Re: ASA 5510 - strange three way handshakes - Page 2

IgorHamzic · ‎06-18-2008

Hi all. We have a following situation happening on the DMZ of our ASA 5510.We first caught the problem when one of the users notified us that transfer of files from a server in the DMZ starts OK but slows down to a crawl.We have tested the claim and have found that the same thing happening.Sometimes the transfer goes OK,sometimes it goes to a crawl(beneath 40k) and sometimes it slows down a bit but finishes in time.This mostly happens with large files.

We have further viewed the tcp dump from both sides(from the server side on the DMZ and from a host just before the ASA).Sometimes we see on the server side ACK's that come in triplicates and that server side seems to send packets in a random order.The problem only happens on the server side as the tcp dump from the host side seems OK.

We believe the problem is ASA related but we don't know what could be causing it.Any ideas?

IgorHamzic · ‎06-23-2008

I was asking because later if the problem is solved I will have to modify the access list to apply the changes to other ranges,VPN clients and so on.

IgorHamzic · ‎06-23-2008

Just tested the configuration with our server admin and we haven't seen an improvement.The transfer seems a bit more dynamic(we see a good transfer speed then it drops to some silly values then rises and so on) but there still a lot of speed drops with speeds beneath 10kbits.

Also I didn't see the option under tcp-map for invalid-ack allow and ASA won't accept the command.

Farrukh Haroon · ‎06-23-2008

This command was introduced in 7.2(4).

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1734057

Regards

Farrukh

IgorHamzic · ‎06-23-2008

I have version 8.0(3) on my ASA and I don't see it it the command reference for the 8.0 version on the Cisco site.