Meraki

Community

Meraki VPN vs AnyConnect

RANT
Comes here often
‎Jun 7 2024 9:31 AM
‎Jun 7 2024 9:31 AM

Meraki VPN vs AnyConnect

Background: recently upgraded MX100 firewall pair with MX105s. The firewall are set inline between my internet firewalls (cisco ASAs, which also act as AnyConnect VPN termination points) and core switches, setup as passthrough VPN concentrators. Intrusion Prevention is enabled, AMP is enabled, so they are analyzing all internet incoming/outbound traffic. Remote users are utilizing MX67 firewalls. Some of the users have gigabit internet (AT&T fiber, Google fiber).

 

Observations: The MX100s (during peak traffic times) would appear to be bottlenecked due to high CPU utilization (80-100%), causing significant slowness in remote user traffic. The CPU utilization on the MX105s doesn't even get to 20% yet my users still complain of significantly reduced performance compared to using AnyConnect. I have personally seen this from a specific user, in which image download times on AnyConnect are 50% of times when using Meraki VPN.

 

Setup: The MX105s default route is set to the internet firewalls, so what I think is happening is that incoming remote user traffic (encrypted) comes in through the internet firewalls, hit the MX105, is decrypted, then routed to the internet firewall, which then bounces the traffic back to the core routers, and then on to the data center servers. This seems pretty inefficient.

 

I would think that these newer firewalls would process the data better/faster, and that much of the slowdowns experienced before should go away, but it doesn't appear to be that way. Any ideas?

Labels:
0 Kudos
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 7 2024 9:36 AM
‎Jun 7 2024 9:36 AM

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Jun 8 2024 1:09 AM
‎Jun 8 2024 1:09 AM

That is the expected behavior of MX'es setup as VPN concentrators.  They can only receive encrypted traffic on their WAN port and decrypt it and send it back upstream on the same port.

If you want to use them as VPN concentrators it would be smarter to put these MX'es behind the core switches so their default gateway is the core which is many times faster and more efficient.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 8 2024 7:25 PM
‎Jun 8 2024 7:25 PM

>then routed to the internet firewall

 

It may be the routing performance for your ASAs is not so great.

 

I assume when you say "Meraki VPN" you are talking about AnyConnect to the MX105s?

 

On your ASA, are you allowing both TCP and UDP 443 to the MX105s (or whatever port you are using for AnyConnect)?

0 Kudos
RANT
Comes here often
‎Jun 10 2024 5:46 AM
‎Jun 10 2024 5:46 AM

So I forgot some details. It isn't setup in the one armed config on the WAN port. The WAN port is connected to the core switch, and port 3 is connected to the "Inside" interface on the ASA.

Also for @PhilipDAth no, we're not doing AnyConnect to the Merakis. AnyConnect is terminating at the ASAs facing the internet.

0 Kudos
In response to RANT
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 10 2024 1:18 PM
‎Jun 10 2024 1:18 PM

It is not really a fair comparison.  Why don't you change over to using AnyConnect on the MX, so it is a "like for like" performance comparison?

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

 

You could even look at using SAML based authentication against Office 365 (so you get automatic MFA):
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SA...

 

0 Kudos
pdeleuw
Getting noticed
‎Jun 11 2024 12:39 AM
‎Jun 11 2024 12:39 AM

"Meraki VPN" ist based on IPsec and L2TP. L2TP has additional overhead. Maybe you have a fragmentation problem? Check the MTU setting on client side. For Auto VPN the MX does Path MTU Discovery. I do not know if this is true for Client VPN, too. It is not possible setting the MTU on the MX manually. You have to contact the support for doing that.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.