02-26-2010 10:05 AM - edited 03-11-2019 10:15 AM
We are experiencing very slow speeds when accessing the below link. We are going through a 7.2.1 525 PIX and using PAT.
When I hook up a workstation "in front" of the firewall the speed is acceptable.
I don't see anything in the config directly relating to this site. There seems to be some interaction between this download and our firewall but I am at a loss.
Downloads of PDFs from other sites seem fine.
http://www1.atitesting.com/ati_next_gen/ati/contents/library/en-us/full_rn_rm_ams_7_1.pdf
02-26-2010 11:20 AM
Make sure
1. you don't have any speed duplex issues (sh int)
2. Make sure there are no errors incrementing on the interfaces (sh int | i errors) type the command a couple of times.
3. Make sure you do not have http inspection enabled.
4. Do you have any content scanning devices? like CSC module or websense?
-KS
02-26-2010 11:41 AM
I do not see any speed/duplex issues.
I do see a couple errors on the outside interface but they don't seem to be incrementing fast.
2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
HTTP is enabled. I could disable it. To tell the truth I don't understand what the "inspect" commands do.
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect h323 ras
  inspect http
 class class_sip_udp
  inspect sip
We Do have Websense but the addresses I am trying from are not being filtered.
I appreciate your help:)
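Step 2 of the checklist above (run sh int | i errors a couple of times and see whether the counters move), as an added example that is not part of the original thread. It assumes one counter line per capture in the format quoted in this reply; the second capture is constructed for illustration and the function names are hypothetical.

```python
import re

# Matches "<count> <counter name>" pairs such as "2 input errors" or "0 CRC".
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*(?:,|$)")


def parse_counters(line):
    """Return {counter_name: value} for one error-counter line of 'sh int' output."""
    return {name.strip(): int(value)
            for value, name in COUNTER_RE.findall(line.strip())}


def incrementing(before, after):
    """Return {counter_name: delta} for counters that grew between two captures."""
    old, new = parse_counters(before), parse_counters(after)
    return {name: new[name] - old[name]
            for name in new
            if name in old and new[name] > old[name]}


# First capture: the line quoted in the thread.
FIRST = "2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort"
# Second capture: constructed sample, as if taken a few minutes later.
SECOND = "5 input errors, 0 CRC, 0 frame, 5 overrun, 0 ignored, 0 abort"

if __name__ == "__main__":
    deltas = incrementing(FIRST, SECOND)
    if deltas:
        for name, delta in deltas.items():
            print(f"{name}: +{delta} since previous capture")
    else:
        print("no error counters incremented between captures")
```

Overruns that keep climbing between captures point at the interface being unable to keep up with bursts, which is a separate problem from the HTTP inspection behaviour discussed in the rest of the thread.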
02-26-2010 11:45 AM
Interface errors incrementing should be looked at and resolved.
Pls. remove http inspection. If you have url-server configured on this firewall it will enable it in the background.
You can read about inspect http here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782
Give it a shot once inspection is removed and let us know the result.
-KS
02-26-2010 12:27 PM
One other thing. See if you have TD enabled.
sh run threat
If so pls. disable and run the test.
Run sh run threat, get the lines, get into conf t, and copy and paste the threat lines with a "NO" in front of them.
-KS
02-26-2010 12:34 PM
When I did the sh run threat I get an "invalid input" response.
I disabled inspect http and it seems to have helped.
Still looking at the interface errors.
02-26-2010 12:44 PM
Good. Glad to hear.
-KS
03-01-2010 01:03 AM
Boss, sometimes the invalid dns entry configured in the client's PC may cause.
Identify, if the problem is with one user and all the users.
Try to check the dns server ip address configured.
disabling the http inspection is vulnerable.
regards,
ssoc support
03-01-2010 05:48 AM
So what would be the danger of leaving "inspect http" disabled?
03-01-2010 06:44 AM
Did you read the link that I posted earlier?
You can read about inspect http here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782
That will tell you what inspect http does.
So, you can understand what it is when you don't have it enabled.
-KS
03-01-2010 07:18 AM
Hi Kusankar, I read the link you provided. From what I understand inspect http will be enabled in the background if url-server is configured, even if the inspect http is removed.
We do not filter all of our IP addresses with the "filter url http" command, just our problem areas.
03-01-2010 10:01 AM
Yes, since you mentioned that you have a filter not to do filtering for this website and it still sees latency - meaning you were inspected by the explicit inspection configured under the policy-map and not by the background one that url-server does automatically.
Something in the http inspection and this website doesn't agree with each other. If you would like to get to the bottom of it, pls. open a TAC case and investigate it further as captures, debugs and syslogs will have to be collected and analyzed.
-KS