Slow upload speeds to Internet via ASA 5520.

whiteford
Level 1

Hello,

I'm pretty sure this is a firewall issue; let me explain the issue I have.

Setup:

We have 2 ASA 5520s in Active/Standby mode. The 'outside' port is connected to a VLAN on a 3750 switch where our 50mb leased line is (ISP Cisco router). The 'inside' of the ASA goes into another VLAN on the 3750 switch where our internal LAN switches are. On this 3750 switch there are various other VLANs that are sub-interfaces on the ASA via the trunk from the 3750 to the ASA.

I've been running some speed tests for our Internet leased line out of hours. It is a 50mb line and download speeds are around the 47mb mark, which is fine.

I'm using http://speed.redstonemanaged.co.uk/ and http://www.speedtest.net/

Now the issue: the upload speeds are only ever 8-11mb, and I have tried it from various different locations on the internal LAN and get the same results.

If I go onto a server in a VLAN on the 3750 switch, again I get the same issue, as the servers travel via the trunk to the ASA and out of the 'outside' interface to the VLAN where the Internet router is.

Now if I put a laptop directly into this outside VLAN on the 3750, where the ASA's 'outside' interface and the ISP router are, then I get an upload of 47mb! I had to give the laptop a public IP and the gateway of the ISP router.

It just seems that anything that has to pass through the firewall has an issue transmitting/uploading data outbound to the Internet slowly.

Our ASAs also have the IPS module; I turned this off and it made little difference. To turn the module off (the only way I know) is to use Cisco IPS Manager Express > Configuration > Event Action Rules > Rules0 > disable event action. Also on the ASA, using the ASDM, I went to Service Policy Rules and unticked the interfaces to monitor.

Can you think of any other steps I can take? Is it a NAT/PAT issue? I am lost for ideas.

Thanks

19 Replies

v.shearer
Level 1

I am getting the same issue with 5520s in active/standby running 8.2(1). 25Mbit dedicated link and I get 20-27Mbit download and 8-11 upload.

If I run the tests in front of the ASAs then it is fine; could it be a bottleneck? I thought maybe it's badly configured rules or NATs.

suschoud
Cisco Employee

Try bypassing the IPS, that is, do not send traffic to the IPS module.

It is done using commands within the ASA.

I'm not sure what your config is.

Please paste the "sh run policy-map" command output. I'll get the speed up. :)

HTH

Sushil

I did try bypassing the IPS already, but I could be doing it wrong as the upload speed was still 10mb or so.

Here is my output:

sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error
policy-map DMZ1Servers-policy
 class DMZ1Servers-class1
  ips inline fail-open sensor vs0
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
policy-map DMZ6-policy
 class DMZ6-class
  ips inline fail-open sensor vs0
policy-map DMZ2-policy
 class DMZ2-class
  ips inline fail-open sensor vs0
policy-map DMZ5-policy
 class DMZ5-class
  ips inline fail-open sensor vs0
policy-map DMZ3-policy
 class DMZ3-class
  ips inline fail-open sensor vs0
policy-map DMZ10-policy
 class DMZ10-class
  ips inline fail-open sensor vs0
policy-map DMZ4-policy
 class DMZ4-class
  ips inline fail-open sensor vs0

Put in the commands below:

###
policy-map DMZ1Servers-policy
 no class DMZ1Servers-class1
policy-map outside-policy
 no class outside-class
policy-map DMZ6-policy
 no class DMZ6-class
policy-map DMZ2-policy
 no class DMZ2-class
policy-map DMZ5-policy
 no class DMZ5-class
policy-map DMZ3-policy
 no class DMZ3-class
policy-map DMZ10-policy
 no class DMZ10-class
policy-map DMZ4-policy
 no class DMZ4-class
####
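Generating that bypass by hand is error-prone (one typo in a class name and the sensor stays in the path). The following is an added example, not code from the thread or from Cisco: a Python helper that parses `show running-config policy-map` text, finds every class whose actions hand traffic to the IPS module (any action starting with `ips `, so both `ips inline` and `ips promiscuous`), and emits the same `no class` commands, together with the commands that put each class back with all of its actions. The sample input is a trimmed excerpt of the output posted above, re-indented the way the ASA prints it. The restore list matters because `no class` removes every action configured under that class, not only the `ips` one.

```python
"""Plan an IPS bypass from `show running-config policy-map` output.

Added example (not from the thread): parses the policy-map text, finds every
class whose actions send traffic to the IPS module (`ips inline ...` or
`ips promiscuous ...`), and emits the `no class` commands the thread uses to
bypass the sensor, plus the commands needed to put the classes back.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Trimmed excerpt of the `sh run policy-map` output posted in the thread,
# re-indented the way the ASA prints it (one space for class, two for actions).
SAMPLE_POLICY_MAP = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
policy-map DMZ1Servers-policy
 class DMZ1Servers-class1
  ips inline fail-open sensor vs0
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
policy-map DMZ6-policy
 class DMZ6-class
  ips inline fail-open sensor vs0
"""


@dataclass
class ClassEntry:
    """One `class` block inside a policy-map, with the actions configured under it."""
    policy: str
    name: str
    actions: List[str] = field(default_factory=list)

    def sends_to_ips(self) -> bool:
        # Any `ips inline ...` / `ips promiscuous ...` action redirects the class to the sensor.
        return any(a.startswith("ips ") for a in self.actions)


def parse_policy_maps(text: str) -> List[ClassEntry]:
    """Return every (policy-map, class) pair found in the running-config text."""
    entries: List[ClassEntry] = []
    policy = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map "):
            # `policy-map type inspect <proto> <name>` has no classes, but tracking it
            # keeps its `parameters` block from being attributed to the previous class.
            policy = line.split()[-1]
            current = None
        elif line.startswith("class ") and policy is not None:
            current = ClassEntry(policy, line.split(None, 1)[1])
            entries.append(current)
        elif current is not None:
            current.actions.append(line)
    return entries


def bypass_plan(text: str) -> Dict[str, List[str]]:
    """Commands that detach every IPS-bound class, and the commands that restore them."""
    bypass: List[str] = []
    restore: List[str] = []
    for entry in parse_policy_maps(text):
        if not entry.sends_to_ips():
            continue
        bypass += [f"policy-map {entry.policy}", f" no class {entry.name}"]
        restore += [f"policy-map {entry.policy}", f" class {entry.name}"]
        restore += [f"  {action}" for action in entry.actions]
    return {"bypass": bypass, "restore": restore}


if __name__ == "__main__":
    plan = bypass_plan(SAMPLE_POLICY_MAP)
    print("! bypass")
    print("\n".join(plan["bypass"]))
    print("! restore")
    print("\n".join(plan["restore"]))
```

Paste the real `sh run policy-map` output in place of the sample, keep the `restore` block somewhere safe before applying the `bypass` block, and re-run the speed test in between so the result can be attributed to the sensor rather than to something else that changed.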

Tried this, but it didn't make any difference to my upload speeds.

will.joshua
Level 1

I just posted a conversation. I have the exact same issue, except for me it's download speeds. I used the same test servers you do.

We're having the same issue - twin ASA5510s in Active/Passive failover.  In front of the ASAs we can get our full 15MB, but behind them we get 1.5MB to maybe 9MB (it's all over the place but tends to be under 3MB).  We isolated one of the firewalls so our test traffic was the only traffic going through it but it made no difference.

We hired a Cisco engineer to bench the unit, wipe our configuration and test it again but he duplicated our symptoms.  The problem seems to be inherent to the unit, but even the engineer hadn't heard of the issue nor could he fix it.

I wonder if there was a bad batch that came out of manufacturing with a defect?

Have you tried removing threat detection and HTTP inspection?

sh run threat

Remove the lines by putting "no" in front of them.

Please check interface errors with "sh int | i errors". Are you doing any kind of content scanning for the hosts that are behind the ASA? Any IDS devices monitoring the traffic? Any packet shaping devices?

Besides that, we need to collect captures on the ingress and egress interfaces and see where the delay is coming from.

-KS

I got it all fixed yesterday.

As the other post mentioned, do you have any IDS in front of your firewalls, or do you have the IPS modules installed in your ASAs? In the end it was our IPS module: we had to enter the kernel mode of the IPS module using the service account and amend the RegexDepth setting, as it is fixed for upload but for downloads it wasn't, so it was sort of throttling the upload speed, so we "relaxed" this. If you need the commands I used, let me know.

Andy, kusankar,

Thanks to you both for your prompt replies.  I'll try to do your effort justice with my own.

There are no IDS devices upstream from the ASAs.  I'm not sure if our ASAs have the IPS module installed, but then I don't know what the IPS module is.  A quick walk through the ASDM doesn't show anything, but there may be a difference in terminology.

I am not conversant with the IOS or working at the Cisco CLI, but I am willing to give anything a shot. Step-by-step instructions would be awesome. If it makes any difference, we're running v7.2(2) of the firmware and I have v5.2(2) of the ASDM.

Thanks again for your help,

Paul

I would suggest upgrading your firmware at some point to 8.0.x and the latest ASDM. They offer lots of bug fixes plus new features, and the newer ASDM (version 6.0.x) is much better. Try 8.0.4 (mature) or 8.0.5 (newish).

As you are running in failover mode with 2 ASAs, you can upgrade one > reload > fail over to the other > upgrade > reload and there will be no downtime. Both have to be on the same firmware for the failover to continue to work. I can get a URL on this if you need it.

The IPS module is a physical device that sits in your ASA; from the CLI on the ASA type "session 1" and see if you get a prompt.

Please rate if you find any of this helpful.

Andy,

Since the IPS module is a physical device rather than a software feature, I'm pretty sure we don't have one.  Running your command from the CLI in the ASDM returns "Card in slot 1 did not respond to session request".  When I look at the rear of the ASA, I can see an expansion slot blanking plate so I think it's safe to say I don't have an IPS module.  I take it this implies my problem is different from yours.

To be thorough, I ran the "sh int | i errors" command suggested by kusankar.  Here is the result of that:

0 input errors, 16455 CRC, 0 frame, 0 overrun, 16455 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 9682983 CRC, 0 frame, 0 overrun, 9682983 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets

So it looks like something is generating CRC errors, but that may be normal.  I ran the command multiple times and those error counts are incrementing.

Lastly, I would be very interested in any assistance you can offer upgrading the firmware on my ASAs.

Thanks again,

Paul

Need to fix these CRC errors ASAP.

Issue sh int e0/0, or whichever is appropriate, on all the interfaces and find out which interface is showing these errors.

Then see what cable connects that port to which device.  Try the following one at a time.

1. clear interface

2. set the speed and duplex to the same on both the ASA and the switch end

3. change the cable

4. change the port on the switch and watch the switch port for errors.

After each of changes 2, 3 and 4, issue sh inter | i errors.

Once you fix this you should see better results.

You are running older code in which threat detection had not yet been introduced.

Upgrading the ASA code will not resolve the problem.  Let us first take care of the CRC errors.

-KS
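The "run it, change one thing, run it again" loop above has one practical snag: `sh int | i errors` strips the interface names, so the counter lines Paul posted cannot be tied to a port, which is why the advice is to run `sh int` per interface. This added example (not code from the thread or from Cisco) does the comparison for you: it parses two full `show interface` captures taken a few minutes apart and reports the interfaces whose input CRC counter moved between them, largest delta first. The captures are constructed: the header line format is the ASA's, the counter values on the first two interfaces are the ones posted above, and the second capture bumps the inside counter to stand in for the incrementing errors Paul observed.

```python
"""Spot interfaces whose CRC counters are still climbing.

Added example (not from the thread): `sh int | i errors` strips the interface
names, so this parses two full `show interface` captures taken a few minutes
apart and reports the interfaces whose input CRC count moved between them.
"""
import re
from typing import Dict, List

# Constructed sample captures: the header line format is the ASA's, the counter
# values on "outside" and "inside" are the ones posted in the thread.
CAPTURE_BEFORE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        0 input errors, 16455 CRC, 0 frame, 0 overrun, 16455 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        0 input errors, 9682983 CRC, 0 frame, 0 overrun, 9682983 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
Interface GigabitEthernet0/2 "dmz", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
"""
# Second capture (constructed): only the inside counters have moved.
CAPTURE_AFTER = CAPTURE_BEFORE.replace("9682983", "9684120")

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
INPUT_RE = re.compile(
    r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored, (\d+) abort"
)
OUTPUT_RE = re.compile(r"(\d+) output errors, (\d+) collisions, (\d+) interface resets")


def parse_counters(text: str) -> Dict[str, dict]:
    """Map interface id -> {nameif, error counters} from `show interface` output."""
    counters: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {"nameif": m.group(2)}
            continue
        if current is None:
            continue  # text before the first interface header
        m = INPUT_RE.search(line)
        if m:
            keys = ("input_errors", "crc", "frame", "overrun", "ignored", "abort")
            counters[current].update(zip(keys, map(int, m.groups())))
            continue
        m = OUTPUT_RE.search(line)
        if m:
            keys = ("output_errors", "collisions", "resets")
            counters[current].update(zip(keys, map(int, m.groups())))
    return counters


def incrementing_crc(before: str, after: str) -> List[dict]:
    """Interfaces whose CRC counter grew between the two captures, largest delta first."""
    b, a = parse_counters(before), parse_counters(after)
    findings = []
    for ifname, after_c in a.items():
        before_c = b.get(ifname)
        if before_c is None or "crc" not in before_c or "crc" not in after_c:
            continue  # interface appeared between captures, or its counter line was cut off
        delta = after_c["crc"] - before_c["crc"]
        if delta > 0:
            findings.append({
                "interface": ifname, "nameif": after_c["nameif"],
                "before": before_c["crc"], "after": after_c["crc"], "delta": delta,
            })
    return sorted(findings, key=lambda f: f["delta"], reverse=True)


if __name__ == "__main__":
    for f in incrementing_crc(CAPTURE_BEFORE, CAPTURE_AFTER):
        print(f'{f["interface"]} ({f["nameif"]}): CRC {f["before"]} -> {f["after"]} (+{f["delta"]})')
```

A counter that is large but static (the outside interface in the sample) points at an old event or a cable that has since been replaced; one that keeps climbing between captures is the port to work through steps 1 to 4 on, and the same two-capture comparison tells you whether each change actually stopped the growth.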
