Optimising VPN Performance for Distributed Teams in the UK: Tuning AnyConnect

James Whitmore
2026-05-20

A practical AnyConnect playbook for faster UK VPNs: bandwidth, MTU fixes, split tunnelling, monitoring, and tuning recommendations.

VPN performance problems are rarely caused by a single bottleneck. In most UK distributed teams, slow logins, application lag, intermittent disconnects, and failed file transfers are the result of several small issues stacking together: poor bandwidth planning, path MTU mismatch, overly broad tunnelling policies, and weak visibility into client-side behaviour. If you're running secure remote access infrastructure in the UK for employees, contractors, or third-party support staff, the good news is that most performance gains are practical and measurable. You do not need to redesign your whole network to get major improvements; you need a disciplined approach to VPN performance tuning, plus a repeatable way to test every change.

This guide is a practical playbook for improving AnyConnect VPN performance across distributed UK users. We’ll cover planning for bandwidth and concurrency, fixing MTU and fragmentation issues, deciding what should and should not traverse the tunnel, and measuring the impact using actionable metrics. If you are comparing architecture options, it also helps to frame the problem within your wider remote-access strategy, including UK business VPN procurement, UK managed VPN services support, and even longer-term design choices such as VPN deployment patterns that avoid vendor lock-in and reduce operational risk.

Throughout the article, we’ll also connect performance tuning to real-world troubleshooting workflows. That means thinking beyond the endpoint and into routing, DNS, application latency, and user journey breakpoints. For practical adjacent reading, see our broader guidance on VPN client troubleshooting, SSL VPN configuration, and the network design questions that often come up when teams grow into site-to-site VPN setup scenarios. The goal is not just to make the tunnel “work”; it is to make it fast enough, stable enough, and observable enough that remote access becomes boring in the best possible way.

1. Start with the performance model: what actually slows VPN users down

Latency, jitter, packet loss, and throughput are different problems

Many teams describe VPN performance as “slow,” but that label hides several distinct failure modes. High latency makes interactive sessions feel sticky, especially for VDI, RDP, SaaS admin portals, and source-control workflows. Jitter causes voice and real-time collaboration issues, while packet loss creates retransmissions that can crush throughput even when the bandwidth looks healthy on paper. A good tuning process begins by identifying which symptom dominates, because the fix for a high-latency connection is usually not the same as the fix for a fragmentation-heavy path or a congested concentrator.

For example, a developer in Manchester working from home may have 250 Mbps broadband, but if the VPN routes every SaaS request back to a London headend and then out to Microsoft 365, the session still feels sluggish. Likewise, an IT admin in Bristol may be fine browsing internal tools but experiences failed uploads to a file share because a PMTUD break in the ISP path causes hidden fragmentation and retransmission. In other words, “fast internet” at the office or at home does not guarantee fast VPN; you have to analyse the entire path between client, tunnel, and destination. This is why performance tuning should be treated as a system problem, not just a client setting.

Pro tip: If a user reports “VPN is slow,” ask three questions first: Is the issue all traffic or only internal apps? Is it constant or only at certain times? Does it affect one device, one site, or everyone? Those answers usually cut troubleshooting time dramatically.

Why distributed teams feel VPN problems more acutely

UK distributed teams often sit across consumer ISPs, mobile hotspots, co-working spaces, and home routers with very different buffering and routing characteristics. That diversity makes performance tuning harder, but it also means small gains scale across a much larger portion of the user base. Teams that work across time zones may also see traffic spikes at the start of the working day, when authentication, sync, and file-opening bursts all happen together. If your remote access stack is dimensioned only for “average” use, you can get bottlenecks even when the headline utilisation numbers look acceptable.

This is where a vendor-neutral planning mindset pays off. Review your remote access assumptions in the same way you would a software performance budget: define user classes, identify critical workflows, and measure peak concurrency rather than just daily averages. Our general strategy guide on long-term business stability is useful here, because network resilience is partly a financial decision too. Teams that plan properly can often avoid emergency upgrades, reduce helpdesk tickets, and improve user satisfaction at the same time.

What “good enough” performance looks like

Not every remote-access scenario needs ultra-low latency. For many UK SMBs, a sensible benchmark is that basic admin tools should feel close to native, office apps should launch quickly, and large file transfer performance should be predictable rather than necessarily “fast.” The right target depends on your use case: a finance team operating over UK GDPR-sensitive systems has different priorities from a software team pulling repositories or a field service team accessing internal dashboards. The trick is to define acceptable user experience thresholds before you start changing configuration.

As a rule, you should expect better performance from SSL VPN configuration when the tunnel is tuned carefully, split traffic is implemented sensibly, and authentication overhead is minimised. If the tunnel is doing too much, or if it is asked to carry traffic that should stay local, every other optimisation becomes less effective. Performance is cumulative: authentication, routing, encryption, encapsulation, and endpoint health all contribute to perceived speed.

2. Build a bandwidth and concurrency plan before changing settings

Estimate concurrent users, not just licensed users

One of the most common mistakes in VPN planning is sizing for headcount rather than concurrency. If you have 180 employees but only 60 are simultaneously active on the remote-access platform at peak times, your sizing model must reflect that real pattern. AnyConnect deployments often support a mix of always-on users, occasional contractors, and support staff who connect in bursts. Without a concurrency model, admins can overbuy concentrator capacity in one area while underestimating authentication, DNS, or egress bottlenecks elsewhere.

Start by segmenting users into groups: heavy users, light users, privileged admins, and contractors. Then assign each group typical activities such as IDE sync, RDP, web app access, or large file movement. This mirrors the practical thinking used in other planning disciplines like when to use a temp download service vs cloud storage, where the choice depends on usage patterns rather than abstract “best practice.” For VPN, the same principle applies: capacity decisions must be grounded in actual behaviour.

Separate control-plane load from data-plane load

Authentication and tunnel establishment create spikes that can mislead capacity planning if you only watch average throughput. On Monday mornings, users may log in within a tight time window, while during the rest of the day the tunnel is comparatively quiet. If your identity provider, MFA service, or certificate validation path is slow, users may blame the VPN even when the bottleneck is elsewhere. Make sure to measure login success rates, authentication latency, and tunnel establishment times separately from steady-state throughput.

A practical approach is to create a simple spreadsheet with four columns: user class, peak concurrent count, expected throughput per user, and criticality. From there, you can estimate total load and then apply a safety margin for burst traffic and retransmission overhead. If your organisation is growing, use the same analytical discipline that teams apply in broader planning contexts such as how tech startups should read labour signals: avoid guessing, and build a decision model from observable data. In VPN environments, guesswork usually becomes a helpdesk ticket later.

Watch the hidden impact of “chatty” applications

Bandwidth planning should account not only for file size but also for round-trip intensity. A “lightweight” app that sends dozens of small requests per page load can perform worse over VPN than a larger but more efficient application. Database management tools, DevOps consoles, and internal line-of-business apps often generate many sequential requests, making them sensitive to latency. That is why improving performance sometimes means reducing what crosses the tunnel, not simply adding capacity.

Once you understand app chatter, you can prioritise which traffic deserves the VPN and which traffic should go direct to the internet. This is especially important for SaaS-heavy environments where routing every browser session through the headend adds unnecessary delay. For a deeper operational mindset, our article on data-driven content calendars offers a useful analogy: the best results come from choosing the right signals and suppressing the noise. VPN tuning follows the same logic.

3. Fix MTU, MSS, and fragmentation before chasing exotic optimisations

Why MTU problems show up as random slowness

Path MTU issues are a classic cause of VPN weirdness because they do not always fail consistently. Users may open some websites normally, but encounter broken uploads, slow file sync, or stalled sessions when a packet larger than the path allows is dropped and never acknowledged properly. With AnyConnect and similar SSL VPNs, encapsulation overhead reduces the effective payload size, which means the “normal” LAN MTU often becomes too large once traffic enters the tunnel. If the path also includes ISP quirks, PPPoE overhead, or asymmetric routing, the problem becomes even harder to spot.

In practical terms, if you see users reporting that only certain applications fail or that large transfers hang partway through, suspect MTU before you suspect encryption overhead. The difference matters because MTU errors are fixable with targeted configuration changes, while capacity issues require broader architectural changes. This is also why teams should avoid vague troubleshooting labels like “the VPN is flaky” and instead log the exact symptom, application, and packet size behaviour. Precision is what turns a random complaint into a solvable engineering problem.

How to test for fragmentation the right way

Start by running controlled pings with the “do not fragment” flag from a client that exhibits the issue, then reduce packet size until you find the largest stable payload. Test both directions if possible, because some paths are asymmetric and may behave differently for uploads versus downloads. If the VPN supports it, verify the effective tunnel MTU from the client side and compare it against your gateway and transit assumptions. You do not need advanced tooling to catch most issues, just a disciplined method and a willingness to test more than one user path.

When you discover a lower-than-expected MTU, consider setting a conservative tunnel MTU and MSS clamping strategy rather than pushing the limit. A small performance trade-off is often worth the operational stability gained. This approach is similar to choosing a more stable delivery method in how bike delivery and assembly works when you buy online in the UK: the optimal choice is not the one that looks fastest in theory, but the one that reliably arrives intact. In VPN terms, consistent packet delivery usually beats theoretical maximum throughput.
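The test procedure above as a script. This is an added example, not code from the original article or from Cisco. It assumes the probe runs with the VPN connected against an internal host, so the result is the effective MTU inside the tunnel. The function names, the 500 to 1472 byte search range and the `margin` parameter are illustrative choices.

```python
"""Binary-search the largest 'do not fragment' ping payload on a path."""
import platform
import subprocess
import sys

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with DF set; True if it was answered."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), "-t", str(timeout_s), host]
    else:  # Linux iputils
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              errors="replace", timeout=timeout_s + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    if system == "Windows":
        # Windows ping can exit 0 on an ICMP error reply, so require an echo reply line.
        return "TTL=" in done.stdout
    return done.returncode == 0


def largest_df_payload(probe, low=500, high=1472, attempts=2):
    """Largest size in [low, high] for which probe(size) succeeds, or None.

    Assumes success is monotonic: if a size passes, every smaller size passes.
    Each size is tried up to `attempts` times so one lost packet is not
    mistaken for an MTU limit.
    """
    def passes(size):
        return any(probe(size) for _ in range(attempts))

    if not passes(low):
        return None          # path down or ICMP filtered: not an MTU result
    if passes(high):
        return high
    while high - low > 1:    # invariant: `low` passes, `high` fails
        mid = (low + high) // 2
        if passes(mid):
            low = mid
        else:
            high = mid
    return low


def conservative_settings(payload_by_path, margin=0):
    """Derive tunnel MTU and TCP MSS from the weakest measured path.

    `payload_by_path` maps a path label to its largest DF payload;
    `margin` is extra headroom in bytes subtracted from the measured MTU.
    """
    weakest = min(payload_by_path, key=payload_by_path.get)
    path_mtu = payload_by_path[weakest] + IPV4_ICMP_OVERHEAD
    tunnel_mtu = path_mtu - margin
    return {"weakest_path": weakest, "path_mtu": path_mtu,
            "tunnel_mtu": tunnel_mtu, "tcp_mss": tunnel_mtu - IPV4_TCP_OVERHEAD}


if __name__ == "__main__":
    target = sys.argv[1]  # internal host reachable through the connected tunnel
    size = largest_df_payload(lambda n: ping_df(target, n))
    if size is None:
        print("no reply at the minimum size; check reachability before blaming MTU")
    else:
        print(conservative_settings({target: size}))
```

Run it from several last-mile networks and feed all results into `conservative_settings` so the values you standardise on come from the weakest path rather than the best one.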

Practical tuning recommendations for AnyConnect

For AnyConnect deployments, validate whether your headend, profile settings, and firewall path are applying compatible MTU/MSS values. Many teams achieve better stability by standardising a slightly reduced tunnel MTU and then testing against the most common endpoint types: Windows laptops on home broadband, macOS devices on hotel Wi-Fi, and mobile clients on tethered connections. If you have a mixed device estate, test the weakest path, not the best one. A setting that works beautifully for fibre at home may fail on a café network with extra encapsulation overhead.

If you use an external monitoring or managed support layer, make sure MTU testing is part of standard change validation. Too often, teams roll out a “performance fix” that actually increases fragmentation for some users. For a bigger-picture view on risk-managed deployment and controlled rollouts, see designing procurement systems to survive shocks, which makes a similar point about resilience: good systems tolerate variability instead of assuming ideal conditions.

4. Use split tunnelling strategically, not emotionally

Split tunnel is a design choice, not a shortcut

Split tunnelling gets debated as though it were a moral issue, but it is really a traffic-engineering decision. If every destination is forced through the VPN, you increase load on the headend and add latency to traffic that may not need to traverse your internal network at all. If you split too aggressively, however, you may weaken visibility, complicate security policy, and create inconsistent application behaviour. The right answer is usually a policy-based split-tunnel design that keeps sensitive internal resources protected while allowing trusted SaaS and consumer internet traffic to go direct.

For UK teams, this question is especially important because many organisations already use cloud services extensively. Routing Microsoft 365, payroll SaaS, collaboration tools, and software updates through the corporate tunnel can generate needless congestion and user complaints. A thoughtful split-tunnel policy reduces load and improves the perceived responsiveness of essential internal systems. It also helps you reserve VPN capacity for the traffic that actually needs to be protected.

What to keep in the tunnel and what to send direct

As a rule, keep access to internal file shares, admin consoles, private APIs, legacy apps, and internal DNS inside the tunnel. Send well-understood SaaS traffic, software updates, and public web browsing direct unless you have a specific compliance or inspection requirement that says otherwise. If your team supports developers, be especially careful not to tunnel large package downloads and dependency updates unnecessarily, because they can be surprisingly bandwidth-intensive. The result of poor policy design is that every engineer’s `npm install` or container pull becomes a VPN stress test.

That said, split tunnelling should never become a blanket excuse to reduce security controls. If you need stronger identity assurance, MFA, or conditional access, tune those controls alongside network policy rather than instead of it. A useful mindset comes from our article on translating policy into engineering governance: rules work when they are both explicit and operationally realistic. VPN policy is no different.

Measure the before-and-after impact

Before changing split-tunnel rules, capture baseline metrics for tunnel bandwidth, page-load performance, login time, and complaint volume. After the change, verify that the traffic you intended to bypass the tunnel actually does so, and that the remaining in-tunnel flows are faster or at least more stable. It is common to see a big improvement in average user experience without a major change in raw tunnel throughput because the system is now carrying a better mix of traffic. In other words, a smarter traffic profile can outperform a larger pipe.

Where possible, roll out split-tunnel changes to a pilot group first. That lets you spot application dependencies that were hidden by the previous full-tunnel design. If you need to prepare stakeholders for policy changes, our guide on communicating changes to longtime traditions offers a surprisingly relevant lesson: users accept change more readily when you explain the reason, the trade-off, and the support path.
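One way to verify that traffic follows the intended split after a change. This is an added example, not part of the original article or any AnyConnect tooling. It assumes an include-style policy (only listed prefixes enter the tunnel) and a flow sample exported from a pilot client. The prefixes, addresses and field layout are constructed for illustration.

```python
"""Audit observed flows against an include-style split-tunnel policy."""
import ipaddress

# Assumed policy: only these prefixes should be routed into the tunnel.
TUNNEL_PREFIXES = ["10.20.0.0/16", "172.16.40.0/24"]

# Constructed sample: (destination IP, bytes transferred, observed path).
SAMPLE_FLOWS = [
    ("10.20.5.10", 48_000_000, "tunnel"),      # internal file share
    ("172.16.40.7", 1_200_000, "tunnel"),      # admin console
    ("10.20.9.53", 90_000, "direct"),          # internal DNS seen outside the tunnel
    ("198.51.100.25", 310_000_000, "tunnel"),  # package download still tunnelled
    ("203.0.113.80", 75_000_000, "direct"),    # SaaS going direct as intended
    ("192.0.2.44", 12_000_000, "direct"),      # public browsing
]


def expected_path(dst, tunnel_nets):
    """Return 'tunnel' if dst falls inside any policy prefix, else 'direct'."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in tunnel_nets) else "direct"


def audit_flows(flows, prefixes):
    """Compare each observed path with the policy and summarise mismatches.

    internal_outside_tunnel: protected destinations that bypassed the tunnel
                             (a visibility and policy gap).
    public_inside_tunnel:    traffic that should go direct but still loads
                             the headend (a performance cost).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    internal_outside, public_inside = [], []
    tunnel_bytes = avoidable_bytes = 0
    for dst, nbytes, observed in flows:
        wanted = expected_path(dst, nets)
        if observed == "tunnel":
            tunnel_bytes += nbytes
            if wanted == "direct":
                public_inside.append(dst)
                avoidable_bytes += nbytes
        elif wanted == "tunnel":
            internal_outside.append(dst)
    share = avoidable_bytes / tunnel_bytes if tunnel_bytes else 0.0
    return {
        "internal_outside_tunnel": internal_outside,
        "public_inside_tunnel": public_inside,
        "tunnel_bytes": tunnel_bytes,
        "avoidable_tunnel_bytes": avoidable_bytes,
        "avoidable_share": share,
    }


if __name__ == "__main__":
    for key, value in audit_flows(SAMPLE_FLOWS, TUNNEL_PREFIXES).items():
        print(f"{key}: {value}")
```

Run the same audit on the baseline capture and on the post-change capture: a falling `avoidable_share` with an empty `internal_outside_tunnel` list is the result the pilot should show.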

5. Tune DNS, authentication, and connection establishment

Fast tunnels can still feel slow if login is sluggish

Sometimes the VPN path itself is fine, but users perceive slowness because tunnel setup takes too long. This can be caused by slow certificate checks, overloaded authentication services, DNS delays, or MFA prompts that are not optimised for the user journey. A login delay of just a few seconds can feel like a major outage when it happens every day. For distributed teams, especially those logging in during tight morning windows, that frustration can become a productivity sink.

Review the full connection chain: device posture checks, certificate validation, identity provider response time, MFA push delivery, tunnel negotiation, and DNS resolution after connect. If one piece is slower than the others, the whole experience suffers. This is why many teams benefit from consolidating identity systems, reducing unnecessary conditional-access branching, and ensuring DNS servers reachable over the tunnel are responsive. If you are planning a broader rollout, our VPN deployment guide provides a helpful framework for sequencing these dependencies.

DNS design can make or break remote access

DNS is one of the most underestimated performance factors in remote access. Users often blame the VPN when the real issue is that internal hostnames resolve slowly, or that the client is trying to query DNS servers with high latency or poor reachability. If internal apps rely on split DNS, verify that the correct suffixes are being handed out and that search order is not causing duplicate lookups. Misconfigured DNS can make a healthy tunnel feel broken.

In practice, you should test DNS resolution time from both connected and disconnected states, and compare internal versus external name resolution. Ensure that only truly internal names are sent to corporate DNS and that public names are resolved efficiently. If your environment includes legacy internal domains, stale records, or multiple subnets, document the lookup path carefully. These are the kinds of details that often separate a “works for me” setup from a supportable enterprise deployment.

MFA and conditional access should be streamlined, not weakened

You should not reduce authentication security just to shave off one or two seconds. Instead, optimise the user journey by choosing MFA methods that are fast and dependable, ensuring tokens and push systems are healthy, and avoiding redundant prompts where policy allows. For privileged users, consider whether session duration, device trust, and step-up authentication can be tuned without sacrificing control. Good security design removes friction where it is unnecessary and preserves it where risk is higher.

If your organisation is evaluating service providers that bundle authentication, policy, and connectivity, compare them on usability as well as control coverage. Our article on managed VPN services in the UK helps frame that procurement discussion. Meanwhile, if you need to understand how network policy aligns with larger business governance, the perspective in navigating economic trends is a useful reminder that operational efficiency is a strategic asset.

6. Monitor the right metrics so tuning becomes repeatable

Focus on user-experience metrics, not just device health

Admin dashboards often overemphasise uptime and CPU utilisation while underreporting the metrics that users actually feel. For VPN performance tuning, the most useful measurements are tunnel establishment time, reconnect success rate, average and p95 throughput, packet loss, retransmissions, latency to key internal services, and DNS response time. If you can, segment these metrics by geography, device type, ISP, and authentication method. The same VPN can behave very differently in London, Glasgow, and a rural home-office connection in Wales.

It also helps to track user-impact indicators such as helpdesk tickets, average resolution time, and the number of repeat incidents per endpoint. A performance project is only successful if it reduces friction at scale. If your users complain less, reconnect less often, and transfer files more reliably, you are moving in the right direction. The aim is not a perfect lab result; it is a materially better working day for distributed staff.

Build a simple tuning dashboard

A practical dashboard should show baseline trends and alert on anomalies, not just collect logs for later. Include a weekly view of tunnel login duration, active sessions, bandwidth peaks, packet loss, and top error codes. Add breakdowns by user group so you can see, for example, whether contractors suffer more than staff or whether one ISP consistently underperforms. If you have multiple concentrators or gateways, compare them directly to detect uneven load balancing.

One useful approach is to correlate VPN metrics with application metrics. If internal app latency rises only when tunnel retransmissions rise, the network is the likely culprit. If application latency rises while tunnel metrics remain stable, the issue may be upstream in the app tier or the DNS layer. This kind of correlation-based troubleshooting is far more effective than reading isolated alarms in separate consoles. For teams building a more data-led operating model, the methods in spot strengths and gaps provide a nice analogy: you want a full picture, not one noisy dimension.

Use controlled experiments for every change

Whenever possible, change one variable at a time. For example, adjust MTU first, validate, then split tunnelling, then DNS, then authentication optimisations. If you change multiple items at once and performance improves, you will not know which fix delivered the benefit. If performance gets worse, you will have made diagnosis much harder than it needs to be. Controlled experimentation is slower at first, but it makes the whole tuning process more reliable.

This mindset is especially useful when your remote-access stack intersects with broader infrastructure or cloud design decisions. If you are evaluating platform-level changes, our guide to architecting infrastructure patterns shows why disciplined architecture matters before growth creates complexity. For VPNs, the same rule applies: design for observability first, then scale.

7. Troubleshoot by user symptom, not by vendor feature

Slow browsing versus slow file transfer versus failed login

VPN problems rarely present uniformly. A user may be able to browse internal sites but not transfer files, or may connect successfully but struggle with one specific legacy application. Another common pattern is that the tunnel connects but the first minute is slow because DNS, policy sync, or route updates are delayed. Mapping the symptom to the likely layer is the fastest path to resolution.

Slow browsing usually points to routing or DNS. Slow file transfer often points to MTU, retransmissions, or insufficient bandwidth headroom. Failed login or repeated disconnects often point to authentication, client health, or endpoint security conflicts. If you document these patterns in your service desk knowledge base, you’ll reduce resolution time and make the team less dependent on tribal knowledge. That is particularly valuable in hybrid environments where staff rotate, contractors join temporarily, and device baselines differ.

Common endpoint conflicts that look like VPN issues

Endpoint security tools, firewalls, battery-saving modes, and NIC power management can all mimic network failure. A user may believe the VPN has dropped, when in reality the device suspended the adapter or a security agent delayed packet flow. This is why client troubleshooting needs to include endpoint state, OS version, and third-party software checks. The best VPN teams do not stop at the tunnel; they inspect the endpoint context as well.

When establishing support procedures, think in terms of repeatable playbooks rather than one-off fixes. If you regularly handle upgrades, client rollbacks, and compatibility problems, your team may benefit from operational patterns similar to those outlined in our VPN client troubleshooting guide. If the issue is broader and affects multiple sites or internal segments, you may need to inspect the surrounding topology using principles from site-to-site VPN setup planning as well. Remote access does not exist in isolation; it sits inside a larger network fabric.

Escalation criteria that save time

Create clear thresholds for escalation. For example, escalate if tunnel establishment exceeds a defined time for more than X percent of users, if packet loss exceeds a chosen threshold across a pilot group, or if one region consistently underperforms compared with others. Explicit thresholds stop support teams from debating whether a problem is “real enough” to investigate. They also help you prioritise changes based on business impact rather than noise.

A mature escalation model is part technical and part organisational. The same logic that helps teams adapt to change in other domains, such as turning expert panels into local revenue, applies here: the process works when it is structured, repeatable, and measurable. VPN support should be equally disciplined.
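The three escalation criteria described above, and the per-region breakdown from the monitoring section, applied to session records. This is an added example, not code from the original article. The CSV layout, the sample rows and every threshold value are constructed assumptions to replace with your own.

```python
"""Evaluate escalation thresholds per region from VPN session records."""
import csv
import io
import math
from collections import defaultdict
from statistics import fmean, median

# Constructed sample export: one row per user session in a pilot window.
SAMPLE_CSV = """user,region,establish_s,loss_pct
u01,London,3.1,0.1
u02,London,2.8,0.0
u03,London,3.4,0.2
u04,London,2.9,0.1
u05,London,3.0,0.1
u06,Glasgow,3.5,0.3
u07,Glasgow,9.2,0.4
u08,Glasgow,8.7,0.2
u09,Glasgow,3.3,0.3
u10,Glasgow,10.1,0.3
u11,Wales,4.0,2.5
u12,Wales,4.2,3.1
u13,Wales,3.9,2.8
u14,Wales,4.4,1.9
u15,Wales,4.1,3.2
"""


def load_sessions(text):
    """Parse the CSV into (region, establish_s, loss_pct) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["region"], float(r["establish_s"]), float(r["loss_pct"])) for r in rows]


def p95(values):
    """95th percentile by the nearest-rank method."""
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def evaluate(sessions, max_establish_s=8.0, max_slow_share=0.20,
             max_loss_pct=1.0, outlier_ratio=1.5):
    """Return per-region metrics and the reasons, if any, to escalate.

    slow-establishment: more than max_slow_share of sessions exceeded max_establish_s
    packet-loss:        mean loss across the region exceeded max_loss_pct
    regional-outlier:   region median establishment time exceeded
                        outlier_ratio times the median over all sessions
    """
    by_region = defaultdict(list)
    for region, establish, loss in sessions:
        by_region[region].append((establish, loss))
    overall_median = median(e for _, e, _ in sessions)

    report = {}
    for region, rows in by_region.items():
        times = [e for e, _ in rows]
        mean_loss = fmean(l for _, l in rows)
        slow_share = sum(t > max_establish_s for t in times) / len(times)
        reasons = []
        if slow_share > max_slow_share:
            reasons.append("slow-establishment")
        if mean_loss > max_loss_pct:
            reasons.append("packet-loss")
        if median(times) > outlier_ratio * overall_median:
            reasons.append("regional-outlier")
        report[region] = {"sessions": len(rows), "p95_establish_s": p95(times),
                          "slow_share": slow_share, "mean_loss_pct": mean_loss,
                          "reasons": reasons}
    return report


if __name__ == "__main__":
    for region, stats in evaluate(load_sessions(SAMPLE_CSV)).items():
        status = ", ".join(stats["reasons"]) or "within thresholds"
        print(f"{region}: p95={stats['p95_establish_s']}s "
              f"slow={stats['slow_share']:.0%} loss={stats['mean_loss_pct']:.1f}% -> {status}")
```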

8. A practical AnyConnect tuning checklist for UK teams

Baseline before you change anything

Before applying new settings, document current tunnel performance, authentication timing, key applications, and user complaints. Capture representative samples from multiple locations and connection types, including home fibre, hotel Wi-Fi, and mobile tethering. If possible, collect a business-hours baseline and a Monday-morning peak baseline, because those often reveal different bottlenecks. Baseline data turns opinions into engineering evidence.

Once the baseline is in place, group changes into small, controlled batches. For example, first address MTU and fragmentation, then review split tunnelling, then evaluate DNS and authentication, and finally optimise monitoring and alerting. Keep a change log that records the exact setting, timestamp, pilot group, and observed effect. This is the simplest way to avoid repeating mistakes later.

For most UK AnyConnect environments, the order matters. First, ensure the tunnel is stable by resolving fragmentation and MTU problems. Second, improve traffic mix with sensible split-tunnelling rules. Third, remove login and DNS friction that affects perceived speed. Fourth, validate capacity and concurrency against actual usage. Fifth, create dashboards that keep the system tuned after the initial project is complete.

Teams that skip straight to “add more bandwidth” often spend money without fixing the root cause. Conversely, teams that only adjust the client may miss deeper path issues in the gateway, DNS, or identity layer. The right sequence is the one that resolves the widest class of issues with the least operational risk. If you need a broader procurement lens, our VPN deployment guide and our business VPN UK guidance can help you compare options more confidently.

A table of common problems and tuning actions

| Symptom | Likely Cause | Recommended Action | Validation Metric |
|---|---|---|---|
| Web pages load slowly only when connected | Unnecessary full tunnelling | Implement selective split tunnelling for SaaS and public traffic | Page-load time, tunnel bandwidth reduction |
| Large uploads stall or fail | MTU/fragmentation mismatch | Lower tunnel MTU, clamp MSS, retest path MTU | Successful upload completion, retransmission rate |
| Login takes too long | Identity, MFA, DNS, or policy delays | Measure each stage, remove duplicate lookups, streamline auth prompts | Tunnel establishment time |
| One office is fine, remote users complain | ISP diversity or client-path variation | Test multiple last-mile networks and endpoint types | Latency and packet loss by region/ISP |
| VPN feels slow but bandwidth is unused | Latency-heavy apps or poor routing | Move chatty SaaS off tunnel, review route design | App response time, RTT to internal services |

9. When to consider managed support or architectural change

Signs that tuning alone is not enough

Sometimes performance issues are symptoms of a larger design mismatch. If your team has outgrown a single concentrator, if internal apps are increasingly SaaS-based, or if you need stronger segmentation between staff, contractors, and third parties, a pure tuning exercise may only buy time. That does not mean the work was wasted; it means you’ve identified the point at which architectural change becomes the next lever. Good tuning clarifies when to stop tuning and start redesigning.

If you find yourself juggling too many exceptions, custom routes, or one-off endpoint fixes, consider whether the operating model is too complex for an in-house team to manage comfortably. In that case, a hybrid approach using managed VPN services in the UK may reduce administrative burden while improving consistency. The best managed service is one that gives you visibility and control, not one that hides the important details.

How to evaluate a managed service without losing control

Look for providers that can show you capacity planning, change control, monitoring dashboards, and support for device diversity. Ask how they handle MTU issues, split-tunnel policy changes, and regional performance variations. Confirm whether they can demonstrate the difference between transport-layer problems, authentication delays, and application-routing issues. A provider that can only say “we rebooted the gateway” is not enough for a serious UK business environment.

From a procurement perspective, compare the service on speed, observability, policy flexibility, and exit strategy. A strong service should reduce operational overhead while keeping your team informed. If you are still deciding whether to build, buy, or outsource parts of the stack, our broader analysis on build vs buy thinking translates well to remote-access decisions, even though the domain differs. The procurement logic is the same: choose the option that aligns with your actual operating capacity.

Why architectural flexibility matters in the UK market

UK organisations often need to balance compliance, data residency concerns, mixed device estates, and budget constraints. That makes flexibility valuable, because your remote-access design may evolve as your workforce, cloud footprint, and security requirements change. A rigid architecture can become expensive to maintain if it cannot adapt to new authentication methods, new collaboration tools, or new segmentation needs. The result is not only higher cost but also lower user satisfaction and more support overhead.

Think of your VPN platform as part of a broader secure access architecture rather than a standalone product. If you later expand into ZTNA, private access, or segmented site interconnectivity, the lessons from this tuning project will still help. And if you need to understand the adjacent network design space, our guide to site-to-site VPN setup can help you distinguish between branch connectivity and user remote access. Those are related, but not interchangeable, problems.

10. Conclusion: make performance predictable, not just faster

The most successful VPN performance projects do not chase maximum speed in isolation. They reduce variability, remove avoidable bottlenecks, and make the user experience predictable across different devices, locations, and workload types. For UK distributed teams, that usually means measuring the real baseline, fixing MTU and fragmentation first, using split tunnelling intentionally, and tracking the metrics that map to end-user pain. Once those foundations are in place, AnyConnect becomes much easier to support and scale.

If you are designing or improving remote access now, treat this as part of a broader operational discipline. Good performance tuning supports productivity, security, and user trust at the same time. For adjacent guidance, revisit our practical resources on VPN client troubleshooting, SSL VPN configuration, and VPN deployment. Used together, they give you a fuller view of what it takes to deliver secure remote access that feels fast, stable, and manageable.

FAQ: VPN performance tuning and AnyConnect

1) What is the fastest way to improve AnyConnect performance?

In most environments, the quickest win is fixing MTU and fragmentation problems, followed by sensible split tunnelling. Those two changes often eliminate the most obvious causes of slowness without requiring a major redesign.

2) Should I tunnel all traffic for better security?

Not necessarily. Full tunnelling can improve central visibility, but it often adds latency and load for SaaS and public internet traffic. A policy-based split tunnel is usually the better balance for UK distributed teams.

3) Why does VPN work for browsing but fail on file uploads?

That pattern often points to MTU or fragmentation issues. Small packets may succeed while larger payloads get dropped or repeatedly retransmitted, causing uploads to stall.

4) How do I know if bandwidth or latency is the real problem?

Latency-sensitive applications feel slow even on high-bandwidth links. Test response times, packet loss, and retransmissions, not just Mbps. Throughput is only one part of the user experience.

5) When should I consider a managed VPN service?

Consider managed support when your team lacks time for detailed tuning, when performance issues are recurring across regions, or when you need stronger monitoring and operational discipline than you can easily maintain in-house.
