Slow TCP response with ASA5505

Unanswered Question
Oct 25th, 2007

Hi everyone,

I've got an issue with a client of mine running 7.2(2) on an ASA5505. They use a business application called ESignal for some stock exchange analysis or whatever. The application doesn't work well after I installed and configured the ASA there. They experience unusually slow response (from 1 second before the ASA was used to 4-5 after that) and it seems that's a problem for them. Anyway, I did some research on the application and it seems it's using TCP (there's another one running on UDP... first I thought that UDP may be the problem here but it looks like it wasn't the right application... anyway) and a couple of ports have to be opened in the outside direction:

http://kb.esignalcentral.com/al/12/4/article.asp?aid=1327&c=12&cp=1&cpc=40O2r6eeyG0Jfuy2sd5gAr4LG2c3

I haven't filtered anything and as I'm using NAT from a lower to higher security interface this should not be a problem (anyway ESignal have a diagnostic tool which I asked my customer to run tonight and see if any issues like closed ports arise). Besides that they have about 10-15 PCs running this application and as far as I remember it opens lots of small windows that constantly refresh their information, which means LOTS of simultaneous TCP sessions in my opinion. I'm sending you the configuration of the ASA (I've replaced sensitive output with xxx), please take a look if you find something wrong here. I've turned off the inspection engine, removed all the ACLs (same story with ACLs in all directions permitting everything), increased the timeouts (the conn timeout should be used for TCP, right?), anything that came to my mind and still no result. I'm not really willing to do reverse engineering of the application as I still got no response from the ESignal support team so I'm trying to find out what the problem is from here. Will appreciate any help!

jaravinthan Thu, 10/25/2007 - 22:39

Hi,

Since you are running the application from the inside interface, which by default has a higher security level, you don't have to open any specific ports unless you have an ACL applied to it.

If you want to monitor any packet drops, enable syslog debugging level for ASDM and check through it.

Have you checked the memory utilization and the number of connections/sec the device handles?

thegrave2000 Fri, 10/26/2007 - 07:32

Hi,

Do you mean enabling "debug asdm history 255" or what? How would it help?

My personal experience with ASA shows that besides vpn-specific debug like debug crypto bla-bla the only useful debug command is debug generic 255. I have it enabled - nothing suspicious. Only messages like this:

Oct 26 2007 18:19:48: %ASA-6-305012: Teardown dynamic TCP translation from inside:xxx/2291 to outside:yyy/11560 duration 0:02:30

The system log guide says:

Explanation The address translation slot was deleted.

So that's not the problem definitely.

Memory and CPU utilization are fine, simultaneous connections are no more than 2 or 3 per second so it's not that. A useful command I just saw gives the following output though:

show asp drop

Frame drop:
  Invalid encapsulation                       15646
  No route to host                                2
  Reverse-path verify failed                      1
  Flow is denied by configured rule            9772
  First TCP packet not SYN                       50
  TCP data exceeded MSS                          27
  TCP failed 3 way handshake                     16
  TCP packet SEQ past window                     24
  TCP DUP and has been ACKed                  15382
  Slowpath security checks failed               552
  FP L2 rule drop                              1817
  Interface is down                               3
  Non-IP packet received in routed mode           1

The "Invalid encapsulation" and "TCP DUP and has been ACKed" fields are constantly increasing. Any idea about the possible reasons for that? The first one I have a pretty good feeling where it comes from but the second one bothers me pretty much.
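
Added example, not part of the original thread: one way to confirm which `show asp drop` counters are actually climbing is to capture the output twice and diff it. The function names, the second snapshot's values and the 60-second interval are assumptions made for illustration; the first snapshot uses counters quoted in the post above.

```python
import re

# Counter lines read "<reason text> <count>"; section headers end in ":".
COUNTER_RE = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {section: {reason: count}} parsed from 'show asp drop' text."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):
            current = sections.setdefault(stripped[:-1], {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = int(m.group("count"))
    return sections

def rising_counters(before, after, interval_s):
    """Return (reason, delta, drops_per_second) for counters that grew, largest first."""
    rows = []
    for section, counters in after.items():
        for name, count in counters.items():
            delta = count - before.get(section, {}).get(name, 0)
            if delta > 0:  # a negative delta means the counters were cleared in between
                rows.append((name, delta, delta / interval_s))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# First snapshot: counters quoted in the post. Second: constructed sample values.
SNAPSHOT_1 = """Frame drop:
  Invalid encapsulation 15646
  Flow is denied by configured rule 9772
  TCP failed 3 way handshake 16
  TCP DUP and has been ACKed 15382
  FP L2 rule drop 1817
"""
SNAPSHOT_2 = """Frame drop:
  Invalid encapsulation 15946
  Flow is denied by configured rule 9772
  TCP failed 3 way handshake 16
  TCP DUP and has been ACKed 15502
  FP L2 rule drop 1817
"""

if __name__ == "__main__":
    a, b = parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)
    for name, delta, rate in rising_counters(a, b, interval_s=60):
        print(f"{name:<40} +{delta:<6} {rate:.1f}/s")
```

Counters that stay flat between snapshots drop out of the list, which separates historical drops from the ones still occurring while the application is slow.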
