Server slow through ASA 5520 -Urgent

Apr 9th, 2008


A new IBM AS/400 server has been installed in my office. The server's internal IP is NATed to a public IP and port 6013 is opened. The server applications are fast over the local LAN, but they are dead slow when accessed over the internet by outside users. For verification I connected the server directly to the internet router and assigned a public IP to it. That time it was very fast for the outside users and ran fine. The problem is that whenever the Cisco ASA 5520 comes into the scenario, the server becomes dead slow for the outside users.

I have even given any any in the access-list, but still the same problem.

Please guide me to solve this issue.



husycisco Thu, 04/10/2008 - 03:25

Hi Somnath,

In your static statement for the server, try adding the "norandomseq" statement at the end.

If it doesn't work, remove the "norandomseq" and check the MTU settings.

Do you have access lists applied outbound on any interface?


somnath21 Thu, 04/10/2008 - 04:47


I have checked with the "norandomseq" statement but it did not work. In my ASA the MTU size is 1500; is it sufficient?

In the ASA only an inbound access-list has been configured and placed on the outside interface.


access-list outside_in extended permit ip any any

access-list outside_in extended permit udp any any

access-list outside_in extended permit tcp any any

access-group outside_in in interface outside

Please help with this issue...



I'm curious if it could be your inspect rules. I would suggest doing a debug while you can verify traffic is going through the ASA. That way you can see what is going on, whether you are getting SYN/ACKs, resets... or whatever.

As far as your MTU size, it's standard, so no issues SHOULD be seen from that.

But, I believe the primary thing you should do is get a look at how the traffic is interacting with the ASA. The ACL you put in place cleared any type of access control. Unless you have another ACL attached to the IN interface in the "out" direction.
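
Added example (not part of any post in this thread): a small audit of ASA-style ACL lines that flags the wide-open `permit ... any any` entries posted above and the entries they shadow, so a temporary troubleshooting ACL is not left in place. The regexes cover only the `extended` form shown in the thread, and the function name `audit` is an assumption of this example.

```python
import re

# Constructed sample: the ACL and access-group lines as posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_in extended permit ip any any
access-list outside_in extended permit udp any any
access-list outside_in extended permit tcp any any
access-group outside_in in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def audit(config):
    """Flag permit-any-any entries and entries that can never match.

    Only the simple case is handled: ACLs are evaluated first-match, so once
    an "ip any any" entry appears, every later entry in that ACL is shadowed.
    """
    aces, bindings, findings = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            bindings[m.group(1)] = (m.group(3), m.group(2))  # (interface, direction)
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            aces.setdefault(name, []).append((action, proto, rest.split(), line))
    for name, entries in aces.items():
        where = bindings.get(name)  # None if the ACL is not applied anywhere
        catch_all_seen = False
        for action, proto, spec, line in entries:
            if catch_all_seen:
                findings.append(("shadowed", name, where, line))
            elif spec == ["any", "any"]:
                if action == "permit":
                    findings.append(("permit-any-any", name, where, line))
                catch_all_seen = proto == "ip"
    return findings


if __name__ == "__main__":
    for kind, name, where, line in audit(SAMPLE_CONFIG):
        print(f"{kind:15} {name} bound={where}: {line}")
```

Once troubleshooting is done, an entry scoped to the published service (port 6013 in this thread) produces no findings.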

