Cisco AnyConnect VPN Access Remains Seamless With NS1 Traffic Steering

Recent events have compelled organizations of all sizes and across industries to adopt new approaches that keep employees safe at home while ensuring productivity and security. According to a report by Willis Towers Watson, nearly half (46 percent) of organizations are implementing work from home policies because of the COVID-19 pandemic. As a result, companies are relying on virtual private networks (VPNs), which establish encrypted connections to enterprise applications over the public internet, to connect workforces.

This is where Cisco AnyConnect provides value. It enables users to work from anywhere at any time. AnyConnect simplifies secure endpoint access, while offering network administrators a holistic view of user and device behavior and enhanced threat protection for increased security.

Also with so many more new corporate VPN users, it is even more important that employees’ have a good experience with company technology when working from home. If employees can’t connect or get kicked off the VPN because traffic is higher than normal, there is a great potential for disengagement and loss of productivity. There are important steps companies can take to address these challenges so that connecting to company networks doesn’t leave employees frustrated during a time when tensions are already high.

NS1 has partnered with Cisco AnyConnect to improve the experience for remote employees by intelligently and dynamically steering traffic to the optimal VPN access sites.

Why Add Traffic Steering?

While increasing the number of VPN servers will help to ensure a company has the capacity to accommodate more employees working remotely, there may still be issues with performance or availability if all the users log into the same VPN server. To accommodate this increased demand, organizations can optimize VPN server use by using traffic steering.

Without traffic steering, when an employee uses the remote access software they access the VPN site based on location or a basic round-robin load balancing scheme, or worse yet has the employee make the selection. This is particularly problematic because the decision logic doesn’t account for the latency and congestion created by a large number of other users trying to access the same network from the same general area.

Often there are too many people trying to connect to a single VPN site. When the site hits the maximum number of VPN connections, users get the equivalent of a busy signal. They can’t connect until other employees disconnect. Other times employees can connect but if the platform is approaching the maximum VPN throughput it can handle, the connection is so slow that their applications aren’t really usable.

These challenges are overcome when NS1 VPN Traffic Steering and Cisco Any Connect are deployed together. As people login with AnyConnect, NS1 steers them to the nearest, healthy Cisco VPN site with the most capacity. As a result, organizations can:

• Improve availability by making intelligent routing decisions based on the actual load at VPN sites
• Boost performance by steering users to the lowest latency VPN site
• Optimize use of VPN capacity to manage costs

Monitor to Adapt as Needed

Continuous monitoring is a crucial step to making sure your VPN connections remain accessible and performant for employees. NS1’s integrated monitoring can test infrastructure health and remove failed VPN sites from steering decisions automatically. AnyConnect users are steered around infrastructure or capacity problems which increases remote access availability.

Prevent issues with load shedding

Since VPN sites have hard limits on how many connections they can handle, having an automated way to gradually reduce, and ultimately stop, connections to overloaded ASA sites is particularly important for preventing overloads and performance brownouts. We do this by adjusting the site a user is sent to based on the number of active connections and configuring thresholds to take action.

For example, setting a threshold at 85% tells our system to start reducing the number of new connections when a particular VPN site reaches that capacity and steers the extra requests to alternative sites. As the number of connections at a particular site creeps up toward 100%, more and more connection requests are sent to other locations (see chart below). This way the number of connections at that VPN site increases at slower and slower rates, and therefore it is less likely to be overwhelmed and impact AnyConnect users’ experience. Conversely, when the number of connections slide back down, less and less traffic will be sent to other locations.

Optimize capacity utilization to minimize cost

Intelligent traffic routing also helps minimize cost of scaling up to support increasing demand. Rather than simply adding capacity individually at each VPN site as limits are reached, NS1 automatically balances incoming connections across the entire available capacity across multiple sites. As a result, organizations get the most of their existing investments without sacrificing AnyConnect user experience.

Conclusion

By adding traffic steering across AnyConnect VPN sites and consistently monitoring performance, employers can deliver the same seamless network and technology experiences that employees expect from an office setting. In a time of uncertainty and worry, this can help reduce the stress of working remotely while also creating a resilient network. We're happy to help you take advantage of traffic steering capabilities in your stack, or just lend our expertise - whatever we can do to help as we all navigate change together. Reach out any time.