04-28-2010 11:31 AM - edited 03-11-2019 10:38 AM
I have an ASA5510 pair running 8.2.2 code. The problem I am facing is weird. The inspection rule on this box is at its default. It's giving very high latency to http requests. If the http request is made to the same webserver after VPN in via remote access VPN, things are streaming fast. That indicates that the problem is not on the server but something to do with the firewall.
NAT is one to one using static command.
Inbound http is permitted via ACL
Inspection rules are default global policy.
What could be wrong and where do I start the troubleshooting?
Thanks in advance,
Sam
04-28-2010 01:38 PM
Hi Sam,
Are you using any url filtering server (websense/N2H2)? Send me the following:
sh run filter
sh run pol
sh service-pol
Regards,
Ashu
04-28-2010 02:01 PM
No URL filtering at all. Very basic configuration. Nothing fancy. Below is the output of the commands you asked for.
fw1(config)# sh run filter
fw1(config)# sh run pol
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ip-options
!
fw1(config)# sh service-pol
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns migrated_dns_map_1, packet 534328, drop 0, reset-drop 0
Inspect: ftp, packet 66, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 3, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 33038, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 1864, drop 0, reset-drop 0
Inspect: icmp error, packet 236, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
My NAT and ACL are like below.
static (inside,outside) x.x.x.x 192.168.1.16 netmask 255.255.255.255
access-list outside-in extended permit tcp any object-group web-servers object-group web-services
04-28-2010 02:11 PM
Hi,
So the server is hosted on the inside which we access from outside and there we face latency, right? Well, this part of the config seems ok and there is nothing as such which should bring in the latency. Can you get the output of "sh asp drop" and see if we get any packets dropped because they were "out-of-order"?
Regards,
Ashu
04-28-2010 02:14 PM
Yes. Webserver access from outside is the problem. The same web server works fine if the same PC 1st dials in via VPN and then launches the browser to the real address.
Output of the command you requested.
fw1(config)# sh asp drop
Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 15
Invalid UDP Length (invalid-udp-length) 6
No valid adjacency (no-adjacency) 7815
No route to host (no-route) 100161
Flow is denied by configured rule (acl-drop) 4805154
Flow denied due to resource limitation (unable-to-create-flow) 154364
NAT-T keepalive message (natt-keepalive) 20
First TCP packet not SYN (tcp-not-syn) 678617
Bad TCP checksum (bad-tcp-cksum) 4
TCP failed 3 way handshake (tcp-3whs-failed) 29569
TCP RST/FIN out of order (tcp-rstfin-ooo) 24352
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 24
TCP packet SEQ past window (tcp-seq-past-win) 262
TCP invalid ACK (tcp-invalid-ack) 219
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 1
TCP RST/SYN in window (tcp-rst-syn-in-win) 1519
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 6
TCP packet failed PAWS test (tcp-paws-fail) 41406
Early security checks failed (security-failed) 2065
Slowpath security checks failed (sp-security-failed) 14160097
IP option drop (invalid-ip-option) 1076
Interface is down (interface-down) 171
Dropped pending packets in a closed socket (np-socket-closed) 25883
SVC Module does not have a session (mp-svc-no-session) 11
Last clearing: Never
Flow drop:
NAT failed (nat-failed) 724
Inspection failure (inspect-fail) 60
SSL handshake failed (ssl-handshake-failed) 237
SSL received close alert (ssl-received-close-alert) 207
SVC replacement connection established (svc-replacement-conn) 60
Last clearing: Never
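An added example for this thread (not Cisco's code and not the poster's): a small Python parser for the `sh asp drop` output pasted above. Because both sections end with "Last clearing: Never", the counters are lifetime totals, so the big numbers (sp-security-failed, acl-drop) say little about the http latency being seen right now. The useful check is the delta between two snapshots taken around a slow request, which the constructed second snapshot below demonstrates; SNAPSHOT_1 is a trimmed copy of the output in the thread, and the "out-of-order" grouping is this example's own heuristic over the reason codes.

```python
"""Parse Cisco ASA 'show asp drop' output and diff two snapshots.

Added example for this thread; not Cisco's code and not the poster's.
SNAPSHOT_1 is a trimmed copy of the 'sh asp drop' output pasted above;
SNAPSHOT_2 is constructed to show a delta. The '<Section> drop:' and
'<description> (<code>) <count>' layout is what ASA 8.2 prints.
"""
import re
from typing import Dict, List, Tuple

Counters = Dict[str, Dict[str, int]]  # section -> reason-code -> count

SECTION_RE = re.compile(r"^(?P<section>Frame|Flow) drop:\s*$")
# One counter line: "<description> (<reason-code>) <count>"
COUNTER_RE = re.compile(r"^(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")

SNAPSHOT_1 = """\
fw1(config)# sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                   15
  No route to host (no-route)                               100161
  Flow is denied by configured rule (acl-drop)             4805154
  First TCP packet not SYN (tcp-not-syn)                    678617
  TCP failed 3 way handshake (tcp-3whs-failed)               29569
  TCP RST/FIN out of order (tcp-rstfin-ooo)                  24352
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)         1
  TCP packet failed PAWS test (tcp-paws-fail)                41406
  Slowpath security checks failed (sp-security-failed)    14160097
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                      724
  Inspection failure (inspect-fail)                             60
Last clearing: Never
"""

# Constructed second snapshot, as if taken a minute later during slow requests.
SNAPSHOT_2 = """\
fw1(config)# sh asp drop
Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                   15
  No route to host (no-route)                               100161
  Flow is denied by configured rule (acl-drop)             4805204
  First TCP packet not SYN (tcp-not-syn)                    678617
  TCP failed 3 way handshake (tcp-3whs-failed)               29569
  TCP RST/FIN out of order (tcp-rstfin-ooo)                  24652
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)         1
  TCP packet failed PAWS test (tcp-paws-fail)                42606
  Slowpath security checks failed (sp-security-failed)    14160997
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                      724
  Inspection failure (inspect-fail)                             60
Last clearing: Never
"""


def parse_asp_drop(text: str) -> Counters:
    """Return {'frame': {code: count}, 'flow': {code: count}} from CLI output."""
    counters: Counters = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section").lower()
            counters.setdefault(section, {})
            continue
        entry = COUNTER_RE.match(line)
        if entry and section is not None:
            counters[section][entry.group("code")] = int(entry.group("count"))
    return counters


def delta(before: Counters, after: Counters) -> Counters:
    """Only the counters that grew between two snapshots ('Last clearing:
    Never' means the raw totals include years of unrelated history)."""
    grown: Counters = {}
    for section, codes in after.items():
        base = before.get(section, {})
        grown[section] = {
            code: count - base.get(code, 0)
            for code, count in codes.items()
            if count - base.get(code, 0) > 0
        }
    return grown


def top_reasons(counters: Counters, n: int = 5) -> List[Tuple[str, str, int]]:
    """Largest drop reasons across all sections, as (section, code, count)."""
    flat = [(s, c, v) for s, codes in counters.items() for c, v in codes.items()]
    return sorted(flat, key=lambda t: (-t[2], t[1]))[:n]


def out_of_order_drops(counters: Counters) -> int:
    """Frame drops tied to TCP out-of-order handling (the check asked for in
    the thread). Selecting the '-ooo' codes plus the out-of-order-queue
    duplicate code is this example's own heuristic."""
    frame = counters.get("frame", {})
    return sum(v for c, v in frame.items() if "ooo" in c or c == "tcp-dup-in-queue")


if __name__ == "__main__":
    before, after = parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)
    print("lifetime top reasons:", top_reasons(before, 3))
    print("grew between snapshots:", top_reasons(delta(before, after), 3))
    print("out-of-order drops in the interval:", out_of_order_drops(delta(before, after)))
```

Run it against two real captures taken before and after reproducing a slow page load; the lifetime ranking is dominated by sp-security-failed, while the delta ranking shows which reasons actually moved during the test, which is what narrows the fault to one check in the TCP normalizer rather than to the whole firewall.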