Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

delayed http lookups on 5505


I have recently replaced a netgear firewall for an ASA5505. Below is my

config. My problem is that when I browse the web from my linux box,

anytime I hit a new site, it seems to take about 30 seconds to a minute

to do the lookup before I can actually get to the site. The DNS entries are

correct, so I don't really know why else it takes so long.

Anyone have ideas?

# sh run

: Saved


ASA Version 7.2(3)


hostname myhomenet

domain-name network.local

enable password xxx




interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


passwd xxx

banner motd

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 73.x.x.205

name-server 68.x.x.98

domain-name network.local

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http INSIDE inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet inside

telnet timeout 10

ssh INSIDE inside

ssh timeout 10

console timeout 0

dhcpd auto_config outside


dhcpd address inside

dhcpd enable inside




username winky password xxx

encrypted privilege 15

prompt hostname context


: end

New Member

Re: delayed http lookups on 5505

What happens if you use an IP address rather than a URL in the web browser?

New Member

Re: delayed http lookups on 5505

It's hard for me to say. When I put in the domain name, it always takes a while, but it seems 1 out of 5 tries using the ip address will load pretty quickly.

But for the most part, it takes just as long whether it's w/ a domain name or ip address.

New Member

Re: delayed http lookups on 5505



dns domain-lookup outside

no dns domain-lookup inside

tcp-map MYTCPMAP

exceed-mss allow

class-map global-class

match any

policy-map type inspect dns preset_dns_map


message-length maximum 2048

policy-map global_policy

class inspection_default

no inspect http

inspect dns preset_dns_map

class global-class

set connection advanced-options MYTCPMAP

New Member

Re: delayed http lookups on 5505

Well, I tried entering these commands and ran up against the following errors ...

winky(config)# dns domain-lookup outside

winky(config)# no dns domain-lookup inside

winky(config)# tcp-map MYTCPMAP

winky(config-tcp-map)# exceed-mss allow

winky(config-tcp-map)# class-map global-class

winky(config-cmap)# match any

winky(config-cmap)# policy-map type inspect dns preset_dns_map

winky(config-pmap)# parameters

winky(config-pmap-p)# message-length maximum 2048

winky(config-pmap-p)# policy-map global_policy

winky(config-pmap)# class inspection_default

ERROR: % class-map inspection_default not configured

winky(config-pmap)# no inspect http


ERROR: % Invalid input detected at '^' marker.

New Member

Re: delayed http lookups on 5505


thats the name of the Default Inspection on your ASA. Its a name. Prove your name with "sh run".

In old PIX Version was the command "inspect...".

kind Regards


CreatePlease to create content