ASA5510 - Poor http performance

smunzani
Level 1

I have an ASA5510 pair running 8.2.2 code. The problem I am facing is weird. The inspection rule on this box is at its default. It's giving very high latency to http requests. If the http request is made to the same webserver after VPN in via remote access VPN, things are streaming fast. That indicates that the problem is not on the server but something to do with the firewall.

NAT is one to one using static command.

Inbound http is permitted via ACL

Inspection rules are default global policy.

What could be wrong and where do I start the troubleshooting?

Thanks in advance,

Sam

4 Replies

astripat
Level 1

Hi Sam,

Are you using any url filtering server (websense/N2H2)? Send me the following:

sh run filter

sh run pol

sh service-pol

Regards,

Ashu

No URL filtering at all. Very basic configuration. Nothing fancy. Below is the output of the commands you asked for.

fw1(config)# sh run filter
fw1(config)# sh run pol
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ip-options
!
fw1(config)# sh service-pol

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 534328, drop 0, reset-drop 0
      Inspect: ftp, packet 66, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 3, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 33038, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 1864, drop 0, reset-drop 0
      Inspect: icmp error, packet 236, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0

My NAT and ACL are like below.

static (inside,outside) x.x.x.x 192.168.1.16 netmask 255.255.255.255

access-list outside-in extended permit tcp any object-group web-servers object-group web-services

Hi,

So the server is hosted on the inside which we access from outside and there we face latency, right? Well, this part of the config seems ok and there is nothing as such which should bring in the latency. Can you get the output of "sh asp drop" and see if we get any packets dropped because they were "out-of-order"?

Regards,

Ashu

Yes. Webserver access from outside is the problem. Same web server works fine if same PC 1st dials in via VPN and then launches the browser to the real address.

Output of the command you requested.

fw1(config)# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                 15
  Invalid UDP Length (invalid-udp-length)                                      6
  No valid adjacency (no-adjacency)                                         7815
  No route to host (no-route)                                             100161
  Flow is denied by configured rule (acl-drop)                           4805154
  Flow denied due to resource limitation (unable-to-create-flow)          154364
  NAT-T keepalive message (natt-keepalive)                                    20
  First TCP packet not SYN (tcp-not-syn)                                  678617
  Bad TCP checksum (bad-tcp-cksum)                                             4
  TCP failed 3 way handshake (tcp-3whs-failed)                             29569
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                24352
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            24
  TCP packet SEQ past window (tcp-seq-past-win)                              262
  TCP invalid ACK (tcp-invalid-ack)                                          219
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                       1
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                1519
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                   6
  TCP packet failed PAWS test (tcp-paws-fail)                              41406
  Early security checks failed (security-failed)                            2065
  Slowpath security checks failed (sp-security-failed)                  14160097
  IP option drop (invalid-ip-option)                                        1076
  Interface is down (interface-down)                                         171
  Dropped pending packets in a closed socket (np-socket-closed)            25883
  SVC Module does not have a session (mp-svc-no-session)                      11

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    724
  Inspection failure (inspect-fail)                                           60
  SSL handshake failed (ssl-handshake-failed)                                237
  SSL received close alert (ssl-received-close-alert)                        207
  SVC replacement connection established (svc-replacement-conn)               60

Last clearing: Never
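Reading a long "show asp drop" listing by eye is error-prone, so below is an added example (not part of this thread and not Cisco code) that parses the 8.2-era output format pasted above, ranks the drop reasons by count, totals them per section, and pulls out the counters Ashu asked about, i.e. the ones whose reason code or description refers to out-of-order handling. The sample text embedded in the script is a subset of the lines from the post above; everything else (function names, the regular expression, the `DropCounter` type) is this example's own assumption about the format.

```python
"""Parse Cisco ASA 'show asp drop' output and summarise it.

Assumed format (as seen in the thread): a 'Frame drop:' and a 'Flow drop:'
section, each line shaped like
    <description> (<reason-code>)<spaces><count>
"""
import re
from dataclasses import dataclass

# Subset of the output posted in the thread, used as sample input.
SAMPLE = """\
fw1(config)# sh asp drop

Frame drop:
  No route to host (no-route)                                             100161
  Flow is denied by configured rule (acl-drop)                           4805154
  First TCP packet not SYN (tcp-not-syn)                                  678617
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                24352
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                       1
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)                   6
  TCP packet failed PAWS test (tcp-paws-fail)                              41406
  Slowpath security checks failed (sp-security-failed)                  14160097

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                    724
  Inspection failure (inspect-fail)                                           60
"""

# One counter line: indented description, reason code in parentheses, count.
LINE_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<code>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")


@dataclass(frozen=True)
class DropCounter:
    section: str      # "Frame drop" or "Flow drop"
    code: str         # reason code, e.g. tcp-not-syn
    description: str  # human-readable text before the code
    count: int


def parse_asp_drop(text: str) -> list[DropCounter]:
    """Return every counter line, in order, tagged with its section."""
    section = None
    counters = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("drop:"):          # "Frame drop:" / "Flow drop:"
            section = stripped[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:
            counters.append(DropCounter(section, m["code"], m["desc"], int(m["count"])))
    return counters


def top_drops(counters: list[DropCounter], n: int = 5) -> list[DropCounter]:
    """Largest counters first; the usual starting point for troubleshooting."""
    return sorted(counters, key=lambda c: c.count, reverse=True)[:n]


def section_totals(counters: list[DropCounter]) -> dict[str, int]:
    """Sum of counts per section, so frame and flow drops can be compared."""
    totals: dict[str, int] = {}
    for c in counters:
        totals[c.section] = totals.get(c.section, 0) + c.count
    return totals


def out_of_order_related(counters: list[DropCounter]) -> list[DropCounter]:
    """Counters whose code or description mentions out-of-order handling."""
    def is_ooo(c: DropCounter) -> bool:
        desc = c.description.lower()
        return "ooo" in c.code or "out-of-order" in desc or "out of order" in desc
    return [c for c in counters if is_ooo(c)]


if __name__ == "__main__":
    counters = parse_asp_drop(SAMPLE)
    print("Totals per section:", section_totals(counters))
    print("Top drop reasons:")
    for c in top_drops(counters, 3):
        print(f"  {c.code:<22} {c.count:>10}")
    print("Out-of-order related counters:")
    for c in out_of_order_related(counters):
        print(f"  {c.code:<22} {c.count:>10}")
```

Because the ASA counters are cumulative since the last clearing ("Last clearing: Never" above), a single snapshot only shows which reasons dominate historically; diffing two parsed snapshots taken a minute apart, while reproducing the slow HTTP request, tells you which counters are actually moving during the problem.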
