Problems with slow access to a certain site.

Unanswered Question
Feb 26th, 2010

We are experiencing very slow speeds when accessing the below link. We are going through a 7.2.1 525 PIX and using PAT.

When I hook up a workstation "in front" of the firewall the speed is acceptable.

I don't see anything in the config directly relating to this site. There seems to be some interaction between this download and our firewall but I am at a loss.

Downloads of PDFs from other sites seem fine.

http://www1.atitesting.com/ati_next_gen/ati/contents/library/en-us/full_rn_rm_ams_7_1.pdf

Kureli Sankar Fri, 02/26/2010 - 11:20

Make sure

1. you don't have any speed/duplex issues (sh int)

2. Make sure there are no errors incrementing on the interfaces (sh int | i errors) type the command a couple of times.

3. Make sure you do not have http inspection enabled.

4. Do you have any content scanning devices? like CSC module or websense?

-KS
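
An added example, not part of the original post: one way to carry out step 2 above (run sh int a couple of times and see whether the error counters move) is to save two outputs and diff the error lines. The sample text is constructed in the style of PIX show interface output, reusing the "input errors" line layout quoted later in this thread; the function names are hypothetical.

```python
import re

# Constructed samples in the style of PIX "show interface" output; the
# "input errors" line layout is the one quoted in this thread.
SAMPLE_T0 = """\
Interface Ethernet0 "outside", is up, line protocol is up
        2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
Interface Ethernet1 "inside", is up, line protocol is up
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
"""
# Second snapshot, constructed: counters on "outside" have grown.
SAMPLE_T1 = SAMPLE_T0.replace("2 input errors, 0 CRC, 0 frame, 2 overrun",
                              "9 input errors, 4 CRC, 0 frame, 5 overrun")

HEADER = re.compile(r'^Interface (\S+) "([^"]*)"')
COUNTER = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?:,|$)")

def parse_errors(text):
    """Return {interface name: {counter: value}} for the error lines only."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Prefer the nameif ("outside"); fall back to the hardware name.
            current = result.setdefault(m.group(2) or m.group(1), {})
        elif current is not None and re.search(r"(input|output) errors", line):
            for value, name in COUNTER.findall(line.strip()):
                current[name.strip()] = int(value)
    return result

def incrementing(before, after):
    """Counters that grew between snapshots: {interface: {counter: delta}}."""
    old_all, deltas = parse_errors(before), {}
    for nameif, counters in parse_errors(after).items():
        old = old_all.get(nameif, {})
        grew = {c: v - old.get(c, 0) for c, v in counters.items()
                if v > old.get(c, 0)}
        if grew:
            deltas[nameif] = grew
    return deltas

if __name__ == "__main__":
    for nameif, grew in incrementing(SAMPLE_T0, SAMPLE_T1).items():
        print(nameif, grew)
```
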

dporod Fri, 02/26/2010 - 11:41

I do not see any speed/duplex issues.

I do see a couple errors on the outside interface but they don't seem to be incrementing fast.

     2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort

HTTP is enabled. I could disable it. To tell the truth I don't understand what the "inspect" commands do.

     policy-map global_policy
      class inspection_default
       inspect dns migrated_dns_map_1
       inspect ftp
       inspect ils
       inspect netbios
       inspect rsh
       inspect rtsp
       inspect skinny
       inspect sqlnet
       inspect sunrpc
       inspect tftp
       inspect xdmcp
       inspect h323 ras
       inspect http
      class class_sip_udp
       inspect sip

We Do have Websense but the addresses I am trying from are not being filtered.

I appreciate your help:)

Kureli Sankar Fri, 02/26/2010 - 11:45

Interface errors incrementing should be looked at and resolved.

Pls. remove http inspection. If you have url-server configured on this firewall it will enable it in the background.

You can read about inspect http here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782

Give it a shot once inspection is removed and let us know the result.

-KS

Kureli Sankar Fri, 02/26/2010 - 12:27

One other thing. See if you have TD enabled.

sh run threat

If so pls. disable and run the test.

sh run threat: get the lines, get into conf t, and copy and paste the threat lines with a "NO" in front of them.

-KS

dporod Fri, 02/26/2010 - 12:34

When I did the sh run threat I got an "invalid input" response.

I disabled inspect http and it seems to have helped.

Still looking at the interface errors.

ssocsupport Mon, 03/01/2010 - 01:03

Boss, sometimes the invalid dns entry configured in the client's PC may cause.

Identify, if the problem is with one user and all the users.

Try to check the dns server ip address configured.

Disabling the http inspection is vulnerable.

regards,

ssoc support

dporod Mon, 03/01/2010 - 05:48

So what would be the danger of leaving "inspect http" disabled?

dporod Mon, 03/01/2010 - 07:18

Hi Kusankar, I read the link you provided. From what I understand inspect http will be enabled in the background if url-server is configured, even if the inspect http is removed.

We do not filter all of our IP addresses with the "filter url http" command, just our problem areas.

Kureli Sankar Mon, 03/01/2010 - 10:01

Yes, since you mentioned that you have a filter not to do filtering for this website and it still sees latency - meaning you were inspected by the explicit inspection configured under the policy-map and not on the background one that url-server does automatically.

Something in the http inspection and this website doesn't agree with each other. If you would like to get to the bottom of it, pls. open a TAC case and investigate it further as captures, debugs and syslogs will have to be collected and analyzed.

-KS
