ASA 5512 - slow RDP over VPN and slow https via the outside interface

Hey all,

got the following problem:

We got a new ASA 5512 (9.1(2)). Since using the new ASA, RDP over VPN is slow as hell. Furthermore, we are hosting services for our customers at our local site. The customers access their services via https and they report slow connections as well.

What I could determine:

- RAM and CPU usage is OK

- Internet connection is not working to capacity

- Accessed servers are fine

With our old PIX we didn't have these problems.

What can I do to narrow the things down? Do you need further information?

Thank you in advance.

1 Accepted Solution


Hi,

There's a problem with your "outside" interface.

  Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)

It's on Auto/Auto settings and has negotiated 10Mbps/Half Duplex

Check the connection/settings between ASA and the device connected to WAN.

- Jouni


Jouni Forss
VIP Alumni

Hi,

I would go through the ASA's interfaces so that there are no errors and problems with Duplex.

If there is no problem with the actual physical interfaces then I guess you could capture traffic on either the hosts or on the ASA and go through the traffic capture to see if there is any clear indication of the cause of the problem.

If you are sending ASA logs to a Syslog server then I would also go through the syslogs to see if there is anything special related to these connections.

- Jouni

Are you using the cisco vpn client / anyconnect?

Keep in mind that you've got two problems; they could be related to a duplex/speed mismatch like JouniForss is referring to.

Hello Sander, Hello JouniForss,

thank you for your answers.

There should be no duplex/speed problems:

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: outside
        MAC address 7cad.746f.0643, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.252
        44690985 packets input, 14246179318 bytes, 0 no buffer
        Received 24 broadcasts, 0 runts, 0 giants
        29 input errors, 0 CRC, 0 frame, 29 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        36677961 packets output, 30273069571 bytes, 688 underruns
        0 pause output, 0 resume output
        0 output errors, 762873 collisions, 1 interface resets
        3584466 late collisions, 3893361 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (493/415)
        output queue (blocks free curr/low): hardware (508/0)
  Traffic Statistics for "outside":
        44690833 packets input, 13414186271 bytes
        40263115 packets output, 34063912416 bytes
        1273840 packets dropped
      1 minute input rate 192 pkts/sec,  173728 bytes/sec
      1 minute output rate 128 pkts/sec,  65991 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 166 pkts/sec,  104644 bytes/sec
      5 minute output rate 140 pkts/sec,  97204 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: inside
        MAC address 7cad.746f.0640, MTU 1500
        IP address 192.168.x.x, subnet mask 255.255.255.0
        273517054 packets input, 33507078716 bytes, 0 no buffer
        Received 1853084 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        505155136 packets output, 673862376054 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        4 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (462/414)
        output queue (blocks free curr/low): hardware (500/414)
  Traffic Statistics for "inside":
        273517049 packets input, 27143885172 bytes
        505155136 packets output, 664727704962 bytes
        384747 packets dropped
      1 minute input rate 47 pkts/sec,  11867 bytes/sec
      1 minute output rate 65 pkts/sec,  43224 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 91 pkts/sec,  28339 bytes/sec
      5 minute output rate 119 pkts/sec,  105353 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2 "DMZ", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: DMZ
        MAC address 7cad.746f.0644, MTU 1500
        IP address 192.168.x.x, subnet mask 255.255.255.0
        526650415 packets input, 699849187640 bytes, 0 no buffer
        Received 218607 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        293676989 packets output, 36082728609 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (476/432)
        output queue (blocks free curr/low): hardware (508/425)
  Traffic Statistics for "DMZ":
        523567643 packets input, 687409385731 bytes
        293676989 packets output, 29375410165 bytes
        5136626 packets dropped
      1 minute input rate 86 pkts/sec,  87216 bytes/sec
      1 minute output rate 76 pkts/sec,  7567 bytes/sec
      1 minute drop rate, 18 pkts/sec
      5 minute input rate 86 pkts/sec,  81140 bytes/sec
      5 minute output rate 75 pkts/sec,  6688 bytes/sec
      5 minute drop rate, 16 pkts/sec

I'm using the cisco vpn client (5.0.07)

Hi,

There's a problem with your "outside" interface.

  Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)

It's on Auto/Auto settings and has negotiated 10Mbps/Half Duplex

Check the connection/settings between ASA and the device connected to WAN.

- Jouni
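
Added example, not part of the original thread: the check done by eye in the reply above, as a Python script that parses `show interface` output and flags ports that negotiated half duplex or count late collisions. The sample is built from lines posted in this thread; the function names are this example's own, and the CRC-on-full-duplex check goes beyond this thread's case (it is the symptom usually seen on the full-duplex side of a mismatch).

```python
import re

# Constructed sample (lines copied from the thread's output); names are this example's own.
SAMPLE = '''\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        29 input errors, 0 CRC, 0 frame, 29 overrun, 0 ignored, 0 abort
        3584466 late collisions, 3893361 deferred
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 late collisions, 0 deferred
'''

HEADER = re.compile(r'^Interface \S+ "([^"]*)"')
LINK = re.compile(r'Duplex\((\w+)-duplex\), Auto-Speed\((\d+) Mbps\)')
COUNTER = re.compile(r'(\d+) (late collisions|CRC)')

def parse_interfaces(text):
    """Split `show interface` output into one dict per interface."""
    interfaces, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"name": m.group(1)}
            interfaces.append(cur)
        if cur is None:
            continue  # text before the first interface header
        if m := LINK.search(line):
            cur.update(duplex=m.group(1).lower(), speed=int(m.group(2)))
        for value, key in COUNTER.findall(line):
            cur[key] = int(value)
    return interfaces

def findings(iface):
    """Reasons an interface looks like one side of a duplex mismatch."""
    out = []
    if iface.get("duplex") == "half":
        out.append(f"negotiated half duplex at {iface['speed']} Mbps")
    if iface.get("late collisions", 0) > 0:
        out.append(f"{iface['late collisions']} late collisions")
    if iface.get("duplex") == "full" and iface.get("CRC", 0) > 0:
        out.append(f"{iface['CRC']} CRC errors on a full-duplex link")
    return out

def audit(text):
    """Map interface name to findings, omitting interfaces with none."""
    return {i["name"]: f for i in parse_interfaces(text) if (f := findings(i))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```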

Hey JouniForss,

wow, I totally missed this :/

Should be enough to set this to full and 100 Mbps?

Hi,

Can you check/set the settings on the device connected to the "outside" port of the ASA also?

I guess it would be good to manually set the speed/duplex settings on the devices.

- Jouni

The other device is a router from our provider. It's not possible to see anything or to configure things on this device :/

I will try to set the duplex/speed settings manually today in the evening and will report back tomorrow.

Thanks again to you both.

Hi,

Were you able to get this problem solved by changing the physical port settings?

- Jouni

Sorry for my late answer.

Indeed it's working fine now. Thanks for seeing my missed misconfiguration.

Hi,

Good to hear it's working now

- Jouni

Depends on your switch side. Please post the configuration

- show run interface fast 1/0/X

and the

- show interface fast 1/0/x

Hello, 

 

I have the same problem after an ASA 5585-X update (from version asa963-1-smp-k8.bin to asa982-smp-k8.bin). I tried downgrading the software and the problem disappeared. I think that the problem is with inspection maps or something else…
