Community Member

Cannot download from Internet through FWSM

I am running a pair of 6509's with 720 Supervisors and a pair of FWSM's in Active/Standby.

In the last two weeks we have been unable to download successfully any files from the internet larger than about 5Mb.

Web browsing is fine.

If I connect my laptop outside of the FWSM downloads work fine.

This is not affecting normal service and we are hosting many servers behind the FWSM without an issue.

But these servers are unable to download updates from the internet.

If we point to a proxy (Websense) which sits outside of the FWSM downloads work fine.

I have failed over the firewalls and rebooted both without any progress.

I have also tried the sysopt np completion-unit command without any success.

If I run a packet capture I am seeing a lot of out of order packets and TCP retransmissions, but this is also the same for a capture outside of the FWSM.

I have a call running with TAC but just wondered if anyone has seen this kind of issue before, as it is becoming very difficult to pinpoint the cause.

 

Thanks

 

Roger

6 REPLIES
Community Member

I had this issue once on a 2800 router acting as their firewall. The firewall is having trouble dealing with an excessive amount of fragmented packets. We tried upgrading, but it did not help. ISP said it was not on their side, but eventually the customer saw their truck down at the corner working on something, after that there were no more fragmented packets and no more downloading issues. So I would have a call with your ISP as well, unless you can download large files internally.

Community Member

It is not an ISP issue, if I connect my laptop outside the FWSM or dirty to the ISP - downloads work fine.

It is only when we go inside the FWSM that they go so slow as they never complete.

Thanks for the reply, but I don't think it is an ISP issue.

Roger

Community Member

Yes, but you stated that the packet capture outside the FWSM module also had the out of order packets and re-transmissions. You could possibly resolve the issue by changing something on the FWSM, but I think the root of your problem would not be solved.

I don't know of any commands that will help with fragmentation on the ASA so I won't be much help there.

Community Member

It is an interesting issue, the download succeeds outside the FWSM - I have contacted the ISP and they just say the link has been up for 36 weeks.

Not much help really.

 

Roger

 

Community Member

Yeah they won't be, it was the same issue with me even when I provided them packet captures of my laptop directly connected to the modem with the out of order packets. I agree it is definitely something in the FWSM that is killing the download. When I had my laptop connected to the modem large downloads completed fine, but I was not being firewalled and Windows was able to handle the fragmentation.

If TAC comes back with a command to help the issue I would be interested in knowing it.

Community Member

Hi,

Have you resolved the issue yet?

Are you running any url-server (Websense etc.) in your setup?

If so, are you able to download on a different port than 80/443?

 

Best regards.

 

Stefan
