ASA 5510 - strange three way handshakes

IgorHamzic
Level 1

Hi all. We have the following situation happening on the DMZ of our ASA 5510. We first caught the problem when one of the users notified us that transfer of files from a server in the DMZ starts OK but slows down to a crawl. We have tested the claim and have found the same thing happening. Sometimes the transfer goes OK, sometimes it goes to a crawl (beneath 40k) and sometimes it slows down a bit but finishes in time. This mostly happens with large files.

We have further viewed the TCP dump from both sides (from the server side on the DMZ and from a host just before the ASA). Sometimes we see on the server side ACKs that come in triplicates, and the server side seems to send packets in a random order. The problem only happens on the server side, as the TCP dump from the host side seems OK.

We believe the problem is ASA related, but we don't know what could be causing it. Any ideas?

18 Replies

a.alekseev
Level 7

Try to set up "speed" and "duplex" manually...

It's already set up like that.

Can you please post the output of the following:

show asp drop

show interface (after sanitizing the IPs)

Regards

Farrukh

The outputs are in attachments.

I'm afraid you will have to do the following before capturing these commands:

clear asp drop

clear interface

then initiate this slow transfer, once you finish issue the show commands previously mentioned.

Regards

Farrukh

OK. I entered the clear commands and have issued show asp drop and show interface over a period of time as you can see in the attachments.

You certainly have a lot of TCP-related errors for sure. This does not seem to be normal for such a short interval (after the clear asp drop). Duplex issue seems to be OK as there are no real errors (except a few overruns on the inside interface). You could try to make a tcp-map matching on your application flow and try to allow the following:

access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host
class-map slowbw-classmap
 match access-list tcpmaplist
tcp-map netpro-map
 exceed-mss allow
 invalid-ack allow
 queue-limit 250 timeout 20
 window-variation allow
policy-map global_policy
 class slowbw-classmap
  set connection advanced-options netpro-map

Regards

Farrukh

Can you enable logging and check the TCP session? You should see "torn down" immediately; otherwise you should allow the MSS option in the ASA.

Farukh bhai, what's your opinion about this?

A better option would be to use:

capture capture_name type asp-drop all

And then see if this concerned traffic is included in the capture file.

Regards

Farrukh

I'll try the capture suggestion and I'll see what I get. I'll keep you posted.

I did a capture as suggested. I get the following messages when I enter the show capture command.

547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46

X.X.X.X being the server in the DMZ and Y.Y.Y.Y being the host on the inside. Any thoughts?
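The out-of-order segments and triplicate ACKs described in the opening post are the kind of symptom that can be checked mechanically in a capture before any tcp-map is applied. The following Python script is an added example, not code from the thread or from Cisco: it parses lines in the ASA "show capture" format quoted above and reports sequence gaps, out-of-order or retransmitted data segments, and runs of three identical pure ACKs per flow. The embedded sample reuses the five quoted lines and appends constructed lines 551 to 554 (pure ACKs from the inside host and a late segment); the layout of pure-ACK lines is assumed to follow the same tcpdump-style format.

```python
import re
from collections import defaultdict

# One line of ASA "show capture" output as quoted in the thread (tcpdump-style):
#   idx: hh:mm:ss.us src.sport > dst.dport: flags [seq:end(len)] ack N win W
# Assumption: data segments carry "seq:end(len)"; pure ACKs omit that group.
LINE_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\)\s+)?"
    r"ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)

# Constructed sample: lines 547-549 are from the thread; 550-554 are constructed
# (one segment skipped ahead, three identical ACKs, then the missing segment late).
SAMPLE = """\
547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46
551: 16:17:12.634790 y.y.y.y.35167 > x.x.x.x.80: . ack 1399305303 win 64
552: 16:17:12.634801 y.y.y.y.35167 > x.x.x.x.80: . ack 1399305303 win 64
553: 16:17:12.634812 y.y.y.y.35167 > x.x.x.x.80: . ack 1399305303 win 64
554: 16:17:12.634830 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
"""


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "idx": int(d["idx"]),
            "ts": d["ts"],
            # Direction key: (sender, receiver) with ports, so each side is tracked separately.
            "flow": (f'{d["src"]}:{d["sport"]}', f'{d["dst"]}:{d["dport"]}'),
            "seq": int(d["seq"]) if d["seq"] else None,
            "end": int(d["end"]) if d["end"] else None,
            "len": int(d["length"]) if d["length"] else 0,
            "ack": int(d["ack"]),
            "win": int(d["win"]),
        })
    return pkts


def analyse(pkts):
    """Flag sequence gaps, out-of-order data and bursts of 3 identical pure ACKs.

    Sequence numbers are compared as plain integers; 32-bit wrap-around is
    not handled, which is fine for a short capture like this one.
    """
    expected = {}                                   # flow -> next expected seq
    dup_ack = defaultdict(lambda: [None, 0])        # flow -> [last ack, run length]
    findings = {"out_of_order": [], "gaps": [], "dup_ack_bursts": []}
    for p in pkts:
        flow = p["flow"]
        if p["len"] > 0:
            exp = expected.get(flow)
            if exp is not None:
                if p["seq"] < exp:
                    # Data below the expected seq: retransmission or reordered segment.
                    findings["out_of_order"].append(p["idx"])
                elif p["seq"] > exp:
                    # Data above the expected seq: a segment was not seen at this point.
                    findings["gaps"].append((p["idx"], p["seq"] - exp))
            expected[flow] = max(p["end"], exp or 0)
        else:
            # Pure ACK: count consecutive identical ack numbers from this sender.
            last, run = dup_ack[flow]
            run = run + 1 if p["ack"] == last else 1
            dup_ack[flow] = [p["ack"], run]
            if run == 3:
                findings["dup_ack_bursts"].append((p["idx"], p["ack"]))
    return findings


def report(text):
    """Return a human-readable summary of the findings for a capture."""
    f = analyse(parse_capture(text))
    return "\n".join([
        f"gaps (idx, missing bytes): {f['gaps']}",
        f"out-of-order/retransmitted segments: {f['out_of_order']}",
        f"triplicate ACK bursts (idx, ack): {f['dup_ack_bursts']}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against a real "show capture" dump taken on both the DMZ and inside interfaces; if the gaps and late segments appear only on one side, the reordering is happening between the two capture points, which is what the original post describes.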

Did you try the following?:

access-list tcpmaplist permit ip host host
access-list tcpmaplist permit ip host host
class-map slowbw-classmap
 match access-list tcpmaplist
tcp-map netpro-map
 exceed-mss allow
 invalid-ack allow
 queue-limit 250 timeout 20
 window-variation allow
policy-map global_policy
 class slowbw-classmap
  set connection advanced-options netpro-map

Regards

Farrukh

Hi. Sorry for the late reply, but I had an emergency to resolve since I last wrote. I also have some new information. Our server admin told us that the problem might be in sliding windows when traffic goes over the ASA. He put a static window size of 2 on the server and achieved respectable speeds.

I will try the solution you suggested, as I think the window-variation allow part will help a lot.

One question though, as I'm a bit new to policies on the ASA. Will this solution affect any other part of the global policy? I have some other things configured in the global policy and wouldn't want to nullify them, so I want to be sure.

No, it will not, because you will be using an ACL to restrict these actions to these hosts only.

Regards

Farrukh
