ASA5510 with CSC-SSM-10 http painfully slow

Sep 27th, 2008

Hi everyone,


I've just installed an ASA5510 running 7.1(2) with a CSC-SSM-10 module running 6.2.1599.0.


It all appears to work ok (ftp/smtp run ok), but when I amend my policy-maps to redirect http traffic via the SSM module, web browsing becomes painfully slow, and this is with just myself using the network! If I take http out of my policy-map/access-list, then web browsing is normal speed.


Have any of you come across this at all before?


Any advice appreciated!


Thanks,


-Gordon


Overall Rating: 4 (1 ratings)
suschoud Mon, 09/29/2008 - 05:17

Hi Gordon,



When users initially connect to the Internet through the CSC SSM, the CSC SSM contacts the Trend Micro web server using an HTTP request to determine the URL category for URL filtering and blocking. The CSC SSM scans this HTTP request again, which results in two HTTP connections for one initial request.


This additional scan is unnecessary. HTTP performance improves when you prevent CSC SSM packets from being scanned unnecessarily.


You can significantly improve HTTP performance through the CSC SSM by configuring the adaptive security appliance to skip the scanning of management traffic. To improve HTTP performance, perform the following steps:


1) Determine the management IP:


hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
------------Output Truncated--------------
Mgmt IP addr: 10.132.84.251 <<<<<<------- Management IP of CSC module
------------Output Truncated--------------


2) Exclude traffic from Management IP from being inspected by CSC module


Create class-maps which exclude the management IP of the CSC module from being inspected.


For example:


access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp

class-map CSC-class
 match access-list csc-scan

policy-map CSC-policy
 class CSC-class
  csc fail-open

service-policy CSC-policy global




############



Do rate helpful posts.



Regards,

Sushil
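
An added example, not part of the original posts: a small Python model of first-match evaluation for the csc-scan access list above, useful for checking that the deny entry for the CSC management IP sits ahead of the permit entries. The parser covers only the entry forms used in that access list, and the client and server addresses in any flows you test are constructed values.

```python
# Added example: models first-match evaluation of the csc-scan ACL from the post.
# Parser covers only the forms used there: "host <ip>" / "any", optional "eq <port>".
PORTS = {"smtp": 25, "pop3": 110, "http": 80, "ftp": 21}

ACL = """\
access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
"""

def parse_addr(tokens):
    """Consume 'any' or 'host <ip>' from the token list; None means any."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {tok}")

def parse_acl(text):
    """Return the entries in order as (action, src, dst, dport) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        tokens = tokens[tokens.index("extended") + 1:]
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "tcp":
            raise ValueError(f"unsupported protocol: {proto}")
        src, dst = parse_addr(tokens), parse_addr(tokens)
        dport = None
        if tokens:
            if tokens.pop(0) != "eq":
                raise ValueError("only 'eq <port>' is supported")
            name = tokens.pop(0)
            dport = PORTS[name] if name in PORTS else int(name)
        entries.append((action, src, dst, dport))
    return entries

def sent_to_csc(entries, src, dst, dport):
    """First matching entry decides; no match means the class does not apply."""
    for action, e_src, e_dst, e_dport in entries:
        if e_src in (None, src) and e_dst in (None, dst) and e_dport in (None, dport):
            return action == "permit"
    return False
```

If the deny entry is moved below the `eq http` permit, HTTP traffic from the management IP matches the permit first and is sent to the module again, which is the double scan the post describes.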

gordonmarkus Mon, 09/29/2008 - 06:00

Hi,


Thanks for the feedback - I will give this a go when I get the chance.


Regards,


-Gordon

