Problems with slow access to a certain site.

Unanswered Question
Feb 26th, 2010

We are experiencing very slow speeds when accessing the below link. We are going through a 7.2.1 525 PIX and using PAT.


When I hook up a workstation "in front" of the firewall the speed is acceptable.


I don't see anything in the config directly relating to this site. There seems to be some interaction between this download and our firewall but I am at a loss.


Downloads of PDFs from other sites seem fine.



http://www1.atitesting.com/ati_next_gen/ati/contents/library/en-us/full_rn_rm_ams_7_1.pdf

Kureli Sankar (Cisco Employee) Fri, 02/26/2010 - 11:20

Make sure

1. You don't have any speed/duplex issues (sh int).

2. Make sure there are no errors incrementing on the interfaces (sh int | i errors); type the command a couple of times.

3. Make sure you do not have http inspection enabled.

4. Do you have any content scanning devices, like a CSC module or Websense?


-KS

dporod Fri, 02/26/2010 - 11:41

I do not see any speed/duplex issues.


I do see a couple errors on the outside interface but they don't seem to be incrementing fast.

     2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort


HTTP is enabled. I could disable it. To tell the truth I don't understand what the "inspect" commands do.


     policy-map global_policy
      class inspection_default
       inspect dns migrated_dns_map_1
       inspect ftp
       inspect ils
       inspect netbios
       inspect rsh
       inspect rtsp
       inspect skinny
       inspect sqlnet
       inspect sunrpc
       inspect tftp
       inspect xdmcp
       inspect h323 ras
       inspect http
      class class_sip_udp
       inspect sip


We do have Websense but the addresses I am trying from are not being filtered.


I appreciate your help:)

Kureli Sankar (Cisco Employee) Fri, 02/26/2010 - 11:45

Interface errors incrementing should be looked at and resolved.

Pls. remove http inspection. If you have url-server configured on this firewall it will enable it in the background.


You can read about inspect http here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782


Give it a shot once inspection is removed and let us know the result.


-KS

Kureli Sankar (Cisco Employee) Fri, 02/26/2010 - 12:27

One other thing. See if you have TD enabled.


sh run threat


If so pls. disable and run the test.


sh run threat: get the lines, get into conf t, and copy and paste the threat lines with a "NO" in front of them.


-KS

dporod Fri, 02/26/2010 - 12:34

When I did the sh run threat I get an "invalid input" response.


I disabled inspect http and it seems to have helped.


Still looking at the interface errors.

ssocsupport Mon, 03/01/2010 - 01:03

Boss, sometimes the invalid dns entry configured in the client's PC may cause.


Identify, if the problem is with one user and all the users.


Try to check the DNS server IP address configured.


Disabling the http inspection is vulnerable.


regards,

ssoc support

dporod Mon, 03/01/2010 - 05:48

So what would be the danger of leaving "inspect http" disabled?

dporod Mon, 03/01/2010 - 07:18

Hi Kusankar, I read the link you provided. From what I understand inspect http will be enabled in the background if url-server is configured, even if the inspect http is removed.


We do not filter all of our IP addresses with the "filter url http" command, just our problem areas.

Kureli Sankar (Cisco Employee) Mon, 03/01/2010 - 10:01

Yes, since you mentioned that you have a filter not to do filtering for this website and it still sees latency - meaning you were inspected by the explicit inspection configured under the policy-map and not on the background one that url-server does automatically.


Something in the http inspection and this website don't agree with each other. If you would like to get to the bottom of it, pls. open a TAC case and investigate it further as captures, debugs and syslogs will have to be collected and analyzed.



-KS
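
The check suggested earlier in the thread (run `sh int | i errors` a couple of times and see whether the counters move) can be scripted by diffing two captures of `sh int` output. This is an added example, not part of the thread: the two captures are constructed, and the `Interface <hardware> "<name>"` header format is an assumption about the PIX output.

```python
import re

# One "<value> <name>" pair, as in the line quoted in the thread:
# "2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort"
PAIR_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*)")
# Assumed header format: Interface Ethernet0 "outside", is up, ...
IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')

def parse_counters(text):
    """Return {interface: {counter: value}} from `sh int` output."""
    result, current = {}, None
    for line in text.splitlines():
        header = IFACE_RE.match(line.strip())
        if header:
            current = header.group(2) or header.group(1)
            result[current] = {}
        elif current is not None and "errors" in line:
            for value, name in PAIR_RE.findall(line):
                result[current][name.strip()] = int(value)
    return result

def incrementing(before, after):
    """Return {(interface, counter): delta} for counters that grew."""
    deltas = {}
    for iface, counters in after.items():
        for name, value in counters.items():
            old = before.get(iface, {}).get(name, 0)
            # A lower value means the counters were cleared between
            # captures, so everything now on the counter is new.
            delta = value - old if value >= old else value
            if delta > 0:
                deltas[(iface, name)] = delta
    return deltas

# Constructed captures, taken some minutes apart (not from the thread).
FIRST = '''Interface Ethernet0 "outside", is up, line protocol is up
     2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets
Interface Ethernet1 "inside", is up, line protocol is up
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets
'''
SECOND = FIRST.replace("2 input errors", "9 input errors").replace(
    "2 overrun", "9 overrun")

if __name__ == "__main__":
    changes = incrementing(parse_counters(FIRST), parse_counters(SECOND))
    for (iface, name), delta in sorted(changes.items()):
        print(f"{iface}: {name} +{delta}")
```
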
