Internet Crawls When Using Cisco ASA 5505

Answered Question
May 18th, 2010


I have a very similar problem to someone else on here, which also isn't resolved.

My customer's Internet crawls with a DL speed of around 0.6Mbps.

If I bypass the firewall and connect a laptop to the public interface on the DSL router, I get around 7.6Mbps.

This is the same whether there are other clients connected or not, so it's certainly not an infected PC or a user running BitTorrent.

I have the same ASA config and the same DSL router running on other sites with no problems.

Any diag help very welcome.

The MTU inside and outside is set to 1500, much like the others that work OK.



Correct Answer by Kureli Sankar about 5 years 9 months ago

Agree with tmcarter. Yes CRC errors need to be eliminated first.

You can refer to this list and run through the checklist:


Federico Coto F... Tue, 05/18/2010 - 14:38


The ASA is not reporting any performance issues? CPU or memory?

How many users behind the ASA?


stephenwilletts Tue, 05/18/2010 - 14:45


No performance issues.

Only around 15 users but I have also tested on Sunday around 3am when I know nobody is around and still very slow.



Federico Coto F... Tue, 05/18/2010 - 14:50


You said that you have other ASAs on other sites with the same exact configuration?

I just want to make sure that you're not doing HTTP inspection or you have any modification to the inspection/logging policies that can be delaying the traffic.

Do you have pretty much the basic configuration, or is something else going on?

Question: if you reboot the ASA, are you impacted by the performance problem as soon as it starts, or does this happen after a while?


stephenwilletts Tue, 05/18/2010 - 15:03


I don't believe that I have http inspection or logging but not sure how to tell.

Would it be something like "inspect http" ?

If so, then certainly no.

I have checked the config line by line with others and all seems the same.

The OS versions and ASDM are the same.

Memory the same and flash.

MTU sizes the same.

This particular firewall won't test over 1Mbps.

Driving me crazy.

Thanks for trying to help.


Federico Coto F... Tue, 05/18/2010 - 15:05

Would you be able to post the configuration?

You can remove sensitive information such as public IP addresses and users.


stephenwilletts Tue, 05/18/2010 - 15:16


Please find below the config with details removed.


hostname asa
domain-name xxxx.local
enable password xxxx
passwd xxxx
name xxx-LAN
name xxx-VPN
name xxxx

interface Vlan1
 nameif inside
 security-level 100
 ip address INSIDE-IP

interface Vlan2
 nameif outside
 security-level 0
 ip address OUTSIDE-IP

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7

boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name xxxx.local
access-list nonat extended permit ip xxx-LAN xxx-VPN
access-list outside extended permit tcp any host SMTPFEED eq smtp
access-list outside extended permit tcp any host SMTPFEED eq https
access-list outside extended permit tcp any host SMTPFEED eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool xxx-VPN-POOL mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 xxx-LAN
static (inside,outside) tcp SMTPFEED smtp MAILSERVER smtp netmask
static (inside,outside) tcp SMTPFEED https MAILSERVER https netmask
static (inside,outside) tcp SMTPFEED www MAILSERVER www netmask
access-group outside in interface outside
route outside ROUTER 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host SERVER
 key *****
http server enable
http xxxx outside
http xxx-LAN inside
http xxx-VPN inside
http xxx-VPN outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Strong esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Remote 10 set transform-set Strong
crypto dynamic-map Remote 10 set security-association lifetime seconds 28800
crypto dynamic-map Remote 10 set security-association lifetime kilobytes 4608000
crypto map VPN-Map 100 ipsec-isakmp dynamic Remote
crypto map VPN-Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh xxx-LAN inside
ssh xxx-VPN inside
ssh xxxx outside
ssh xxx-VPN outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy Remote-VPN internal
group-policy Remote-VPN attributes
 wins-server value
 dns-server value
 default-domain value xxxx.local
 split-dns value xxxx.local
username xyz password xxxx
tunnel-group remoteusers type remote-access
tunnel-group remoteusers general-attributes
 address-pool (outside) xxx-VPN-POOL
 authentication-server-group (outside) vpn
 default-group-policy Remote-VPN
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *****

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
prompt hostname context

profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
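Checking a config like the one above by hand for the things asked earlier in the thread (is `inspect http` applied anywhere, what MTU is set per interface, and which physical ports are still left on auto-negotiation) is error-prone at 300 lines. The script below is an added example, not code from the thread or from Cisco: it parses an ASA 8.2-style running-config into top-level commands and their indented sub-lines and answers those three questions. `SAMPLE_CONFIG` is a constructed, cut-down copy of the redacted config posted above, with one extra `Ethernet0/1` stanza pinned to 100/full for contrast; the 'Ethernet' prefix test and the stanza indentation rule are assumptions about the config format, not Cisco parsing logic.

```python
"""Static checks over an ASA 8.2-style running-config (added example)."""
import re

# Constructed sample mirroring the posted config, trimmed to what the
# checks below look at. Ethernet0/1 is invented to show a pinned port.
SAMPLE_CONFIG = """\
hostname asa
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 speed 100
 duplex full
mtu inside 1500
mtu outside 1500
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ip-options
service-policy global_policy global
"""


def parse_stanzas(config_text):
    """Split a config into (top-level command, [indented sub-lines]) pairs.

    Assumption: a line that starts with whitespace belongs to the most
    recent unindented command, which is how ASA prints its own config.
    """
    stanzas = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def global_service_policies(stanzas):
    """Names of policy-maps applied with 'service-policy <name> global'."""
    names = []
    for cmd, _ in stanzas:
        m = re.fullmatch(r"service-policy (\S+) global", cmd)
        if m:
            names.append(m.group(1))
    return names


def active_inspections(config_text):
    """Protocols inspected by every globally applied policy-map."""
    stanzas = parse_stanzas(config_text)
    wanted = set(global_service_policies(stanzas))
    found = set()
    for cmd, body in stanzas:
        m = re.fullmatch(r"policy-map (\S+)", cmd)   # skips 'policy-map type inspect ...'
        if m and m.group(1) in wanted:
            for line in body:
                im = re.match(r"inspect (\S+)", line)
                if im:
                    found.add(im.group(1))
    return found


def http_inspection_enabled(config_text):
    """True only if 'inspect http' sits in a globally applied policy."""
    return "http" in active_inspections(config_text)


def interface_mtus(config_text):
    """Map nameif -> MTU from the 'mtu <if> <bytes>' lines."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^mtu (\S+) (\d+)$", config_text, re.M)}


def autonegotiating_ports(config_text):
    """Physical ports whose stanza sets neither 'speed' nor 'duplex'."""
    ports = []
    for cmd, body in parse_stanzas(config_text):
        if cmd.startswith("interface Ethernet"):
            pinned = any(l.startswith(("speed ", "duplex ")) for l in body)
            if not pinned:
                ports.append(cmd.split()[1])
    return ports


if __name__ == "__main__":
    print("inspections:", sorted(active_inspections(SAMPLE_CONFIG)))
    print("http inspection:", http_inspection_enabled(SAMPLE_CONFIG))
    print("mtu:", interface_mtus(SAMPLE_CONFIG))
    print("auto-negotiating:", autonegotiating_ports(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents. On the posted config it reports no HTTP inspection, 1500 on both `inside` and `outside`, and `Ethernet0/0` (the port facing the DSL router) with no fixed speed or duplex.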

Federico Coto F... Tue, 05/18/2010 - 15:29

I was going to suggest lowering the inactive timeouts for the translations and connections and removing all the unneeded configuration,
just to check if it makes any difference...
However, if you say that the problem exists even when there are no users behind the ASA sending traffic, I think you had better open a TAC case.
And if you can keep us posted, I'll appreciate it ;-)

I have experienced slowness through ASAs, but normally it has something to do with the configuration and the amount of traffic (I don't see this being the case here).


stephenwilletts Tue, 05/18/2010 - 15:36

Hi Federico,

I figured opening a case may be best.

I just ran a "Sh int e/01" command and noticed a lot of CRC errors, see below.


Result of the command: "sh int e0/0"

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0026.cbf7.94d2, MTU not set
IP address unassigned
405856 packets input, 413509356 bytes, 0 no buffer
Received 2654 broadcasts, 0 runts, 0 giants
65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2169 switch ingress policy drops
372629 packets output, 69243926 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops

Federico Coto F... Tue, 05/18/2010 - 15:46


You have E0/0 connected to the DSL router directly with a straight-through cable?

I bet you're not getting those CRC errors on the other locations?


stephenwilletts Tue, 05/18/2010 - 15:54

Straight through cable I believe but may need to check tomorrow.

The other interface only has one or two CRC errors.

I may swap the cable that links the ASA to the DSL modem.



This problem is most likely attributed to a Speed / Duplex Mismatch. On your ASA set the speed to fixed 100 and duplex to full; or whatever your connecting switch will TX/RX at with a fixed setting.

Do this for both the outside and inside interfaces, most importantly, the inside interfaces that connect to another switch.

For whatever reason, some Cisco devices don't do well with "Auto" negotiate on the interfaces, so it is my experience to hard code them.

Ty Carter, President

Strategic Network Consultants, Inc.

524 East 9th Street

Washington, NC  27889
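The `sh int e0/0` output posted earlier and the speed/duplex advice just above fit together: 65815 input errors on 405856 input packets (about 16%) with 4560 CRC errors on a port that is auto-negotiating is the pattern a mismatch or a bad cable produces, and a firewall retransmitting that much traffic will feel exactly like a 0.6 Mbps line. The script below is an added example, not code from the thread or from Cisco: it parses an ASA `show interface` counter block and applies that heuristic. The sample text is the output posted in this thread, embedded here as input; the 0.1% error-rate threshold and the wording of the findings are assumptions, not Cisco figures.

```python
"""Interpret an ASA 'show interface' counter block (added example)."""
import re

# The 'sh int e0/0' output posted in the thread, embedded as sample input.
SAMPLE_SHOW_INT = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0026.cbf7.94d2, MTU not set
IP address unassigned
405856 packets input, 413509356 bytes, 0 no buffer
Received 2654 broadcasts, 0 runts, 0 giants
65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2169 switch ingress policy drops
372629 packets output, 69243926 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
"""

# Counter name -> regex capturing its value in the show interface text.
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions,",        # the plain 'collisions' field only
    "late_collisions": r"(\d+) late collisions",
    "output_errors": r"(\d+) output errors",
}


def parse_show_interface(text):
    """Pull the interface name, negotiation mode and error counters."""
    m = re.search(r"^Interface (\S+)", text, re.M)
    stats = {"name": m.group(1) if m else "?"}
    stats["auto_duplex"] = "Auto-Duplex" in text
    stats["auto_speed"] = "Auto-Speed" in text
    for key, pattern in COUNTERS.items():
        cm = re.search(pattern, text)
        stats[key] = int(cm.group(1)) if cm else 0
    return stats


def input_error_rate(stats):
    """Fraction of received packets the interface counted as errored."""
    total = stats["packets_input"]
    return stats["input_errors"] / total if total else 0.0


def diagnose(stats, max_error_rate=0.001):
    """Return a list of findings; empty means the counters look clean.

    max_error_rate (0.1%) is an assumed threshold for a healthy link.
    """
    findings = []
    rate = input_error_rate(stats)
    if rate > max_error_rate:
        findings.append(
            f"{stats['name']}: {stats['input_errors']} input errors on "
            f"{stats['packets_input']} packets ({rate:.1%}), above {max_error_rate:.1%}")
    if stats["crc"] and (stats["auto_duplex"] or stats["auto_speed"]):
        findings.append(
            f"{stats['name']}: {stats['crc']} CRC errors while auto-negotiating; "
            "suspect speed/duplex mismatch or cabling: pin speed/duplex on both "
            "ends, swap the cable, clear counters and re-test")
    if stats["late_collisions"]:
        findings.append(
            f"{stats['name']}: {stats['late_collisions']} late collisions; "
            "one side is half duplex while the other is full")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_show_interface(SAMPLE_SHOW_INT)):
        print(finding)
```

After pinning speed and duplex (and swapping the cable), clear the counters and re-run the check: the diagnosis is only meaningful if the error counters are still climbing on the new settings, not just carried over from before the change.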

