Very slow internet behind ASA5505

sonitadmin
Level 1

Recently installed an ASA5505 for a client.  They have Verizon DSL (7mb down, 384 up package).  So my config is Verizon (Westell) DSL modem connected to e0/0 (VLAN2) of ASA.  From there I have e0/1 (VLAN1) connected to a 3COM 2250 Plus 50 port switch.

Since installing the ASA the client has been complaining of a major slow down in Internet speed.  Contacted ISP and they had me remove the firewall from the equation and hook the modem directly to a laptop.  With this setup I get between 6-7mb download speeds.  When I put the ASA back into the mix though, the speed drops significantly.  The speed will vary but 90% of the time they do not even get 1mb download speeds.

The configuration is pretty straightforward, not doing a whole lot with the box other than using it for VPN (IPSEC).

I'd really like some suggestions or ideas on what could be causing this or even where to start looking as I am not sure.

Thanks!

22 Replies

Kimberly Adams
Level 3

My biggest issue with an ISP that has you remove all of the network and connect 1 PC directly to the cable/DSL modem is that it is not a realistic test of how the Internet service will perform for the client with a network and users behind it.  But I digress and will assist with your question now and not complain about the ISPs/Telcos....most of us have pulled our hair out dealing with them!  LOL

I would connect into the ASA and run a show xlate and a show conn to see what the counts look like.  Also ask questions of the users: is it a specific time of day that it is slow, or all times of the day?  Is their service business dedicated grade or shared access on the ISP segment?  What do the physical interfaces of the ASA look like for speed and duplex settings?

The reason you want to look at the xlate and connection counts is there could be a virus, spyware, malware on the users PCs that could be slowing down the Internet connection.  Really pay attention to the duplex of the inside and outside interfaces of the ASA to make sure they are negotiating to full duplex to allow for good 2-way communication.

This is where I would start troubleshooting a performance issue like this.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
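The xlate/conn check above tells you whether a few inside hosts are responsible for the connection count. As an added example (not from any poster in this thread), the script below parses `show conn` output, attributes each connection to the host on the inside interface, and flags hosts with an unusual number of connections, many distinct destinations on one port (the spam-bot pattern: dozens of TCP/25 targets from a workstation), or many half-open TCP connections. The sample lines are constructed in the ASA 8.x `show conn` layout; the `saA`/`UIO` flag meanings follow the legend `show conn` prints, and the thresholds are arbitrary starting points, not Cisco defaults.

```python
import re
from collections import defaultdict

# Constructed sample of ASA 8.x "show conn" lines (not taken from the thread). Field
# order is <proto> <if_a> <addr_a:port> <if_b> <addr_b:port>, idle <h:m:s>, bytes <n>,
# flags <f>; older releases print the same fields without commas, so both are accepted.
SAMPLE_SHOW_CONN = """\
113 in use, 244 most used
TCP outside 203.0.113.10:80 inside 192.168.1.20:49152, idle 0:00:03, bytes 18234, flags UIO
TCP outside 203.0.113.11:443 inside 192.168.1.20:49153, idle 0:00:10, bytes 4021, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.20:51000, idle 0:00:01, bytes 312, flags -
TCP outside 198.51.100.25:25 inside 192.168.1.77:1034, idle 0:00:02, bytes 512, flags UIO
TCP outside 198.51.100.26:25 inside 192.168.1.77:1035, idle 0:00:01, bytes 0, flags saA
TCP outside 198.51.100.27:25 inside 192.168.1.77:1036, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.28:25 inside 192.168.1.77:1037, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.29:25 inside 192.168.1.77:1038, idle 0:00:01, bytes 0, flags saA
TCP outside 198.51.100.30:25 inside 192.168.1.77:1039 idle 0:00:01 bytes 0 flags saA
"""

_CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<if_a>\S+)\s+(?P<a>\d+\.\d+\.\d+\.\d+):(?P<ap>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<b>\d+\.\d+\.\d+\.\d+):(?P<bp>\d+),?\s+idle\s+(?P<idle>\S+?),?\s+"
    r"bytes\s+(?P<bytes>\d+),?\s+flags\s+(?P<flags>\S+)"
)


def parse_show_conn(text, inside_if="inside"):
    """Return one dict per connection, normalised so 'src' is the host on inside_if."""
    conns = []
    for line in text.splitlines():
        m = _CONN_RE.match(line.strip())
        if not m:
            continue  # header/footer lines such as "113 in use, 244 most used"
        f = m.groupdict()
        if f["if_a"] == inside_if:
            src, dst, dport = f["a"], f["b"], int(f["bp"])
        elif f["if_b"] == inside_if:
            src, dst, dport = f["b"], f["a"], int(f["ap"])
        else:
            continue  # connection does not touch the inside interface (e.g. VPN to DMZ)
        conns.append({"proto": f["proto"], "src": src, "dst": dst, "dport": dport,
                      "bytes": int(f["bytes"]), "flags": f["flags"]})
    return conns


def summarize(conns):
    """Per inside host: connection count, bytes, distinct destinations per (proto, port),
    and TCP connections that never reached the established (U = up) state."""
    hosts = defaultdict(lambda: {"conns": 0, "bytes": 0,
                                 "dests": defaultdict(set), "embryonic": 0})
    for c in conns:
        h = hosts[c["src"]]
        h["conns"] += 1
        h["bytes"] += c["bytes"]
        h["dests"][(c["proto"], c["dport"])].add(c["dst"])
        # "U" in the flags means the TCP handshake completed; "saA" is an outbound SYN
        # still waiting for the SYN-ACK. A pile of those is a scanner or a bot.
        if c["proto"] == "TCP" and "U" not in c["flags"]:
            h["embryonic"] += 1
    return hosts


def find_suspects(hosts, max_conns=50, fanout=5):
    """Return (host, reason) pairs worth visiting with a malware scanner.
    Thresholds are this example's assumptions; tune them to the site."""
    findings = []
    for host, h in hosts.items():
        if h["conns"] > max_conns:
            findings.append((host, f"{h['conns']} connections"))
        for (proto, port), dsts in h["dests"].items():
            if len(dsts) >= fanout:
                findings.append((host, f"{len(dsts)} distinct {proto}/{port} destinations"))
        if h["embryonic"] >= fanout:
            findings.append((host, f"{h['embryonic']} half-open TCP connections"))
    return findings


if __name__ == "__main__":
    for host, reason in find_suspects(summarize(parse_show_conn(SAMPLE_SHOW_CONN))):
        print(f"{host}: {reason}")
```

Run it against a pasted `show conn` dump; a host that shows up for TCP/25 fan-out on a network where only the mail server should talk SMTP outbound is the first place to look, regardless of what the antivirus dashboard says.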

Kimberly,

Thanks for taking the time to reply.

I ran the show xlate and it came back showing 94 in use, 444 most used.

I also ran the show conn and it came back with 113 in use, 244 most used.

Users have not really mentioned any time of day where they see a bigger problem.  I am on-site right now and an initial speed test first thing this morning shows 1.5mb down and 768 up.  Again, this should be a 7mb download package.  I was told by Verizon that this is business grade, but I'm not 100% sure of that.

As for the physical interfaces, I ran sh int commands for both of them and pasted below, both are set to auto for both duplex and speed.

clientasa# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6d, MTU not set
        IP address unassigned
        6181420 packets input, 3153357569 bytes, 0 no buffer
        Received 16232 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        9 switch ingress policy drops
        5503232 packets output, 2303937276 bytes, 0 underruns
        72 output errors, 57 collisions, 0 interface resets
        0 babbles, 0 late collisions, 152 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

clientasa# sh int e0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6e, MTU not set
        IP address unassigned
        6673355 packets input, 2393629616 bytes, 0 no buffer
        Received 770925 broadcasts, 0 runts, 0 giants
        9 input errors, 9 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1349 switch ingress policy drops
        6174969 packets output, 3145279599 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

I did notice on e0/1 there are some input and CRC errors, but I wasn't sure what those were exactly.  Any ideas?

The clients all have Trend Micro antivirus/antispyware running on them.  They have real time scanning enabled and there is a full system scan run once a week.  The Trend dashboard shows no signs of a virus on the network.  Not to say that there isn't something because I know Trend doesn't catch everything but I'm not sure this is the problem.

Any help you can give me on this would be appreciated.

Thanks!
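The interface counters posted above are the raw material for the speed/duplex check suggested earlier. As an added example (not from any poster in this thread), the script below parses ASA `show interface` blocks and applies the usual rules of thumb: collisions and deferred transmissions only occur when a port is running half duplex, so seeing them on a port that currently reports full duplex means the link was not full duplex for at least part of the time since the counters were cleared; CRC, frame and runt errors point at cabling, a bad port, or a peer running the other duplex setting. The sample input is the two outputs from this thread, trimmed to the lines the parser reads; the error-rate threshold is this example's assumption.

```python
import re

# Sample input: trimmed copies of the two "show interface" outputs posted in the thread.
SHOW_INT_E0_0 = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        6181420 packets input, 3153357569 bytes, 0 no buffer
        Received 16232 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        5503232 packets output, 2303937276 bytes, 0 underruns
        72 output errors, 57 collisions, 0 interface resets
        0 babbles, 0 late collisions, 152 deferred
"""

SHOW_INT_E0_1 = """\
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        6673355 packets input, 2393629616 bytes, 0 no buffer
        Received 770925 broadcasts, 0 runts, 0 giants
        9 input errors, 9 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        6174969 packets output, 3145279599 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
"""

_IFACE_RE = re.compile(r"^Interface (\S+) .*is (\w+), line protocol is (\w+)", re.M)
_DUPLEX_RE = re.compile(r"(Auto|Full|Half)-Duplex\((\w+)-duplex\)", re.I)
_SPEED_RE = re.compile(r"Speed\((\d+) Mbps\)")
# Every counter in ASA output is "<number> <name>", so one regex per name is enough.
_COUNTER_NAMES = ("packets input", "packets output", "runts", "giants", "input errors",
                  "CRC", "frame", "output errors", "collisions", "late collisions", "deferred")


def parse_show_interface(text):
    """Return the fields this check needs from one 'show interface' block."""
    m = _IFACE_RE.search(text)
    if not m:
        raise ValueError("not an ASA 'show interface' block")
    stats = {"name": m.group(1), "status": m.group(2), "protocol": m.group(3)}
    d = _DUPLEX_RE.search(text)
    stats["duplex_mode"] = d.group(1).capitalize() if d else "unknown"  # configured: Auto/Full/Half
    stats["duplex"] = d.group(2).capitalize() if d else "unknown"       # negotiated result
    s = _SPEED_RE.search(text)
    stats["speed_mbps"] = int(s.group(1)) if s else 0
    for name in _COUNTER_NAMES:
        c = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        stats[name] = int(c.group(1)) if c else 0
    return stats


def diagnose(stats, max_error_rate=1e-5):
    """Heuristic findings for one interface; returns a list of short strings."""
    findings = []
    if stats["status"] != "up" or stats["protocol"] != "up":
        findings.append("link is not up/up")
    # CSMA/CD only runs in half duplex, so these counters cannot increment on a port
    # that was full duplex the whole time: classic auto-negotiation mismatch symptom.
    if stats["duplex"] == "Full" and (stats["collisions"] or stats["deferred"]):
        findings.append("collisions/deferred on a full-duplex port: suspect duplex mismatch")
    if stats["late collisions"]:
        findings.append("late collisions: duplex mismatch or cable too long")
    # Corrupted frames arrive from the cable or from a half-duplex peer talking over us.
    if stats["CRC"] or stats["frame"] or stats["runts"]:
        findings.append("CRC/frame/runt errors: check cable, port, and peer duplex setting")
    # On a link that has been up for days the rate matters more than the absolute count.
    rx = stats["packets input"]
    if rx and stats["input errors"] / rx > max_error_rate:
        findings.append(f"input error rate above {max_error_rate:g}")
    return findings


def report(blocks):
    """Run the checks over several 'show interface' blocks; returns {name: findings}."""
    return {s["name"]: diagnose(s) for s in map(parse_show_interface, blocks)}


if __name__ == "__main__":
    for name, findings in report([SHOW_INT_E0_0, SHOW_INT_E0_1]).items():
        print(name, "->", findings or ["no error counters of note"])
```

Because the counters accumulate since the last `clear interface` (or boot), the useful workflow is to clear them, run a speed test, and parse the output again: errors that reappear within minutes are live, errors that do not were historical.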

If you are using PPPoE for the upstream ISP, check your MTU. You may need to lower the outside interface MTU to 1492 or lower depending upon your setup.

I have also come across a similar issue on the 5505 with certain versions of ASA software not handling PMTUD / fragmentation correctly which was fixed by a version upgrade.
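Where the 1492 figure comes from, and what it becomes once the IPsec tunnels this ASA also terminates are added: as an added example (not from any poster in this thread), the calculator below works out the largest packet that crosses a PPPoE link and an ESP tunnel-mode SA without fragmentation, and the TCP MSS to clamp so that PMTUD never has to do its job. The ESP overhead figures (AES-CBC with a 16-byte IV and block size, 12-byte HMAC-SHA1-96 ICV, tunnel mode) are this example's assumptions; other transforms change them. On the ASA the corresponding knobs are `mtu outside 1492` and `sysopt connection tcpmss`, whose default of 1380 already sits below every value computed here.

```python
# Added example: packet and segment sizes that avoid fragmentation when the ASA's
# outside interface sits behind PPPoE and/or carries IPsec ESP tunnel-mode traffic.
# Overhead figures are assumptions for one common transform set (see comments).

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20
TCP_HEADER = 20         # no options


def link_mtu(pppoe):
    """Largest IP packet the ISP-facing link carries (1492 with PPPoE, else 1500)."""
    return ETHERNET_MTU - (PPPOE_OVERHEAD if pppoe else 0)


def esp_tunnel_size(inner_len, iv=16, block=16, icv=12):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner IP packet of
    inner_len bytes. Assumes AES-CBC (16-byte IV, 16-byte block) and a 12-byte ICV."""
    # ESP pads so that payload + padding + the 2-byte trailer (pad length, next header)
    # fills whole cipher blocks.
    pad = (-(inner_len + 2)) % block
    # outer IPv4 header, SPI + sequence number, IV, inner packet, padding, trailer, ICV
    return IPV4_HEADER + 8 + iv + inner_len + pad + 2 + icv


def max_inner_packet(mtu, **esp):
    """Largest inner IP packet whose ESP encapsulation still fits in mtu bytes."""
    n = mtu
    while esp_tunnel_size(n, **esp) > mtu:
        n -= 1
    return n


def recommended_mss(pppoe=False, ipsec=False):
    """TCP MSS to clamp so that no segment on this path needs fragmentation."""
    mtu = link_mtu(pppoe)
    if ipsec:
        mtu = max_inner_packet(mtu)   # the inner packet is what the host's TCP sees
    return mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for pppoe in (False, True):
        for ipsec in (False, True):
            print(f"pppoe={pppoe!s:5} ipsec={ipsec!s:5} -> "
                  f"link MTU {link_mtu(pppoe)}, MSS {recommended_mss(pppoe, ipsec)}")
```

The ESP padding is why the answer is not simply "MTU minus a constant": a one-byte larger inner packet can cost a whole extra cipher block, which is the kind of edge that makes a broken PMTUD implementation show up as intermittent stalls rather than a clean failure.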

Hi,

I have the very same problem today on a 5505 also.

When connected directly to the modem, I get 7.x Mbps.

I'm lucky if I get 0.8Mbps when through the firewall.

I'm using Cisco OS v8.2.2.

I have other circuits with other customers using the same firewall and same config and they get between 7 and 15 Mbps.

Any ideas or thoughts a great help.

Thanks.

S.

Hi,

I have same problem with Cisco ASA 5510 and version is 8.2(1)11.

I have a 20 Mb internet link. When I connect a laptop directly I get 20 Mb upload and download speed, but through the ASA I get 19 Mb download and 2-3 Mb upload speed.

Can someone help for this issue ?

Thanks

Umang

Unfortunately I'm not using PPPoE, just a block of static IPs with one assigned to the outside interface and the rest all using NAT for SMTP, RDP and HTTPS to other machines.


Thanks!

Some of the CRC errors you are seeing could have to do with auto-negotiation of speed and duplex with your ISP edge device.  You may want to clear the counters on your ASA and monitor the errors, but you can also adjust the MTU on the ASA.

Are you blocking any streaming sites for users, like Internet radio and such?  The user community could be sucking up a good deal of bandwidth by having Internet radio and streaming sites running all day long.

These are just some things to think about with performance issues.

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

Can you post your config? Take out your public addressing and such....

HTH,

John

HTH, John *** Please rate all useful posts ***

Sorry for no response in a while, got really busy last week.  I've attached the ASA config.  Look it over and let me know if there is something glaringly wrong that could be causing this issue.  I don't see anything, but another set of eyes always helps.

Thanks!

Hi,

I'm fairly certain that my problem is due to a dodgy ASA.

I have swapped out the ASA, using the same config, and the client now gets 7.x Mbps instead of 0.5Mbps.

There were a lot of CRC errors on the outside interface.

I'm doing a full reset on the faulty device now offsite to see if the errors persist.

Regards,

S.

Any chance that a software update could resolve this?  The ASA is currently running 7.2.4.  Just wondering if that is something I should look at.

7.2(4) is old and you might want to look at the 8.x train.

I will upgrade the ASA either to 8.0(5) or 8.2(2)

An upgrade to 8.3(1) will require additional memory.

Take a look at the release notes:

http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html

Federico.

Stephen,

CRC errors and the like are usually due to a mismatch in speed/duplex. Can you check to see what the upstream device's link settings are? You want to ensure that they are either *both* hardcoded for 100MB/FULL or *both* set for AUTO/AUTO.

- Magnus

Just connected to the Verizon DSL modem (Westell 6100) but I don't find anything on the modem about changing the speed/duplex.
