ASA throughput - slow internet traffic

Nov 13th, 2007

We have an ASA 5510, and when we do an ISP test from the inside interface with a laptop directly behind the ASA we get poor internet traffic downloads, but if we disconnect the ASA and connect the laptop directly into the internet pipe and repeat the test we get a much better download. In fact, 440k behind the firewall and 4meg in front of the ASA.

The interfaces are set up for 100 full duplex and no CRC issues or dropped packets etc.

Any ideas?

irisrios Mon, 11/19/2007 - 07:41

Check for any service-policy configuration. This might delay the throughput since all the packets are inspected before being allowed to pass through.

kcaporaso Fri, 11/30/2007 - 05:49

I did, and I removed the service-policy global_policy global and my downstream went back to the 12Mbps I'm used to. Now, what did I just do for my security?? Am I opened up for attacks? How can it be corrected properly? I'm in a TAC with Cisco on this matter now... Will keep you all posted.

kcaporaso Thu, 11/29/2007 - 10:14

No ideas, but I'm having the exact same problem with an ASA 5505. I was reading some other posts about forcing the duplex, etc. rather than setting it to auto. Haven't played with that yet. I may mess with it to see if it helps.

CHRISTOPHER KANE Thu, 11/29/2007 - 15:10

Have you tried looking at MTU settings? It doesn't sound like you've added any VPNs yet, but if you have, you need to consider the reduction in available packet sizes if IPSec is being used. The standard 1500 byte size can no longer fit into the pipe because of the IPSec overhead. Additionally more so if you are using GRE in addition to IPSec. There should be ICMP Destination Unreachable, Fragmentation Needed but DF-bit set messages generated if the problem is MTU related. Oftentimes, firewalls are configured to drop all ICMP and the MTU size issue never makes it back to the originating host/server. It's a shame that so many people feel that all ICMP is 'evil'. These specific messages (Type 3, Code 4) are pretty cool because they actually include what the host/server should set its MTU to for all packets to that particular destination.

If you are not running IPSec, MTU could still be an issue. If you are running in the clear, I'd place a sniffer on the outside interface of the ASA and see what kind of packet sizes you are generating as you egress the ASA as compared to when you are not using the ASA.