ASA5510 with CSC-SSM-10 http painfully slow

gordonmarkus
Level 1

Hi everyone,

I've just installed an ASA5510 running 7.1(2) with a CSC-SSM-10 module running 6.2.1599.0.

It all appears to work ok (ftp/smtp run ok), but when I amend my policy-maps to redirect http traffic via the SSM module, web browsing becomes painfully slow, and this is with just myself using the network! If I take http out of my policy-map/access-list, then web browsing is normal speed.

Have any of you come across this at all before?

Any advice appreciated!

Thanks,

-Gordon


suschoud
Cisco Employee

Hi Gordon,

When users initially connect to the Internet through the CSC SSM, the CSC SSM contacts the Trend Micro web server using an HTTP request to determine the URL category for URL filtering and blocking. The CSC SSM scans this HTTP request again, which results in two HTTP connections for one initial request.

This additional scan is unnecessary. HTTP performance improves when you prevent CSC SSM packets from being scanned unnecessarily.

You can significantly improve HTTP performance through the CSC SSM by configuring the adaptive security appliance to skip the scanning of management traffic. To improve HTTP performance, perform the following steps:

1) Determine the management IP:

hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
------------Output Truncated--------------
Mgmt IP addr: 10.132.84.251 <<<<<<------- Management IP of CSC module
------------Output Truncated--------------

2) Exclude traffic from the management IP from being inspected by the CSC module.

Create a class-map which excludes the management IP of the CSC module from being inspected.

For example:

access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
class-map CSC-class
 match access-list csc-scan
policy-map CSC-policy
 class CSC-class
  csc fail-open
service-policy CSC-policy global

############

Do rate helpful posts.

Regards,

Sushil
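
A check for the exclusion described in the reply above, as an added example that is not part of the original post or any Cisco tooling: it parses a saved running-config, finds the ACLs bound to a `csc` action, and reports whether TCP traffic from the CSC management IP would still be selected for scanning. The sample config is constructed from the reply, the function names are hypothetical, and object-group ACL entries are not handled.

```python
import ipaddress
# Constructed sample: the configuration from the reply above, in running-config layout.
SAMPLE_CONFIG = """\
access-list csc-scan line 1 extended deny tcp host 10.132.84.251 any
access-list csc-scan line 2 extended permit tcp any any eq smtp
access-list csc-scan line 3 extended permit tcp any any eq pop3
access-list csc-scan line 4 extended permit tcp any any eq http
access-list csc-scan line 5 extended permit tcp any any eq ftp
class-map CSC-class
 match access-list csc-scan
policy-map CSC-policy
 class CSC-class
  csc fail-open
service-policy CSC-policy global
"""

def csc_acls(config):
    """Names of ACLs matched by class-maps that a policy-map hands to the CSC SSM."""
    class_acl, csc_classes, cmap, pclass = {}, set(), None, None
    for tok in (l.split() for l in config.splitlines() if l.strip()):
        if tok[0] == "class-map":
            cmap = tok[-1]
        elif tok[:2] == ["match", "access-list"] and cmap:
            class_acl[cmap] = tok[2]
        elif tok[0] == "class" and len(tok) == 2:
            pclass = tok[1]
        elif tok[0] == "csc" and pclass:
            csc_classes.add(pclass)
    return sorted(class_acl[c] for c in csc_classes if c in class_acl)

def mgmt_scanned(config, acl, mgmt_ip):
    """True if TCP sourced from mgmt_ip hits a permit before a blanket deny."""
    ip = ipaddress.ip_address(mgmt_ip)
    for tok in (l.split() for l in config.splitlines()):
        if tok[:2] != ["access-list", acl] or "extended" not in tok:
            continue
        action, proto, *rest = tok[tok.index("extended") + 1:]
        if rest[0] == "any":
            hit, dst = True, rest[1:]
        elif rest[0] == "host":
            hit, dst = rest[1] == mgmt_ip, rest[2:]
        else:  # "<network> <mask>" source; object-groups are not handled
            hit, dst = ip in ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        # First match wins: a permit selects the flow, a deny to "any" exempts it.
        if hit and proto in ("tcp", "ip") and (action == "permit" or dst == ["any"]):
            return action == "permit"
    return False  # no permit matched, so the class never selects this traffic

def audit(config, mgmt_ip):
    return {acl: mgmt_scanned(config, acl, mgmt_ip) for acl in csc_acls(config)}
```

`audit(SAMPLE_CONFIG, "10.132.84.251")` returns `{"csc-scan": False}`; a `True` value means the deny entry is missing or sits below a permit that matches the module's own traffic.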

Hi,

Thanks for the feedback - I will give this a go when I get the chance.

Regards,

-Gordon
