Internet Crawls When Using Cisco ASA 5505

stephenwilletts
Level 1

Hi,

Have a very similar problem to someone else on here, which also isn't resolved.

My customer's Internet crawls with a DL speed of around 0.6Mbps.

If I bypass the firewall and connect a laptop to the public interface on the DSL router, I get around 7.6Mbps.

This is the same whether there are other clients connected or not, so certainly not an infected PC or a user with Bit Torrents.

I have the same ASA config and the same DSL router running on other sites with no problems.

Any diag help very welcome.

The MTU inside and outside is set to 1500, much like the others that work OK.

Thanks.

S.


13 Replies

Stephen,

The ASA is not reporting any performance issues? CPU or memory?

How many users behind the ASA?

Federico.

Hi,

No performance issues.

Only around 15 users but I have also tested on Sunday around 3am when I know nobody is around and still very slow.

Thanks.

S.

Stephen,

You said that you have other ASAs on other sites with the same exact configuration?

I just want to make sure that you're not doing HTTP inspection or you have any modification to the inspection/logging policies that can be delaying the traffic.

Do you have pretty much the basic configuration, or is something else going on?

Question.. if you reboot the ASA, do you get impacted by the performance as soon as it starts, or does this happen after a while?

Federico.

Federico,

I don't believe that I have http inspection or logging but not sure how to tell.

Would it be something like "inspect http" ?

If so, then certainly no.

I have checked the config line by line with others and all seems the same.

The OS versions and ASDM are the same.

Memory the same and flash.

MTU sizes the same.

This particular firewall won't test over 1Mbps.

Driving me crazy.

Thanks for trying to help.

S.

Would you be able to post the configuration?

You can remove sensitive information such as public IP addresses and users.

Federico.

Federico,

Please find below the config with details removed.

**************************

hostname asa

domain-name xxxx.local

enable password xxxx

passwd xxxx

names

name 192.168.0.0 xxx-LAN

name 192.168.0.1 SERVER

name 192.168.0.2 MAILSERVER

name 192.168.0.254 INSIDE-IP

name 1.2.3.4 ROUTER

name 1.2.3.4 SMTPFEED

name 1.2.3.4 OUTSIDE-IP

name 192.168.200.0 xxx-VPN

name 1.2.3.4 xxxx

dns-guard

!

interface Vlan1

nameif inside

security-level 100

ip address INSIDE-IP 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address OUTSIDE-IP 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name xxxx.local

access-list nonat extended permit ip xxx-LAN 255.255.255.0 xxx-VPN 255.255.255.0

access-list outside extended permit tcp any host SMTPFEED eq smtp

access-list outside extended permit tcp any host SMTPFEED eq https

access-list outside extended permit tcp any host SMTPFEED eq www

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool xxx-VPN-POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 xxx-LAN 255.255.255.0

static (inside,outside) tcp SMTPFEED smtp MAILSERVER smtp netmask 255.255.255.255

static (inside,outside) tcp SMTPFEED https MAILSERVER https netmask 255.255.255.255

static (inside,outside) tcp SMTPFEED www MAILSERVER www netmask 255.255.255.255

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 ROUTER 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server vpn protocol radius

aaa-server vpn (inside) host SERVER

key *****

http server enable

http xxxx 255.255.255.255 outside

http xxx-LAN 255.255.255.0 inside

http xxx-VPN 255.255.255.0 inside

http xxx-VPN 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Strong esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map Remote 10 set transform-set Strong

crypto dynamic-map Remote 10 set security-association lifetime seconds 28800

crypto dynamic-map Remote 10 set security-association lifetime kilobytes 4608000

crypto map VPN-Map 100 ipsec-isakmp dynamic Remote

crypto map VPN-Map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 21

telnet timeout 5

ssh xxx-LAN 255.255.255.0 inside

ssh xxx-VPN 255.255.255.0 inside

ssh xxxx 255.255.255.255 outside

ssh xxx-VPN 255.255.255.0 outside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy Remote-VPN internal

group-policy Remote-VPN attributes

wins-server value 192.168.0.1

dns-server value 192.168.0.1

default-domain value xxxx.local

split-dns value xxxx.local

username xyz password xxxx

tunnel-group remoteusers type remote-access

tunnel-group remoteusers general-attributes

address-pool (outside) xxx-VPN-POOL

authentication-server-group (outside) vpn

default-group-policy Remote-VPN

tunnel-group remoteusers ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

I was going to suggest lowering the inactive timeouts for the translations and connections and removing all the unneeded configuration,
just to check if it makes any difference...
However, if you say that the problem exists even when there are no users behind the ASA sending traffic, I think you'd rather open a TAC case.
And if you can keep us posted, I'll appreciate it ;-)

I have experienced slowness through ASAs, but it normally has something to do with the configuration and the amount of traffic (I don't see this being the case here).

Federico.

Hi Federico,

I figured opening a case may be best.

I just ran a "sh int e0/0" command and noticed a lot of CRC errors, see below.

****************

Result of the command: "sh int e0/0"

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0026.cbf7.94d2, MTU not set
IP address unassigned
405856 packets input, 413509356 bytes, 0 no buffer
Received 2654 broadcasts, 0 runts, 0 giants
65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2169 switch ingress policy drops
372629 packets output, 69243926 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops

Interesting...

You have E0/0 connected to the DSL router directly with a straight-through cable?

I bet you're not getting those CRC errors on the other locations?

Federico.

Straight through cable I believe but may need to check tomorrow.

The other interface only has one or two CRC errors.

I may swap the cable that links the ASA to the DSL modem.

Thanks.

S.

tmcarter
Level 1

This problem is most likely attributed to a Speed / Duplex Mismatch. On your ASA set the speed to fixed 100 and duplex to full; or whatever your connecting switch will TX/RX at with a fixed setting.

Do this for both the outside and inside interfaces, most importantly, the inside interfaces that connect to another switch.

For whatever reason, some Cisco devices don't do well with "Auto" negotiate on the interfaces, so it is my experience to hard code them.

Ty Carter, President

Strategic Network Consultants, Inc.

524 East 9th Street

Washington, NC  27889
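As an added example (not code from this thread or from Cisco), here is a small Python check that parses the Ethernet0/0 counters Stephen posted above and flags the two symptoms discussed in the thread: a high CRC error rate, and auto-negotiation on a port that is showing errors, which is what tmcarter's advice to hard-code speed/duplex addresses. The 0.1% CRC threshold, the second "healthy" sample and the exact line format the ASA prints for a hard-coded port are assumptions made for the example.

```python
"""Parse ASA 'show interface' output and flag CRC / duplex-mismatch symptoms."""
import re

# Constructed sample: the Ethernet0/0 counters posted earlier in the thread.
SAMPLE_BAD = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0026.cbf7.94d2, MTU not set
IP address unassigned
405856 packets input, 413509356 bytes, 0 no buffer
Received 2654 broadcasts, 0 runts, 0 giants
65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
372629 packets output, 69243926 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
"""

# Constructed sample of a healthy, hard-coded port (line format is an assumption).
SAMPLE_GOOD = """\
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex, 100 Mbps
1200345 packets input, 900000000 bytes, 0 no buffer
Received 10 broadcasts, 0 runts, 0 giants
2 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1100000 packets output, 80000000 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
"""

CRC_RATE_THRESHOLD = 0.001  # assumed: 0.1 % of received frames; tune per site


def _count(pattern, text):
    """First integer captured by `pattern`, or 0 if the counter line is absent."""
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_show_interface(text):
    """Return the counters and negotiation state needed for the health check."""
    name = re.search(r'^Interface (\S+)', text, re.M)
    dup_line = next((ln for ln in text.splitlines() if 'duplex' in ln.lower()), '')
    duplex = re.search(r'(Full|Half)-duplex', dup_line, re.I)
    return {
        "name": name.group(1) if name else "?",
        "autoneg": "Auto-" in dup_line,          # "Auto-Duplex"/"Auto-Speed" present
        "duplex": duplex.group(1).capitalize() if duplex else "?",
        "packets_input": _count(r'(\d+) packets input', text),
        "input_errors": _count(r'(\d+) input errors', text),
        "crc": _count(r'(\d+) CRC', text),
        "collisions": _count(r'(\d+) collisions', text),
        "late_collisions": _count(r'(\d+) late collisions', text),
    }


def crc_rate(stats):
    """CRC errors as a fraction of frames received (0.0 when nothing was received)."""
    return stats["crc"] / stats["packets_input"] if stats["packets_input"] else 0.0


def assess(stats, threshold=CRC_RATE_THRESHOLD):
    """Return human-readable findings; an empty list means the port looks healthy."""
    findings = []
    rate = crc_rate(stats)
    if rate > threshold:
        findings.append(
            f'{stats["name"]}: {stats["crc"]} CRC errors in {stats["packets_input"]} '
            f'input frames ({rate:.2%}); check the cable and the device at the far end')
    if stats["late_collisions"] or (stats["duplex"] == "Full" and stats["collisions"]):
        # Late collisions, or any collisions on a port that believes it is full
        # duplex, are the classic signature of a duplex mismatch with the far end.
        findings.append(f'{stats["name"]}: collisions on a full-duplex port; '
                        f'likely duplex mismatch')
    if findings and stats["autoneg"]:
        # Hard-code speed/duplex on BOTH ends: fixing only one side leaves the
        # auto-negotiating side falling back to half duplex.
        findings.append(f'{stats["name"]}: port is auto-negotiated; consider fixing '
                        f'speed/duplex on both ends')
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_GOOD):
        stats = parse_show_interface(sample)
        for line in assess(stats) or [f'{stats["name"]}: no issues found']:
            print(line)
```

Run against the posted counters the check reports a 1.12% CRC rate on Ethernet0/0 and notes that the port is auto-negotiated; the constructed healthy port produces no findings. Paste the output of `show interface` for each port into the script to compare the inside and outside sides, as the thread does.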

Agree with tmcarter. Yes, CRC errors need to be eliminated first.

You can refer to this list and run through the checklist: https://supportforums.cisco.com/docs/DOC-8982

-KS

Thanks to all who replied.

This was down to a faulty router in the end.

S.
