
HTTP slow after upgrade 7.0(4)->8.0(4)

vijay sanwal
Level 1

After an upgrade from ASA version 7.0(4) to 8.0(4), HTTP has become very slow.

A partial page is downloaded every time, but images and some other content download very slowly.

This setup worked fine with 7.0(4)

no dns-guard configured

HTTP traffic on 8088

class-map http_traffic, not configured for 8088.

Addition or removal of inspect http to the global policy doesn't improve performance.

Connectivity:

User->Router->ASA->Router->Proxy Server-> Internet.

IP->ASA(PAT)->PROXY(PAT)->Internet

Capture shows:

A lot of fragmentation and reassembly (no idea if this existed earlier as well).

Right after clear asp drop, a show output is as follows:

show asp drop

Frame drop:

Invalid encapsulation (invalid-encap) 39

No route to host (no-route) 429

Flow is denied by configured rule (acl-drop) 29786

Unsupported IPV6 header (unsupport-ipv6-hdr) 79

First TCP packet not SYN (tcp-not-syn) 1711

TCP failed 3 way handshake (tcp-3whs-failed) 92

TCP RST/FIN out of order (tcp-rstfin-ooo) 10297

FP L2 rule drop (l2_acl) 4903

Dropped pending packets in a closed socket (np-socket-closed) 181

Last clearing: 08:28:31 CEDT Oct 14 2008 by enable_15

Flow drop:

SSL received close alert (ssl-received-close-alert) 1

MSS capture is clean:

show capture mss-capture

0 packet captured

0 packet shown

Thanx in advance for the help.

(not possible to share show tech, please feel free to ask relevant queries)


abinjola
Cisco Employee

Disable the threat detection mechanism.

Disabled threat detection entries, no difference in performance.

If we use port 80 for the proxy, instead of 8088, traffic works fine as it used to work with 7.0(4).

Plz assist.

Thanx in advance

Dear all,

We have had the same problem for two weeks. However, in our case port 80 only works fine as long as there are not too many HTTP clients.

We have the setup:

http_clt>ASA/NAT>proxy_srv

It worked great with our old PIXv7.

Has this / have you ever found a solution to this?

--Joerg

No solutions as yet. Same here mate, even HTTP 80 isn't working fine now. Maybe it never worked earlier as well.

Can you post output of

show run all policy-map

Regards

Farrukh

Hi Farrukh,

Well, I do not have the latest policy-map, but we have played around with HTTP-80 and HTTP-8088 inspection through class-map.

HTTP inspection was enabled, disabled. No issues with MSS, as confirmed by MSS captures.

The setup is at the end-customer site.

He just confirmed that a static NAT resolves the issue, but obviously he can't use static NAT for 100s of users.

Dear all,

I want to note that in rev 8.0(4) there seem to be two distinct problems.

1. HTTP on non-standard ports (which means not port 80) is slow, no matter which policy map (no inspect basic threats, no inspect http, etc.) you apply or deactivate.

2. If you do HTTP over port 80, everything works very speedily as long as you use either static NAT or no NAT. Once you start to use PAT it becomes an unusable nightmare.

I personally have the impression that Cisco has to do some fixing here.

--Joerg

I have been having problems with a GRE bug in 7.2(4), and TAC told me to upgrade to 8.0(3), not 8.0(4), as the latter is still full of bugs.

-HTH
