ASA 5510 - strange three way handshakes

Unanswered Question
Jun 18th, 2008
User Badges:

Hi all. We have the following situation happening on the DMZ of our ASA 5510. We first caught the problem when one of the users notified us that transfer of files from a server in the DMZ starts OK but slows down to a crawl. We have tested the claim and have found the same thing happening. Sometimes the transfer goes OK, sometimes it goes to a crawl (beneath 40k) and sometimes it slows down a bit but finishes in time. This mostly happens with large files.

We have further viewed the tcp dump from both sides (from the server side on the DMZ and from a host just before the ASA). Sometimes we see on the server side ACKs that come in triplicates, and the server side seems to send packets in a random order. The problem only happens on the server side, as the tcp dump from the host side seems OK.

We believe the problem is ASA related but we don't know what could be causing it. Any ideas?

a.alekseev Wed, 06/18/2008 - 05:01
User Badges:
  • Gold, 750 points or more

try to setup "speed" "duplex" manually...

Farrukh Haroon Wed, 06/18/2008 - 10:40
User Badges:
  • Red, 2250 points or more

Can you please post the output of the following


show asp drop

show interface (after sanitizing the IPs)


Regards


Farrukh

Farrukh Haroon Thu, 06/19/2008 - 00:49
User Badges:
  • Red, 2250 points or more

I'm afraid you will have to do the following before capturing these commands:


clear asp drop
clear interface

Then initiate this slow transfer; once you finish, issue the show commands previously mentioned.


Regards


Farrukh


IgorHamzic Thu, 06/19/2008 - 02:07
User Badges:

OK. I entered the clear commands and have issued show asp drop and show interface over a period of time as you can see in the attachments.




Farrukh Haroon Thu, 06/19/2008 - 03:26
User Badges:
  • Red, 2250 points or more

You certainly have a lot of TCP-related errors for sure. This does not seem to be normal for such a short interval (after the clear asp drop). Duplex issue seems to be OK as there are no real errors (except a few overruns on the inside interface). You could try to make a tcp-map matching on your application flow and try to allow the following:


access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host

class-map slowbw-classmap
match access-list tcpmaplist

tcp-map netpro-map
exceed-mss allow
invalid-ack allow
queue-limit 250 timeout 20
window-variation allow

policy-map global_policy
class slowbw-classmap
set connection advanced-options netpro-map


Regards


Farrukh

nomair_83 Thu, 06/19/2008 - 03:30
User Badges:
  • Bronze, 100 points or more

Can you enable logging and check the TCP session? You should see "torn down" immediately; else you should allow the MSS option in the ASA.


Farrukh bhai, what's your opinion about this?


Farrukh Haroon Thu, 06/19/2008 - 03:42
User Badges:
  • Red, 2250 points or more

A better option would be to use:


capture capture_name type asp-drop all


And then see if this concerned traffic is included in the capture file.


Regards


Farrukh


IgorHamzic Thu, 06/19/2008 - 03:53
User Badges:

I'll try the capture suggestion and I'll see what I get. I'll keep you posted.

IgorHamzic Fri, 06/20/2008 - 06:53
User Badges:

I did a capture as suggested. I get the following messages when I enter the show capture command.


547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46


X.X.X.X being the server in the DMZ and Y.Y.Y.Y being the host on the inside. Any thoughts?
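The out-of-order segments and triplicate ACKs mentioned earlier in the thread are easy to miss when reading `show capture` output by hand. The script below is an added example, not from the original thread or from Cisco: it parses the ASA capture line format shown above and flags, per flow, sequence gaps, data arriving earlier than expected (out-of-order or retransmitted) and triple duplicate ACKs. Frames 547-551 are the thread's own lines; frames 552-556 are constructed to exercise each check.

```python
import re
from collections import defaultdict
# Matches an ASA "show capture" TCP line; the seq:end(len) part is absent on pure ACKs.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+[\d:.]+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+\S+\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+)?ack\s+(?P<ack>\d+)\s+win\s+\d+")
# Frames 547-551 are the thread's own lines; 552-556 are constructed to add a gap,
# a triple duplicate ACK and the late (out-of-order) arrival of the missing segment.
SAMPLE = """\
547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46
552: 16:17:12.634790 x.x.x.x.80 > y.y.y.y.35167: . 1399308871:1399310239(1368) ack 332783732 win 46
553: 16:17:12.640001 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 16384
554: 16:17:12.640002 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 16384
555: 16:17:12.640003 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 16384
556: 16:17:12.641000 x.x.x.x.80 > y.y.y.y.35167: . 1399307503:1399308871(1368) ack 332783732 win 46
"""

def parse_capture(text):
    """Return one dict per parsable line; unrelated lines are skipped."""
    segs = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        d = {k: (int(v) if v and v.isdigit() else v) for k, v in m.groupdict().items()}
        d["len"] = d["len"] or 0           # a pure ACK carries no data
        segs.append(d)
    return segs

def analyse(segs):
    """Flag sequence gaps, earlier-than-expected data and triple duplicate ACKs per flow."""
    findings, expected, dup = [], {}, defaultdict(lambda: (None, 0))
    for s in segs:
        flow = (s["src"], s["dst"])
        if s["len"]:                       # data segment: compare with next expected seq
            nxt = expected.get(flow)
            if nxt is not None and s["seq"] > nxt:
                findings.append((s["num"], "gap of %d bytes" % (s["seq"] - nxt)))
            elif nxt is not None and s["seq"] < nxt:
                findings.append((s["num"], "out-of-order or retransmitted segment"))
            expected[flow] = max(nxt or 0, s["end"])
        else:                              # pure ACK: count repeats of the same ack number
            prev, n = dup[flow]
            n = n + 1 if prev == s["ack"] else 1
            dup[flow] = (s["ack"], n)
            if n == 3:
                findings.append((s["num"], "triple duplicate ACK for %d" % s["ack"]))
    return findings
```

Paste the full `show capture` output into `SAMPLE` (or read it from a file) and compare the flagged frame numbers against the `show asp drop` counters taken over the same interval.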

Farrukh Haroon Fri, 06/20/2008 - 07:07
User Badges:
  • Red, 2250 points or more

Did you try the following?:



access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host

class-map slowbw-classmap
match access-list tcpmaplist

tcp-map netpro-map
exceed-mss allow
invalid-ack allow
queue-limit 250 timeout 20
window-variation allow

policy-map global_policy
class slowbw-classmap
set connection advanced-options netpro-map


Regards


Farrukh


IgorHamzic Mon, 06/23/2008 - 00:08
User Badges:

Hi. Sorry for the late reply, but I had an emergency to resolve since I last wrote. I also have some new information. Our server admin told us that the problem might be in sliding windows when traffic goes over the ASA. He put a static window size of 2 on the server and he achieved respectable speeds.

I will try the solution you suggested as I think the window-variation allow part will help a lot.

One question though, as I'm a bit new with policies on the ASA. Will this solution affect any other part of the global policy? I have some other things configured in the global policy and wouldn't want to nullify them, so I want to be sure.

Farrukh Haroon Mon, 06/23/2008 - 00:57
User Badges:
  • Red, 2250 points or more

No, it will not, because you will be using an ACL to restrict these actions to these hosts only.


Regards


Farrukh

IgorHamzic Mon, 06/23/2008 - 02:09
User Badges:

I was asking because later, if the problem is solved, I will have to modify the access list to apply the changes to other ranges, VPN clients and so on.

IgorHamzic Mon, 06/23/2008 - 02:50
User Badges:

Just tested the configuration with our server admin and we haven't seen an improvement. The transfer seems a bit more dynamic (we see a good transfer speed, then it drops to some silly values, then rises and so on) but there are still a lot of speed drops with speeds beneath 10kbits.

Also, I didn't see the option under tcp-map for invalid-ack allow, and the ASA won't accept the command.

IgorHamzic Mon, 06/23/2008 - 03:52
User Badges:

I have version 8.0(3) on my ASA and I don't see it in the command reference for the 8.0 version on the Cisco site.
