I have an ASA5510 pair running 8.2.2 code. The problem I am facing is weird. The inspection rule on this box is at its default. It's giving very high latency to HTTP requests. If the HTTP request is made to the same web server after VPN in via remote access VPN, things are streaming fast. That indicates that the problem is not on the server but something to do with the firewall.
NAT is one to one using static command.
Inbound HTTP is permitted via ACL.
Inspection rules are default global policy.
What could be wrong and where do I start the troubleshooting?
So the server is hosted on the inside which we access from outside and there we face latency, right? Well, this part of the config seems ok and there is nothing as such which should bring in the latency. Can you get the output of "sh asp drop" and see if we get any packets dropped because they were "out-of-order"?
Yes. Web server access from outside is the problem. The same web server works fine if the same PC first dials in via VPN and then launches the browser to the real address.
Output of the command you requested.
fw1(config)# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                        15
  Invalid UDP Length (invalid-udp-length)                             6
  No valid adjacency (no-adjacency)                                7815
  No route to host (no-route)                                    100161
  Flow is denied by configured rule (acl-drop)                  4805154
  Flow denied due to resource limitation (unable-to-create-flow) 154364
  NAT-T keepalive message (natt-keepalive)                           20
  First TCP packet not SYN (tcp-not-syn)                         678617
  Bad TCP checksum (bad-tcp-cksum)                                    4
  TCP failed 3 way handshake (tcp-3whs-failed)                    29569
  TCP RST/FIN out of order (tcp-rstfin-ooo)                       24352
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                   24
  TCP packet SEQ past window (tcp-seq-past-win)                     262
  TCP invalid ACK (tcp-invalid-ack)                                 219
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)              1
  TCP RST/SYN in window (tcp-rst-syn-in-win)                       1519
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)          6
  TCP packet failed PAWS test (tcp-paws-fail)                     41406
  Early security checks failed (security-failed)                   2065
  Slowpath security checks failed (sp-security-failed)         14160097
  IP option drop (invalid-ip-option)                               1076
  Interface is down (interface-down)                                171
  Dropped pending packets in a closed socket (np-socket-closed)   25883
  SVC Module does not have a session (mp-svc-no-session)             11

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                           724
  Inspection failure (inspect-fail)                                  60
  SSL handshake failed (ssl-handshake-failed)                       237
  SSL received close alert (ssl-received-close-alert)               207
  SVC replacement connection established (svc-replacement-conn)     60
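Because the box shows "Last clearing: Never", the absolute counters above include every drop since boot and say little on their own; what matters is how fast the TCP-normalizer counters climb while a slow HTTP transfer is actually running. The following is an added Python example (my own, not code from the thread or from Cisco) that parses `show asp drop` output and turns two snapshots into per-second rates. Both snapshots are constructed: SNAP_T0 copies a few of the counters posted above, SNAP_T1 is a hypothetical capture from the same box 300 seconds later; the set of normalizer reason names is mine, taken from the reason tokens in the output.

```python
"""Compare two `show asp drop` snapshots from a Cisco ASA.

Added example, not code from the thread or from Cisco. Both snapshots
below are constructed: SNAP_T0 copies a few counters from the poster's
output, SNAP_T1 is a hypothetical capture 300 seconds later.
"""
import re
from typing import Dict, List, Tuple

# Reasons the ASA TCP normalizer raises for out-of-order segments or
# failed sequence checks. A sustained rate here during a slow transfer
# means the firewall is discarding segments the client must retransmit.
TCP_NORMALIZER_REASONS = {
    "tcp-rstfin-ooo", "tcp-discarded-ooo", "tcp-paws-fail",
    "tcp-seq-past-win", "tcp-invalid-ack", "tcp-dup-in-queue",
    "tcp-seq-syn-diff", "tcp-rst-syn-in-win",
}

# One counter line: description, reason token in parentheses, count.
_COUNTER = re.compile(
    r"^\s*(?P<desc>.+?)\s+\((?P<reason>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$"
)

SNAP_T0 = """\
fw1# sh asp drop

Frame drop:
  No route to host (no-route)                                  100161
  Flow is denied by configured rule (acl-drop)                4805154
  First TCP packet not SYN (tcp-not-syn)                       678617
  TCP RST/FIN out of order (tcp-rstfin-ooo)                     24352
  TCP packet SEQ past window (tcp-seq-past-win)                   262
  TCP invalid ACK (tcp-invalid-ack)                               219
  TCP packet failed PAWS test (tcp-paws-fail)                   41406

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                         724
"""

# Constructed: same box, 300 s later, captured during a slow HTTP download.
SNAP_T1 = """\
Frame drop:
  No route to host (no-route)                                  100161
  Flow is denied by configured rule (acl-drop)                4811154
  First TCP packet not SYN (tcp-not-syn)                       680117
  TCP RST/FIN out of order (tcp-rstfin-ooo)                     25252
  TCP packet SEQ past window (tcp-seq-past-win)                   292
  TCP invalid ACK (tcp-invalid-ack)                               219
  TCP packet failed PAWS test (tcp-paws-fail)                   43806

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                         724
"""


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each drop reason (the token in parentheses) to its counter.

    Section headers ("Frame drop:", "Flow drop:") and the "Last clearing"
    line carry no counter and are skipped.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_rates(before: Dict[str, int], after: Dict[str, int],
               seconds: float) -> Dict[str, float]:
    """Per-second increase of every counter present in `after`.

    A counter that went down means `clear asp drop` ran in between, so the
    new value is the whole delta rather than a negative rate.
    """
    rates: Dict[str, float] = {}
    for reason, new in after.items():
        delta = new - before.get(reason, 0)
        if delta < 0:
            delta = new
        rates[reason] = delta / seconds
    return rates


def suspicious_tcp_drops(rates: Dict[str, float],
                         min_rate: float = 1.0) -> List[Tuple[str, float]]:
    """Normalizer-related reasons at or above min_rate, highest first."""
    hits = [(r, v) for r, v in rates.items()
            if r in TCP_NORMALIZER_REASONS and v >= min_rate]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    rates = drop_rates(parse_asp_drop(SNAP_T0), parse_asp_drop(SNAP_T1), 300)
    for reason, rate in suspicious_tcp_drops(rates):
        print(f"{reason:<20} {rate:8.2f} drops/s")
```

Capture the output once before and once after a deliberately slow download from outside (or run `clear asp drop` first and read it once after the interval), then feed both captures in place of the constructed strings. A sustained rate in tcp-rstfin-ooo, tcp-paws-fail or tcp-seq-past-win while the transfer is running is worth chasing further; a climbing tcp-not-syn counter usually points at a return path that bypasses the ASA. The thread itself does not establish which, if either, applies to this box.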