08-08-2009 04:21 AM - edited 03-11-2019 09:04 AM
Hello,
I'm pretty sure this is a firewall issue, let me explain the issue I have.
Setup:
We have 2 ASA 5520's in Active/standby mode. The 'outside' port is connected to a VLAN on a 3750 switch where our 50mb leased line is (ISP Cisco router). The 'inside' of the ASA goes into another VLAN on the 3750 switch where our internal LAN switches are. On this 3750 switch there are various other VLANs that are sub-interfaces on the ASA via the trunk from the 3750 to the ASA.
I've been running some speed tests for our Internet leased line out of hours. It is a 50mb line and download speeds are around the 47mb mark, which is fine.
I'm using http://speed.redstonemanaged.co.uk/ and http://www.speedtest.net/
Now the issue: the upload speeds are only ever 8-11mb, and I have tried it from various different locations on the internal LAN and get the same results.
If I go onto a server in a VLAN on the 3750 switch, again I get the same issue, as the servers travel via the trunk to the ASA and out of the 'outside' interface to the VLAN where the Internet router is.
Now if I put a laptop directly into this outside VLAN on the 3750 where our 'outside' interface of the ASA is and ISP router then I get an upload of 47mb! I had to give the laptop a public IP and the gateway of the ISP router.
It just seems that anything that has to pass through the firewall has a slow issue transmitting/uploading data outbound to the Internet.
Our ASAs also have the IPS module; I turned this off and it made little difference. To turn the module off (the only way I know) is to use Cisco IPS Manager Express > Configuration > Event Action Rules > Rules0 > disable event action. Also on the ASA, using the ASDM, I went to Service Policy Rules and unticked the interfaces to monitor.
Can you think of any other steps I can take? Is it a NAT/PAT issue? I am lost for ideas.
Thanks
08-11-2009 05:54 AM
I am getting the same issue with 5520's in active/standby running 8.2(1). 25Mbit dedicated link and get 20-27Mbit download and 8-11 upload.
08-11-2009 05:57 AM
If I run the tests in front of the ASAs then it is fine; could it be a bottleneck? I thought maybe it's badly configured rules or NATs.
08-11-2009 03:45 PM
Try bypassing the IPS, that is, do not send traffic to the IPS module.
It is done using commands within the ASA.
I'm not sure what your config is.
Please paste the "sh run policy-map" command output. I'll get the speed up. :)
HTH
Sushil
08-11-2009 10:57 PM
I did try bypassing the IPS already, but I could be doing it wrong as the upload speed was still 10mb or so.
Here is my output:
sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error
policy-map DMZ1Servers-policy
 class DMZ1Servers-class1
  ips inline fail-open sensor vs0
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
policy-map DMZ6-policy
 class DMZ6-class
  ips inline fail-open sensor vs0
policy-map DMZ2-policy
 class DMZ2-class
  ips inline fail-open sensor vs0
policy-map DMZ5-policy
 class DMZ5-class
  ips inline fail-open sensor vs0
policy-map DMZ3-policy
 class DMZ3-class
  ips inline fail-open sensor vs0
policy-map DMZ10-policy
 class DMZ10-class
  ips inline fail-open sensor vs0
policy-map DMZ4-policy
 class DMZ4-class
  ips inline fail-open sensor vs0
08-12-2009 11:03 AM
Put in the commands below (each "no class" removes the class, and with it the "ips inline" action, from that policy-map):
###
policy-map DMZ1Servers-policy
 no class DMZ1Servers-class1
policy-map outside-policy
 no class outside-class
policy-map DMZ6-policy
 no class DMZ6-class
policy-map DMZ2-policy
 no class DMZ2-class
policy-map DMZ5-policy
 no class DMZ5-class
policy-map DMZ3-policy
 no class DMZ3-class
policy-map DMZ10-policy
 no class DMZ10-class
policy-map DMZ4-policy
 no class DMZ4-class
####
08-13-2009 05:45 AM
Tried this, but it didn't make any difference to my upload speeds.
08-12-2009 07:19 PM
I just posted a conversation. I have the exact same issue, except for mine it is download speeds. I used the same test servers you do.
01-13-2010 10:49 AM
We're having the same issue - twin ASA5510s in Active/Passive failover. In front of the ASAs we can get our full 15MB, but behind them we get 1.5MB to maybe 9MB (it's all over the place but tends to be under 3MB). We isolated one of the firewalls so our test traffic was the only traffic going through it but it made no difference.
We hired a Cisco engineer to bench the unit, wipe our configuration and test it again but he duplicated our symptoms. The problem seems to be inherent to the unit, but even the engineer hadn't heard of the issue nor could he fix it.
I wonder if there was a bad batch that came out of manufacturing with a defect?
01-13-2010 11:01 AM
Have you tried to remove threat detection and http inspection?
sh run threat
remove the lines with a "no" in front of them.
Please check interface errors with "sh int | i errors". Are you doing any kind of content scanning for the hosts that are behind the ASA? Any IDS devices monitoring the traffic? Any packet shaping devices?
Besides that, we need to collect captures on the ingress and egress interfaces and see where the delay is coming from.
-KS
01-13-2010 11:39 AM
I got it all fixed yesterday.
As the other post mentioned, do you have any IDS in front of your firewalls, or do you have the IPS modules installed in your ASAs? In the end it was our IPS module: we had to enter the kernel mode of the IPS module using the service account and amend the RegexDepth setting, as it is fixed for upload but for downloads it wasn't, so it was sort of throttling the upload speed, so we "relaxed" this. If you need the commands I used, let me know.
01-13-2010 12:07 PM
Andy, kusankar,
Thanks to you both for your prompt replies. I'll try to do your effort justice with my own.
There are no IDS devices upstream from the ASAs. I'm not sure if our ASAs have the IPS module installed, but then I don't know what the IPS module is. A quick walk through the ASDM doesn't show anything, but there may be a difference in terminology.
I am not conversant with the IOS or working at the Cisco CLI, but I am willing to give anything a shot. Step-by-step instructions would be awesome. If it makes any difference, we're running v7.2(2) of the firmware and I have v5.2(2) of the ASDM.
Thanks again for your help,
Paul
01-13-2010 12:33 PM
I would suggest upgrading your firmware at some point to 8.0.x and the latest ASDM. They offer lots of bug fixes plus new features, and the newer ASDM (version 6.0.x) is much better. Try 8.04 (mature) or 8.0.5 (newish).
As you are running in failover mode with 2 ASAs, you can upgrade one > reload > failover to the other > upgrade > reload, and there will be no downtime. Both have to be on the same firmware for the failover to continue to work. I can get a URL on this if you need it.
The IPS module is a physical device that sits in your ASA; from the CLI on the ASA type "session 1" and see if you get a prompt.
Please rate if you find any of this helpful.
01-13-2010 12:52 PM
Andy,
Since the IPS module is a physical device rather than a software feature, I'm pretty sure we don't have one. Running your command from the CLI in the ASDM returns "Card in slot 1 did not respond to session request". When I look at the rear of the ASA, I can see an expansion slot blanking plate so I think it's safe to say I don't have an IPS module. I take it this implies my problem is different from yours.
To be thorough, I ran the "sh int | i errors" command suggested by kusankar. Here is the result of that:
0 input errors, 16455 CRC, 0 frame, 0 overrun, 16455 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 9682983 CRC, 0 frame, 0 overrun, 9682983 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
So it looks like something is generating CRC errors, but that may be normal. I ran the command multiple times and those error counts are incrementing.
Lastly, I would be very interested in any assistance you can offer upgrading the firmware on my ASAs.
Thanks again,
Paul
01-13-2010 02:08 PM
Need to fix these CRC errors ASAP.
Issue "sh int e0/0" (or whichever is appropriate) on all the interfaces and find out which interface is showing these errors.
Then see what cable connects that port to which device. Try the following one at a time:
1. clear interface
2. set the speed and duplex to the same on both the ASA and the switch end
3. change the cable
4. change the port on the switch and watch the switch port for errors.
After each of changes 2, 3 and 4, issue "sh inter | i errors".
Once you fix this you should see better results.
You are running an older code where threat detection was not introduced.
Upgrading the ASA code will not resolve the problem. Let us first take care of the CRC errors.
-KS
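The two checks kusankar walks Paul through above, whether the CRC and "ignored" counters keep climbing between two samples and whether speed and duplex agree at both ends of each ASA-to-switch cable, as an added example that is not from the thread or from Cisco. It parses abridged ASA "show interface" output and 3750 "show interfaces status" output; the sample output, interface names and the cabling map are constructed for illustration, not captured from a real device.

```python
"""Added example (not from the thread): flag CRC/'ignored' counters that keep
climbing between two ASA 'show interface' samples, and speed/duplex disagreement
between an ASA port and the 3750 port it is cabled to.  All output is constructed."""
import re
from dataclasses import dataclass

IF_HDR = re.compile(r'^Interface (\S+) "([^"]*)"')
# Both ASA forms: 'Full-Duplex, 100 Mbps' and 'Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)'
DUPLEX = re.compile(r'(Half|Full)-[Dd]uplex.*?(\d+) Mbps')
ERRORS = re.compile(r'(\d+) input errors, (\d+) CRC, \d+ frame, \d+ overrun, (\d+) ignored')
# One row of 3750 'show interfaces status': port  name  status  vlan  duplex  speed  type
STATUS = re.compile(r'^(\S+)\s+.*?(connected|notconnect|disabled)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s*$')


@dataclass
class AsaIface:
    nameif: str
    duplex: str = ''        # 'full' or 'half'
    speed: int = 0          # Mbps
    input_errors: int = 0
    crc: int = 0
    ignored: int = 0


def parse_asa_interfaces(text):
    """Return {interface: AsaIface} from ASA 'show interface' output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IF_HDR.match(line)
        if m:
            cur = ifaces[m.group(1)] = AsaIface(m.group(2))
            continue
        if cur is None:
            continue
        m = DUPLEX.search(line)
        if m:
            cur.duplex, cur.speed = m.group(1).lower(), int(m.group(2))
            continue
        m = ERRORS.search(line)
        if m:
            cur.input_errors, cur.crc, cur.ignored = map(int, m.groups())
    return ifaces


def incrementing_counters(before, after):
    """(interface, counter, delta) for every error counter that grew between the two samples."""
    findings = []
    for name, now in after.items():
        old = before.get(name)
        for field in ('input_errors', 'crc', 'ignored'):
            delta = getattr(now, field) - getattr(old, field) if old else 0
            if delta > 0:
                findings.append((name, field, delta))
    return findings


def parse_switch_status(text):
    """{port: (duplex, speed_mbps)} for connected 3750 ports; the 'a-' prefix marks negotiated values."""
    ports = {}
    for line in text.splitlines():
        m = STATUS.match(line)
        if m and m.group(2) == 'connected':
            duplex, speed = (v.replace('a-', '') for v in m.group(3, 4))
            ports[m.group(1)] = (duplex, int(speed))
    return ports


def duplex_mismatches(asa, switch, cabling):
    """Compare each ASA port with the switch port the operator's cabling record pairs it with."""
    problems = []
    for asa_if, sw_port in cabling.items():
        a, s = asa.get(asa_if), switch.get(sw_port)
        if a and s and (a.duplex, a.speed) != s:
            problems.append((asa_if, (a.duplex, a.speed), sw_port, s))
    return problems


# Constructed samples: 'outside' is hard-set full/100 on the ASA while the 3750 port
# negotiated half/100, the classic duplex mismatch behind climbing CRC counts.
ASA_T0 = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        Full-Duplex, 100 Mbps
        0 input errors, 16455 CRC, 0 frame, 0 overrun, 16455 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
# Second sample a few minutes later: only the outside counters have moved.
ASA_T1 = ASA_T0.replace('16455 CRC', '16902 CRC').replace('16455 ignored', '16902 ignored')
SWITCH_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   to ASA outside     connected    10         a-half  a-100 10/100/1000BaseTX
Gi1/0/2   to ASA inside      connected    20         a-full a-1000 10/100/1000BaseTX
"""
CABLING = {'GigabitEthernet0/0': 'Gi1/0/1', 'GigabitEthernet0/1': 'Gi1/0/2'}  # constructed

if __name__ == '__main__':
    asa0, asa1 = parse_asa_interfaces(ASA_T0), parse_asa_interfaces(ASA_T1)
    print(incrementing_counters(asa0, asa1))
    print(duplex_mismatches(asa1, parse_switch_status(SWITCH_STATUS), CABLING))
```

Run against the constructed samples it reports that only the outside interface's CRC and ignored counters moved (by 447 each) and that the same interface disagrees on duplex with the switch port it is cabled to, which is exactly the combination kusankar's step 2 is meant to rule out. With real devices the two ASA samples would come from "show interface" taken a few minutes apart and the switch side from "show interfaces status" on the 3750; the cabling map has to come from your own records, since neither command tells you which port is plugged into which.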