-user-guide/docs/limitations-and-range-limits

IPsec Tunnel Performance

250 Mbps download, 80 Mbps upload, and 50,000 combined packets per second.

Based on GCM encryption with 900 byte average packet size.

SahandC

Hi mlefebvre,

This is definitely applicable for IPsec tunnels. The AutoVPN tunnels in question are capable of 500 Mbps bi-directional.

https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites/Cisco_Secur...

We're planning on bringing bandwidth parity between the two VPN headend implementations in the near future, as well as long-term plans for better performance all round.

SahandC

Hi SecureConnctUsr,

You mentioned you moved from Meraki MX + Umbrella to Secure Connect; was that Umbrella DNS or SIG?

The QoS rules won't help much after traffic leaves the MX. Once that traffic is forwarded through the AutoVPN tunnel up to Secure Connect, the cloud VPN headend won't make any traffic prioritization decisions based on the DSCP tags configured.

To verify this is definitely a symptom of traffic going through Secure Connect, create a test VLAN set to VPN mode off, and run the tests again. If you verify that traffic being passed through Secure Connect is significantly slower, review your policies (specifically Cloud Firewall policies to check the IPS there, and Web policies for SSL decryption).
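A small helper for the A/B test suggested above, as an added example that is not part of the thread and not Cisco's or Meraki's code. It reads the client-side JSON that `iperf3 -J` emits for one run from the bypass VLAN (VPN mode off) and one from the tunneled VLAN, turns the thread's published ceilings (the Umbrella IPsec figures quoted by mlefebvre and the 500 Mbps AutoVPN figure) into an expected cap, and says whether the measured gap looks like tunnel capacity or like policy (cloud firewall/IPS, SSL decryption). The iperf3 snippets are constructed, the 50%/80% thresholds are assumptions, and the packets-per-second cap is applied only to the IPsec figures because no pps limit is published on the page for AutoVPN.

```python
"""Score a Secure Connect A/B throughput test (added example, not from the thread).

Assumed workflow: `iperf3 -c <server> -J` run from a client in the bypass
VLAN and from a client in the tunneled VLAN against the same server.
"""
import json

# Ceilings quoted in the thread.
IPSEC_DOWNLOAD_MBPS = 250.0     # Umbrella IPsec tunnel, download
IPSEC_UPLOAD_MBPS = 80.0        # Umbrella IPsec tunnel, upload
IPSEC_PPS_LIMIT = 50_000        # combined packets per second
IPSEC_AVG_PACKET_BYTES = 900    # packet size the IPsec figures assume
AUTOVPN_MBPS = 500.0            # AutoVPN to Secure Connect, bi-directional


def pps_bound_mbps(pps_limit: int, avg_packet_bytes: int) -> float:
    """Throughput implied by a packets-per-second cap at a given mean packet size."""
    return pps_limit * avg_packet_bytes * 8 / 1e6


def effective_ceiling_mbps(bw_limit_mbps: float, pps_limit: int, avg_packet_bytes: int) -> float:
    """Whichever cap binds first.

    Small packets (VoIP, DNS) hit the pps cap long before the advertised
    bandwidth; a bulk download with large packets hits the bandwidth cap.
    """
    return min(bw_limit_mbps, pps_bound_mbps(pps_limit, avg_packet_bytes))


def iperf3_mbps(result_json: str) -> float:
    """Receiver-side average throughput (Mbit/s) from `iperf3 -J` client output."""
    end = json.loads(result_json)["end"]
    return end["sum_received"]["bits_per_second"] / 1e6


def classify(bypass_mbps: float, tunneled_mbps: float, ceiling_mbps: float) -> str:
    """Map the two measurements to the next troubleshooting step.

    Thresholds are assumptions: a tunneled result at or above half the bypass
    result is no meaningful penalty; at or above 80% of the headend ceiling
    means the tunnel cap is the bottleneck; anything lower points at policy
    (cloud firewall/IPS, web policy with SSL decryption), not capacity.
    """
    if tunneled_mbps >= 0.5 * bypass_mbps:
        return "no significant tunnel penalty"
    if tunneled_mbps >= 0.8 * ceiling_mbps:
        return "tunneled path is at the headend ceiling"
    return "tunneled path far below ceiling: inspect cloud firewall/IPS and web policy (SSL decryption)"


# Constructed iperf3 -J output, trimmed to the fields used here (not real captures).
BYPASS_RESULT = '{"end": {"sum_received": {"bits_per_second": 940000000.0}}}'
TUNNELED_RESULT = '{"end": {"sum_received": {"bits_per_second": 2100000.0}}}'


def report() -> dict:
    """Run the comparison on the constructed samples and return the findings."""
    bypass = iperf3_mbps(BYPASS_RESULT)
    tunneled = iperf3_mbps(TUNNELED_RESULT)
    return {
        "bypass_mbps": bypass,
        "tunneled_mbps": tunneled,
        # IPsec: bandwidth cap vs. pps cap at the documented 900-byte average.
        "ipsec_download_ceiling_mbps": effective_ceiling_mbps(
            IPSEC_DOWNLOAD_MBPS, IPSEC_PPS_LIMIT, IPSEC_AVG_PACKET_BYTES),
        # AutoVPN: only the 500 Mbps figure is published on the page.
        "autovpn_ceiling_mbps": AUTOVPN_MBPS,
        "verdict": classify(bypass, tunneled, AUTOVPN_MBPS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed samples (940 Mbit/s bypass, 2.1 Mbit/s tunneled) the verdict is "far below ceiling", which is the case where the employee's advice to review Cloud Firewall and Web policies applies; the IPsec ceiling stays at 250 Mbit/s because 50,000 pps at 900 bytes works out to 360 Mbit/s, but at 64-byte packets the pps cap alone would limit the tunnel to about 25.6 Mbit/s.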

SecureConnctUsr

Hello SahandC,

Thank you for your answer and your time.

It was Umbrella SIG.

[screenshot: SecureConnctUsr_0-1730276094789.png]

I deleted the tunnels in "Cloud on Ramp" before migrating.

As our speed problems occurred shortly after the migration, I didn't create any rules in the cloud firewall.

[screenshot: SecureConnctUsr_1-1730276323047.png]

Here's the web policy I configured:

[screenshot: SecureConnctUsr_2-1730276477891.png]

[screenshot: SecureConnctUsr_3-1730276502241.png]

I can't think of anything that would cause bandwidth problems. Do you have any ideas?

I had deactivated IPS to make sure it wasn't the cause of the problem, but nothing has changed since it was deactivated.

However, I didn't activate the ‘Umbrella Protection’ section. Could this be the cause?

[screenshot: SecureConnctUsr_4-1730276795569.png]

Sincerely,

SahandC

Did you migrate to Secure Connect from SIGraki or just a regular Meraki SD-WAN deployment?

SecureConnctUsr

Hello Sahand,

We migrated from SIGraki.

from_afar

Are you downloading from Windows or from somewhere on your LAN? If from the web, you can try adding the Windows download (and other) URLs to your global or specific Whitelist/Allow list. You can also try to bypass decryption if you have that enabled. Finally, you can avoid Umbrella altogether for those domains/URLs by adding them to the Security & SD-WAN > Threat Protection > Umbrella protection > "Specify one or more domain names below (one per row) to be excluded from being routed to Cisco Umbrella." text area.
