ASA 5510 - strange three way handshakes

Unanswered Question
Jun 18th, 2008

Hi all. We have the following situation happening on the DMZ of our ASA 5510. We first caught the problem when one of the users notified us that transfer of files from a server in the DMZ starts OK but slows down to a crawl. We have tested the claim and have found the same thing happening. Sometimes the transfer goes OK, sometimes it goes to a crawl (beneath 40k) and sometimes it slows down a bit but finishes in time. This mostly happens with large files.

We have further viewed the tcp dump from both sides (from the server side on the DMZ and from a host just before the ASA). Sometimes we see on the server side ACKs that come in triplicates, and the server side seems to send packets in a random order. The problem only happens on the server side, as the tcp dump from the host side seems OK.

We believe the problem is ASA related but we don't know what could be causing it. Any ideas?

Farrukh Haroon Wed, 06/18/2008 - 10:40

Can you please post the output of the following:

show asp drop

show interface (after sanitizing the IPs)

Regards

Farrukh

Farrukh Haroon Thu, 06/19/2008 - 00:49

I'm afraid you will have to do the following before capturing these commands:

clear asp drop

clear interface

then initiate this slow transfer, once you finish issue the show commands previously mentioned.

Regards

Farrukh

Farrukh Haroon Thu, 06/19/2008 - 03:26

You certainly have a lot of TCP-related errors for sure. This does not seem to be normal for such a short interval (after the clear asp drop). Duplex issue seems to be OK as there are no real errors (except a few overruns on the inside interface). You could try to make a tcp-map matching on your application flow and try to allow the following:

access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host

class-map slowbw-classmap
match access-list tcpmaplist

tcp-map netpro-map
exceed-mss allow
invalid-ack allow
queue-limit 250 timeout 20
window-variation allow

policy-map global_policy
class slowbw-classmap
set connection advanced-options netpro-map

Regards

Farrukh

nomair_83 Thu, 06/19/2008 - 03:30

Can you enable logging and check the TCP session? You should see "torn down" immediately; otherwise you should allow the MSS option in the ASA.

Farrukh bhai, what's your opinion about this?

Farrukh Haroon Thu, 06/19/2008 - 03:42

A better option would be to use:

capture capture_name type asp-drop all

And then see if this concerned traffic is included in the capture file.

Regards

Farrukh

IgorHamzic Thu, 06/19/2008 - 03:53

I'll try the capture suggestion and I'll see what I get. I'll keep you posted.

IgorHamzic Fri, 06/20/2008 - 06:53

I did a capture as suggested. I get the following messages when I enter the show capture command.

547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46

548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46

549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46

550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46

551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46

x.x.x.x being the server in the DMZ and y.y.y.y being the host on the inside. Any thoughts?
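As an added illustration that is not part of the thread: a small Python script that parses show capture lines like the ones above and flags the symptoms the thread describes (sequence gaps, out-of-order or retransmitted segments, and segments larger than the MSS). The sample contains the five lines quoted above plus two constructed lines, and the MSS of 1368 is an assumption taken from the largest segment seen.

```python
import re
from collections import namedtuple

# Constructed sample: the five lines quoted in the thread plus two constructed
# lines (552, 553) showing a sequence gap followed by a late, out-of-order segment.
SAMPLE_CAPTURE = """\
547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46
552: 16:17:12.634790 x.x.x.x.80 > y.y.y.y.35167: . 1399308871:1399310239(1368) ack 332783732 win 46
553: 16:17:12.634801 x.x.x.x.80 > y.y.y.y.35167: . 1399307503:1399308871(1368) ack 332783732 win 46
"""

# One 'show capture' data line: number, timestamp, src > dst, flags, seq range(len), ack, window.
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+\S+\s+"
    r"(?P<start>\d+):(?P<end>\d+)\((?P<length>\d+)\)\s+ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)

Segment = namedtuple("Segment", "num src dst start end length ack win")

def parse_capture(text):
    """Parse show capture output into Segments; non-matching lines are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            segs.append(Segment(int(m["num"]), m["src"], m["dst"], int(m["start"]),
                                int(m["end"]), int(m["length"]), int(m["ack"]), int(m["win"])))
    return segs

def analyse(segs, mss=1368):
    """Check one direction of a stream; returns (packet number, finding) pairs."""
    findings = []
    expected = None  # sequence number at which the next in-order segment should start
    for s in segs:
        if s.end - s.start != s.length:
            findings.append((s.num, "length mismatch"))
        if s.length > mss:  # assumed MSS; relates to the exceed-mss tcp-map option
            findings.append((s.num, "exceeds MSS"))
        if expected is not None and s.start > expected:
            findings.append((s.num, f"gap of {s.start - expected} bytes"))
        elif expected is not None and s.start < expected:
            findings.append((s.num, "out-of-order or retransmitted"))
        expected = s.end if expected is None else max(expected, s.end)
    return findings
```

Run `analyse(parse_capture(SAMPLE_CAPTURE))` against a capture taken on the DMZ interface and compare with one taken on the inside interface to see on which side of the ASA the reordering first appears.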

Farrukh Haroon Fri, 06/20/2008 - 07:07

Did you try the following?

access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host

class-map slowbw-classmap
match access-list tcpmaplist

tcp-map netpro-map
exceed-mss allow
invalid-ack allow
queue-limit 250 timeout 20
window-variation allow

policy-map global_policy
class slowbw-classmap
set connection advanced-options netpro-map

Regards

Farrukh

IgorHamzic Mon, 06/23/2008 - 00:08

Hi. Sorry for the late reply, but I had an emergency to resolve since I last wrote. I also have some new information. Our server admin told us that the problem might be in sliding windows when traffic goes over the ASA. He put a static window size of 2 on the server and achieved respectable speeds.

I will try the solution you suggested as I think the window-variation allow part will help a lot.

One question though, as I'm a bit new with policies on the ASA. Will this solution affect any other part of the global policy? I have some other things configured in the global policy and wouldn't want to nullify them, so I want to be sure.

Farrukh Haroon Mon, 06/23/2008 - 00:57

No, it will not, because you will be using an ACL to restrict these actions to these hosts only.

Regards

Farrukh

IgorHamzic Mon, 06/23/2008 - 02:09

I was asking because later, if the problem is solved, I will have to modify the access list to apply the changes to other ranges, VPN clients and so on.

IgorHamzic Mon, 06/23/2008 - 02:50

Just tested the configuration with our server admin and we haven't seen an improvement. The transfer seems a bit more dynamic (we see a good transfer speed, then it drops to some silly values, then rises and so on), but there are still a lot of speed drops with speeds beneath 10 kbit/s.

Also, I didn't see the option under tcp-map for invalid-ack allow, and the ASA won't accept the command.

IgorHamzic Mon, 06/23/2008 - 03:52

I have version 8.0(3) on my ASA and I don't see it in the command reference for the 8.0 version on the Cisco site.
