05-18-2010 02:33 PM - edited 03-11-2019 10:47 AM
Hi,
I have a very similar problem to someone else's on here, which also isn't resolved.
My customer's Internet crawls with a DL speed of around 0.6Mbps.
If I bypass the firewall and connect a laptop to the public interface on the DSL router, I get around 7.6Mbps.
This is the same whether there are other clients connected or not, so it's certainly not an infected PC or a user running BitTorrent.
I have the same ASA config and the same DSL router running on other sites with no problems.
Any diag help very welcome.
The MTU inside and outside is set to 1500, much like the others that work OK.
Thanks.
S.
05-18-2010 02:38 PM
Stephen,
The ASA is not reporting any performance issues? CPU or memory?
How many users behind the ASA?
Federico.
05-18-2010 02:45 PM
Hi,
No performance issues.
Only around 15 users but I have also tested on Sunday around 3am when I know nobody is around and still very slow.
Thanks.
S.
05-18-2010 02:50 PM
Stephen,
You said that you have other ASAs on other sites with the same exact configuration?
I just want to make sure that you're not doing HTTP inspection and that you don't have any modifications to the inspection/logging policies that could be delaying the traffic.
Do you have pretty much the basic configuration, or is something else going on?
Question: if you reboot the ASA, are you impacted by the performance problem as soon as it starts, or does this happen after a while?
Federico.
05-18-2010 03:03 PM
Federico,
I don't believe that I have http inspection or logging but not sure how to tell.
Would it be something like "inspect http" ?
If so, then certainly no.
I have checked the config line by line with others and all seems the same.
The OS versions and ASDM are the same.
Memory the same and flash.
MTU sizes the same.
This particular firewall won't test over 1Mbps.
Driving me crazy.
Thanks for trying to help.
S.
05-18-2010 03:05 PM
Would you be able to post the configuration?
You can remove sensitive information such as public IP addresses and users.
Federico.
05-18-2010 03:16 PM
Federico,
Please find below the config with details removed.
**************************
hostname asa
domain-name xxxx.local
enable password xxxx
passwd xxxx
names
name 192.168.0.0 xxx-LAN
name 192.168.0.1 SERVER
name 192.168.0.2 MAILSERVER
name 192.168.0.254 INSIDE-IP
name 1.2.3.4 ROUTER
name 1.2.3.4 SMTPFEED
name 1.2.3.4 OUTSIDE-IP
name 192.168.200.0 xxx-VPN
name 1.2.3.4 xxxx
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address INSIDE-IP 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address OUTSIDE-IP 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxx.local
access-list nonat extended permit ip xxx-LAN 255.255.255.0 xxx-VPN 255.255.255.0
access-list outside extended permit tcp any host SMTPFEED eq smtp
access-list outside extended permit tcp any host SMTPFEED eq https
access-list outside extended permit tcp any host SMTPFEED eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool xxx-VPN-POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 xxx-LAN 255.255.255.0
static (inside,outside) tcp SMTPFEED smtp MAILSERVER smtp netmask 255.255.255.255
static (inside,outside) tcp SMTPFEED https MAILSERVER https netmask 255.255.255.255
static (inside,outside) tcp SMTPFEED www MAILSERVER www netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 ROUTER 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host SERVER
key *****
http server enable
http xxxx 255.255.255.255 outside
http xxx-LAN 255.255.255.0 inside
http xxx-VPN 255.255.255.0 inside
http xxx-VPN 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Strong esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Remote 10 set transform-set Strong
crypto dynamic-map Remote 10 set security-association lifetime seconds 28800
crypto dynamic-map Remote 10 set security-association lifetime kilobytes 4608000
crypto map VPN-Map 100 ipsec-isakmp dynamic Remote
crypto map VPN-Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh xxx-LAN 255.255.255.0 inside
ssh xxx-VPN 255.255.255.0 inside
ssh xxxx 255.255.255.255 outside
ssh xxx-VPN 255.255.255.0 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
wins-server value 192.168.0.1
dns-server value 192.168.0.1
default-domain value xxxx.local
split-dns value xxxx.local
username xyz password xxxx
tunnel-group remoteusers type remote-access
tunnel-group remoteusers general-attributes
address-pool (outside) xxx-VPN-POOL
authentication-server-group (outside) vpn
default-group-policy Remote-VPN
tunnel-group remoteusers ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
05-18-2010 03:29 PM
I was going to suggest lowering the inactive timeouts for the translations and connections and removing all the unneeded configuration,
just to check whether it makes any difference...
However, if you say that the problem exists even when there are no users behind the ASA sending traffic, I think you'd rather open a TAC case.
And if you can keep us posted, I'll appreciate it ;-)
I have experienced slowness through ASAs, but normally it has something to do with the configuration and the amount of traffic (I don't see this being the case here).
Federico.
05-18-2010 03:36 PM
Hi Federico,
I figured opening a case may be best.
I just ran a "sh int e0/0" command and noticed a lot of CRC errors, see below.
****************
Result of the command: "sh int e0/0"
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0026.cbf7.94d2, MTU not set
IP address unassigned
405856 packets input, 413509356 bytes, 0 no buffer
Received 2654 broadcasts, 0 runts, 0 giants
65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2169 switch ingress policy drops
372629 packets output, 69243926 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
05-18-2010 03:46 PM
Interesting...
You have E0/0 connected to the DSL router directly with a straight-through cable?
I bet you're not getting those CRC errors on the other locations?
Federico.
05-18-2010 03:54 PM
Straight-through cable, I believe, but I may need to check tomorrow.
The other interface only has one or two CRC errors.
I may swap the cable that links the ASA to the DSL modem.
Thanks.
S.
12-30-2010 07:09 AM
This problem is most likely attributable to a speed/duplex mismatch. On your ASA, set the speed to a fixed 100 and the duplex to full, or whatever your connecting switch will TX/RX at with a fixed setting.
Do this for both the outside and inside interfaces, most importantly the inside interfaces that connect to another switch.
For whatever reason, some Cisco devices don't do well with "auto" negotiation on the interfaces, so my experience is that it's best to hard-code them.
Ty Carter, President
Strategic Network Consultants, Inc.
524 East 9th Street
Washington, NC 27889
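The counters posted above (65815 input errors and 4560 CRC errors on e0/0) and the speed/duplex mismatch suggested in this reply are the things worth checking on every ASA before opening a TAC case. Below is an added example, not code from the original thread or from Cisco, that parses saved `show interface` output and flags the symptoms discussed: CRC errors, a high input-error ratio, late collisions, and auto-negotiation on a link that is already showing errors. The first interface block in the sample is the poster's own e0/0 output; the second interface block is constructed for contrast and is not from the page, and the exact wording of its fixed-duplex line is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample "show interface" output. Ethernet0/0 is the poster's own counters
# from this thread; Ethernet0/1 is a constructed healthy interface for
# comparison (not from the original page; its "Full-Duplex, 100 Mbps"
# line is an assumed format for a hard-coded port).
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  405856 packets input, 413509356 bytes, 0 no buffer
  Received 2654 broadcasts, 0 runts, 0 giants
  65815 input errors, 4560 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  372629 packets output, 69243926 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
  Full-Duplex, 100 Mbps
  120000 packets input, 90000000 bytes, 0 no buffer
  Received 100 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  110000 packets output, 50000000 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
"""


@dataclass
class IfaceStats:
    name: str
    auto_duplex: bool
    auto_speed: bool
    packets_input: int
    input_errors: int
    crc: int
    runts: int
    collisions: int
    late_collisions: int

    def input_error_ratio(self) -> float:
        """Fraction of received frames that were counted as errors."""
        return self.input_errors / self.packets_input if self.packets_input else 0.0


def _counter(pattern: str, block: str) -> int:
    """Return the first integer counter matching pattern, or 0 if absent."""
    m = re.search(pattern, block)
    return int(m.group(1)) if m else 0


def parse_show_interface(text: str) -> List[IfaceStats]:
    """Split ASA 'show interface' output into per-interface counters."""
    blocks = re.split(r"(?m)^Interface ", text)[1:]  # drop text before first interface
    stats = []
    for blk in blocks:
        stats.append(IfaceStats(
            name=blk.split()[0],
            auto_duplex="Auto-Duplex" in blk,
            auto_speed="Auto-Speed" in blk,
            packets_input=_counter(r"(\d+) packets input", blk),
            input_errors=_counter(r"(\d+) input errors", blk),
            crc=_counter(r"(\d+) CRC", blk),
            runts=_counter(r"(\d+) runts", blk),
            collisions=_counter(r"(\d+) collisions", blk),  # "late collisions" does not match
            late_collisions=_counter(r"(\d+) late collisions", blk),
        ))
    return stats


def assess(s: IfaceStats, max_error_ratio: float = 0.001) -> List[str]:
    """Flag the link-layer symptoms discussed in the thread for one interface."""
    findings = []
    if s.crc:
        findings.append(f"{s.name}: {s.crc} CRC errors - check cable, port and the peer device")
    if s.input_error_ratio() > max_error_ratio:
        findings.append(f"{s.name}: {s.input_error_ratio():.1%} of input frames errored")
    if s.late_collisions:
        findings.append(f"{s.name}: late collisions - this side is half-duplex against a full-duplex peer")
    if s.runts and s.crc:
        findings.append(f"{s.name}: CRC plus runts - classic signature of the full-duplex side of a mismatch")
    if (s.crc or s.input_errors) and (s.auto_duplex or s.auto_speed):
        findings.append(f"{s.name}: auto-negotiated link with errors - confirm the peer is also auto (fixed vs auto mismatches)")
    return findings


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE):
        for line in assess(iface) or [f"{iface.name}: clean"]:
            print(line)
```

Run it against the saved output of `show interface` on the ASA. One caveat on the hard-coding advice: if you fix speed and duplex on the ASA side, the router or switch on the other end must be fixed to match, because a fixed port facing an auto-negotiating port is itself a standard cause of a duplex mismatch. And, as the resolution of this thread shows, counters like these can also come from faulty hardware on the peer rather than from negotiation at all, so the cable swap and peer check come before any config change.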
12-30-2010 02:50 PM
Agree with tmcarter. Yes CRC errors need to be eliminated first.
You can refer to this list and run through the checklist: https://supportforums.cisco.com/docs/DOC-8982
-KS
12-30-2010 03:17 PM
Thanks to all who replied.
This was down to a faulty router in the end.
S.