ASA 5505 Download speed throughput very slow with new modem

HutchClSCO
Level 1

I received a new modem today to upgrade my speeds with my ISP. The modem is a Hitron CGNDM. Once I had this new modem plugged in, I had the ISP put the modem in bridge mode, disabling the NATing/any fancy functionality, and performed a speed test. I was then receiving 25mbps down and 20mbps up. With my older modem I was receiving 90mbps down and 10 mbps up. The plan I subscribe to was 150/10 and should now be 250/20.

Summary:

Previous Setup: Same ASA connected via same interface (same cable) to old modem with 150/10 plan received 90/10 on average

New Setup: Same ASA connected via same interface (same cable) to new modem with 250/20 plan receives 25/20 on average

Now here's where it gets interesting:

If I plug my laptop directly into the modem, I get the old (expected) download rate (90) with my new upload (20), meaning it works flawlessly but I only receive 90 down due to oversubscription. If I statically configure an IP on my laptop network card and plug directly into the inside interface of the ASA, I receive 25/20, meaning it is 100% the ASA causing the issue.

I have tried changing both manual and auto configurations of the duplex and speeds on the outside interface of the ASA with no luck. I've also attempted to change the MTU value of the outside interface but it does not seem to make a difference.

Here is my ASA configuration:

 

ASA Version 8.2(1) 
!
hostname FW
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan101
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
 switchport access vlan 101
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service portforward tcp-udp
 port-object eq 1720
 port-object eq www
 port-object eq 443
 port-object eq 59835
 port-object eq 3074
 port-object eq domain
 port-object eq 88
 port-object eq 1119
 port-object range 6881 6999
 port-object eq 64738
 port-object eq 21025
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list nonat extended permit ip any 10.0.0.0 255.255.255.0 
access-list split standard permit 10.10.10.0 255.255.255.0 
access-list portforward extended permit tcp any any object-group portforward 
access-list portforward extended permit udp any any object-group portforward 
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1492
mtu inside 1500
ip local pool SSLClientPool 10.0.0.10-10.0.0.20 mask 255.255.255.0
ip local pool SSLClientPool2 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface h323 10.10.10.8 h323 netmask 255.255.255.255 
static (inside,outside) tcp interface 59835 10.10.10.2 59835 netmask 255.255.255.255 
static (inside,outside) tcp interface 3074 10.10.10.12 3074 netmask 255.255.255.255 
static (inside,outside) tcp interface 88 10.10.10.12 88 netmask 255.255.255.255 
static (inside,outside) udp interface 3074 10.10.10.12 3074 netmask 255.255.255.255 
static (inside,outside) udp interface 88 10.10.10.12 88 netmask 255.255.255.255 
static (inside,outside) udp interface domain 10.10.10.12 domain netmask 255.255.255.255 
static (inside,outside) tcp interface domain 10.10.10.12 domain netmask 255.255.255.255 
static (inside,outside) tcp interface www 10.10.10.12 www netmask 255.255.255.255 
static (inside,outside) tcp interface 64738 10.10.10.108 64738 netmask 255.255.255.255 
static (inside,outside) udp interface 64738 10.10.10.108 64738 netmask 255.255.255.255 
static (inside,outside) tcp interface 21025 10.10.10.8 21025 netmask 255.255.255.255 
access-group portforward in interface outside
route inside 10.10.10.0 255.255.255.0 10.0.0.1 1
route inside 20.20.20.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http 10.10.10.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.city17.com
 subject-name CN=sslvpn.city17.com
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain localtrust
 certificate d01f664a
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.3.2016-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value tsweb.local
 address-pools value SSLClientPool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
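
Added example, not part of the original post and not Cisco tooling: a small Python parser that pulls the link settings the poster mentions changing (speed, duplex, MTU) out of an ASA 5505 running-config, mapping each active switch port to its VLAN's `nameif`. The input is a constructed excerpt of the configuration above; the name `link_settings` is hypothetical, and the code assumes a port with no `speed`/`duplex` line is at auto and an unassigned port sits in VLAN 1.

```python
# Constructed excerpt: the link-related lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Vlan100
 nameif outside
interface Vlan101
 nameif inside
!
interface Ethernet0/0
 switchport access vlan 100
interface Ethernet0/1
 switchport access vlan 101
interface Ethernet0/2
 shutdown
!
mtu outside 1492
mtu inside 1500
"""

def link_settings(config):
    """Map each active physical port to its nameif, MTU, speed and duplex."""
    vlan_names, mtus, ports, current = {}, {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):  # a top-level command ends any interface block
            current = words[1] if words[0] == "interface" and len(words) > 1 else None
            if current and not current.startswith("Vlan"):
                # Assumption: no speed/duplex line under a port means auto.
                ports[current] = {"vlan": "1", "speed": "auto", "duplex": "auto", "up": True}
            elif words[0] == "mtu" and len(words) == 3:
                mtus[words[1]] = int(words[2])
        elif current in ports:  # sub-command of a physical switch port
            if words[:3] == ["switchport", "access", "vlan"]:
                ports[current]["vlan"] = words[-1]
            elif words[0] in ("speed", "duplex"):
                ports[current][words[0]] = words[-1]
            elif words == ["shutdown"]:
                ports[current]["up"] = False
        elif current and words[0] == "nameif":  # sub-command of a VlanN interface
            vlan_names[current[4:]] = words[-1]
    report = {}
    for port, p in ports.items():
        if p["up"]:
            name = vlan_names.get(p["vlan"])
            report[port] = {"nameif": name, "mtu": mtus.get(name),
                            "speed": p["speed"], "duplex": p["duplex"]}
    return report
```

On the excerpt, `Ethernet0/0` comes back as the outside port with MTU 1492 and speed and duplex both at auto, while the shut-down `Ethernet0/2` is omitted.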

 

3 Replies

graham333
Level 1

I am having the exact same problem - did you find a solution?

lavance.davis
Level 1

I have the same problem

julianben
Level 1

This is what worked for me.

Get a small Gig switch and connect the ASA to the switch. The modem looks for a Gig interface, so connect the modem to the switch.

 

Modem- - - - -Gig Switch - - - ASA
