
Slow performance on same subnet devices.

KeithN123
Level 1

I recently installed a new ASA, connecting a 3750 switch to one of the interfaces.  The interface address of the firewall is for example, 192.168.1.1/26.

The switch has several servers on the same subnet, 192.168.1.0/26, yet when I try to connect across from one server to the other (doesn't matter what protocol), performance is so slow that it is almost unusable. Once the devices have connected, everything works fine.

I have noticed that on occasion, if I check the ARP cache on the switch, the server may have taken the MAC address of the firewall interface (proxy?). I am confused as to why this should happen because in reality the devices are on the same piece of wire; why would it even look at the firewall interface?

thanks

Keith

1 Accepted Solution

Accepted Solutions

Ganesh Hariharan
VIP Alumni

I recently installed a new ASA, connecting a 3750 switch to one of the interfaces. The interface address of the firewall is for example, 192.168.1.1/26.

The switch has several servers on the same subnet, 192.168.1.0/26, yet when I try to connect across from one server to the other (doesn't matter what protocol), performance is so slow that it is almost unusable. Once the devices have connected, everything works fine.

I have noticed that on occasion, if I check the ARP cache on the switch, the server may have taken the MAC address of the firewall interface (proxy?). I am confused as to why this should happen because in reality the devices are on the same piece of wire; why would it even look at the firewall interface?

thanks

Keith

Hi Keith,

I think the proxy ARP feature is enabled in the ASA. Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host.

Try disabling the feature and see the performance:

sysopt noproxyarp (interface name)

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

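Ganesh's explanation implies a switch-side check: any address in the shared subnet whose ARP entry carries the firewall interface's MAC was answered by the ASA's proxy ARP rather than by the real host, so traffic between neighbours is being hairpinned through the firewall. The following Python script is an added example, not from the thread or from Cisco; it parses a constructed `show ip arp` sample (firewall MAC, host MACs and VLAN names are assumed values) and flags those entries.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Cisco IOS "show ip arp" output (not taken from the thread).
# The firewall inside interface is 192.168.1.1/26 as in the question; its MAC
# 0011.2233.4455 and the other values are assumed for illustration.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             5   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.10            0   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.11            2   aabb.cc00.1011  ARPA   Vlan10
Internet  192.168.1.12            0   0011.2233.4455  ARPA   Vlan10
Internet  192.168.1.70            1   aabb.cc00.1070  ARPA   Vlan11
"""

# One IOS ARP line: protocol, IP, age (number or "-"), dotted-quad MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)",
    re.IGNORECASE,
)


def parse_show_ip_arp(text):
    """Return [(ip, mac, interface), ...] for each ARP entry in IOS output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["intf"]))
    return entries


def proxy_arp_suspects(entries, firewall_ip, firewall_mac, subnet):
    """IPs inside `subnet` that resolve to the firewall's MAC but are not the firewall.

    On a flat segment every on-subnet host should answer ARP with its own MAC; if
    the firewall's MAC appears for other addresses, the ASA answered on their
    behalf (proxy ARP) and neighbour traffic is taking a detour through it.
    """
    net = ip_network(subnet, strict=False)
    fw_mac = firewall_mac.lower()
    return sorted(
        ip for ip, mac, _ in entries
        if mac == fw_mac and ip != firewall_ip and ip_address(ip) in net
    )


if __name__ == "__main__":
    hits = proxy_arp_suspects(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP),
                              "192.168.1.1", "0011.2233.4455", "192.168.1.0/26")
    print("Same-subnet hosts answered by the firewall's proxy ARP:", hits)
```

Run it against real `show ip arp` output from the 3750 and, with proxy ARP disabled on that ASA interface, the list should become empty while the servers' own MACs reappear in the cache.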

6 Replies

Hi Ganesh,

I thought this might be the problem, so I disabled proxy ARP on the interface. This created more problems because I have NAT configured: as soon as I disabled the proxy feature, my NAT configurations were broken.

thanks

Keith

Hi Ganesh

I have noticed on the 3750 switch the following output if I deb ip routing static:

Path = 2 3 5 7, route table no change, recursive flag clear

Do you know what the numbers are that follow the path statement?

regards

Keith

Hi Keith,

Can you paste the output of what you want to convey? Proxy ARP is configured in the firewall, so the firewall will intercept the packet for every ARP reply; check out the link below on proxy ARP on the firewall.

https://supportforums.cisco.com/docs/DOC-3155

Hope to Help !!

Ganesh.H

Ganesh, does this just relate to PIX ver 6.0? I am using an ASA5510 with ver 8.0(4).

Does this still apply?

Keith,

Sorry, that link is for PIX ver 6, but anyhow check out the link below for Troubleshoot Connectivity through the Cisco Security Appliance:

http://72.163.4.161/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml

Hope to Help !!

Ganesh.H
