VPN Scaling Under Load: Tuning Cisco AnyConnect Remote Access
Scaling Remote Access VPN connections for 3,000+ remote workers. Resolving DTLS fallback issues and split-tunneling bottlenecks.
“When remote user connections doubled overnight, the VPN gateway CPU pegged at 99%. The culprit wasn’t bandwidth—it was TLS encapsulation overhead.”
At Wipro, scaling Remote Access VPN capacity on Cisco ASA firewalls required optimizing how AnyConnect handles encryption protocols.
TLS vs. DTLS Acceleration
By default, AnyConnect attempts to negotiate Datagram Transport Layer Security (DTLS) over UDP port 443.
If UDP 443 is blocked or degraded by transit ISPs, AnyConnect falls back to standard TLS over TCP port 443.
- TLS TCP Encapsulation: Tunneling TCP traffic inside a TCP VPN tunnel causes TCP Meltdown, where lost packets trigger double retransmission timers.
- DTLS UDP Acceleration: Tunneling packets over UDP eliminates TCP meltdown and reduces CPU load on the ASA firewall by 40%.
[!IMPORTANT] Always ensure UDP port 443 is open across perimeter firewalls to allow AnyConnect clients to establish high-performance DTLS connections.
# # Cisco ASA Enable DTLS Acceleration
webvpn
enable outside
anyconnect-essentials
anyconnect enable
webvpn
port 443
dtls port 443
The Verdict
Key Takeaway
Use UDP-Based Protocols for Encapsulated VPN Tunnels.
Avoid TCP-over-TCP tunnel degradation. Enabling DTLS reduces gateway CPU utilization and delivers a fast, low-latency remote access experience.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.