← Back to Engineering Blog
🗓️ Aug 12, 2017 ⏱️ 1 min read

VPN Scaling Under Load: Tuning Cisco AnyConnect Remote Access

Scaling Remote Access VPN connections for 3,000+ remote workers. Resolving DTLS fallback issues and split-tunneling bottlenecks.

🎙️ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

“When remote user connections doubled overnight, the VPN gateway CPU pegged at 99%. The culprit wasn’t bandwidth—it was TLS encapsulation overhead.”

At Wipro, scaling Remote Access VPN capacity on Cisco ASA firewalls required optimizing how AnyConnect handles encryption protocols.


TLS vs. DTLS Acceleration

By default, AnyConnect attempts to negotiate Datagram Transport Layer Security (DTLS) over UDP port 443.

If UDP 443 is blocked or degraded by transit ISPs, AnyConnect falls back to standard TLS over TCP port 443.

  • TLS TCP Encapsulation: Tunneling TCP traffic inside a TCP VPN tunnel causes TCP Meltdown, where lost packets trigger double retransmission timers.
  • DTLS UDP Acceleration: Tunneling packets over UDP eliminates TCP meltdown and reduces CPU load on the ASA firewall by 40%.

[!IMPORTANT] Always ensure UDP port 443 is open across perimeter firewalls to allow AnyConnect clients to establish high-performance DTLS connections.

# # Cisco ASA Enable DTLS Acceleration
webvpn
 enable outside
 anyconnect-essentials
 anyconnect enable
 webvpn
  port 443
  dtls port 443

The Verdict

Key Takeaway

Use UDP-Based Protocols for Encapsulated VPN Tunnels.

Avoid TCP-over-TCP tunnel degradation. Enabling DTLS reduces gateway CPU utilization and delivers a fast, low-latency remote access experience.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.