HTTP slow after upgrade 7.0(4)->8.0(4)

Oct 14th, 2008

After an upgrade from ASA version 7.0(4) to 8.0(4), HTTP has become very slow.

Partial page is downloaded every time but images and some other content download is very slow.

This setup worked fine with 7.0(4)

no dns-guard configured

HTTP traffic on 8088

class-map http_traffic, not configured for 8088.

Addition or removal of inspect http to global policy doesn't improve performance.


User->Router->ASA->Router->Proxy Server-> Internet.


Capture shows:

A lot of fragmentation and reassembly (no idea if this existed earlier as well).

Right after clear asp drop, a show output is as follows:

show asp drop

Frame drop:
Invalid encapsulation (invalid-encap) 39
No route to host (no-route) 429
Flow is denied by configured rule (acl-drop) 29786
Unsupported IPV6 header (unsupport-ipv6-hdr) 79
First TCP packet not SYN (tcp-not-syn) 1711
TCP failed 3 way handshake (tcp-3whs-failed) 92
TCP RST/FIN out of order (tcp-rstfin-ooo) 10297
FP L2 rule drop (l2_acl) 4903
Dropped pending packets in a closed socket (np-socket-closed) 181

Last clearing: 08:28:31 CEDT Oct 14 2008 by enable_15

Flow drop:
SSL received close alert (ssl-received-close-alert) 1

MSS capture is clean:

show capture mss-capture

0 packet captured
0 packet shown

Thanks in advance for the help.

(not possible to share show tech, please feel free to ask relevant queries)

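An added example, not part of the original post and not Cisco code: a small Python parser for the `show asp drop` output pasted above. It ranks the drop reasons and, because the counters accumulate from the "Last clearing" time, diffs two snapshots to show which reasons are still growing. The function names `parse_asp_drop`, `ranked` and `delta` are hypothetical.

```python
import re

# Output copied from the post above (blank lines removed).
SAMPLE = """\
Frame drop:
  Invalid encapsulation (invalid-encap) 39
  No route to host (no-route) 429
  Flow is denied by configured rule (acl-drop) 29786
  Unsupported IPV6 header (unsupport-ipv6-hdr) 79
  First TCP packet not SYN (tcp-not-syn) 1711
  TCP failed 3 way handshake (tcp-3whs-failed) 92
  TCP RST/FIN out of order (tcp-rstfin-ooo) 10297
  FP L2 rule drop (l2_acl) 4903
  Dropped pending packets in a closed socket (np-socket-closed) 181
Last clearing: 08:28:31 CEDT Oct 14 2008 by enable_15
Flow drop:
  SSL received close alert (ssl-received-close-alert) 1
"""

SECTION = re.compile(r"^\s*(Frame|Flow) drop:\s*$")
# "<description> (<counter-id>) <count>"
COUNTER = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<id>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {"frame": {counter_id: count}, "flow": {counter_id: count}}."""
    result = {"frame": {}, "flow": {}}
    section = None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1).lower()
            continue
        counter = COUNTER.match(line)
        if counter and section:  # ignores "Last clearing:" and blank lines
            result[section][counter.group("id")] = int(counter.group("count"))
    return result

def ranked(counters):
    """Counters sorted by count, largest first, with percentage share of the total."""
    total = sum(counters.values()) or 1
    rows = sorted(counters.items(), key=lambda kv: kv[1], reverse=True)
    return [(cid, n, round(100.0 * n / total, 1)) for cid, n in rows]

def delta(before, after):
    """Counters that increased between two snapshots of the same section."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}

if __name__ == "__main__":
    for cid, n, pct in ranked(parse_asp_drop(SAMPLE)["frame"]):
        print(f"{cid:20} {n:7} {pct:5}%")
```

Taking one snapshot, reproducing a slow page load, then taking a second snapshot and calling `delta` narrows the list to the counters that moved during the test.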
abinjola (Cisco Employee) Wed, 10/15/2008 - 04:47

Disable threat detection mechanism.

vijay sanwal Wed, 10/15/2008 - 22:34

Disabled threat detection entries, no difference in performance.

If we use port 80 for the proxy, instead of 8088, traffic works fine as it used to work with 7.0(4).

Please assist.

Thanks in advance.

with_joerg Wed, 10/22/2008 - 00:14

Dear all,

We have had the same problem for two weeks. However, in our case port 80 only works fine as long as there are not too many HTTP clients.

We have the setup:


It worked great with our old PIXv7.

Has this / have you ever found a solution to this?


vijay sanwal Wed, 10/22/2008 - 00:44

No solutions as yet. Same here mate, even HTTP 80 isn't working fine now. Maybe it never worked earlier as well.

Farrukh Haroon Wed, 10/22/2008 - 04:08

Can you post output of

show run all policy-map



vijay sanwal Wed, 10/22/2008 - 04:41

Hi Farrukh,

Well, I do not have the latest policy-map, but we have played around with HTTP-80 and HTTP-8088 inspection through class-map.

HTTP inspection was enabled, disabled. No issues with MSS as confirmed by MSS captures.

The setup is on end-customer site.

He just confirmed that a Static NAT resolves the issue, but obviously he can't use Static for 100s of users.

with_joerg Thu, 10/30/2008 - 07:08

Dear all,

I want to note that in rev 8.0(4) there seem to be two distinct problems.

1. HTTP on non-standard ports (which means not port 80) is slow, no matter which policy map (no inspect basic threats, no inspect http) etc. you apply or deactivate.

2. If you do HTTP over port 80 everything works very speedy as long as you use either static NAT or no NAT. Once you start to use PAT it becomes an unusable nightmare.

I personally have the impression that Cisco has to do some fixing here.


sguardino Thu, 10/30/2008 - 09:28

I have been having problems with a GRE bug in 7.2(4), and TAC told me to upgrade to 8.0(3), not 8.0(4), as the latter is still full of bugs.
