Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
331
Views
0
Helpful
4
Replies

Firewall Service Degradation

kashif.noor
Level 1
Level 1

‎11-17-2013 10:20 PM - edited ‎03-11-2019 08:06 PM

Dear Support ,

we have observed an issue of ASA 5585 Firewall service degradation in production Network,

TOPOLOGY:

We have following topology design:

Inside: Vlan 300(Server Vlan)

Portchannel Subinterface IP is 172.16.0.2 255.255.255.0....(All Server Gateway IP)

Outside: Vlan301 (User Vlan)

PortChannel Subinterface IP is 10.100.3.254....(All User Gateway IP)

Outside1: for Internet Access

Now on this firewall all user and server is allowed to access the internet (router 3945) also which is connected to firewall.

All user is allowed to access the server where all application is working.

we have created the port channel of Gig0/6 and Gig0/7 where all this vlan are configured.

ISSUE:

In Office working time where most of the users (250) are connecting and the gateway of all user is (10.100.3.254). Facing ping delay issue  and request timeout issue and unable to access the internet and application server.

During troubleshooting when we restart the Firewall all service become normal and ping repsonse is become 1ms....then all things working fine.

Identify the Problem(RCA):

we need to problem where it is exist and why issue happaning after 1 week or 10 days.please advise about any Firewall troubleshooting guide to fix this issue.

Labels:
Preview file
64 KB
0 Helpful
4 Replies 4

jumora
Level 7
Level 7

‎11-18-2013 08:50 PM

Setup netflow collector with Cisco switches or ASA to monitor your normal traffic flows and pick hours and look at the services and sources that are top talkers on the network.

Value our effort and rate the assistance!
0 Helpful

jumora
Level 7
Level 7

‎11-20-2013 07:11 AM

You need to know how much traffic and what type of traffic goes through your firewall to understand what could be causing latency. You also need to check basic things like interfaces.

If you have Cisco switches you can configure Netflow to collect all this information if you do not you can configure netflow on the ASA but it has its limitations regarding not giving out real time statistics based on the fact that it needs the connection to be built and when it is teardown it gives out info to build a report.

Netflow on ASA

https://supportforums.cisco.com/docs/DOC-6113

Value our effort and rate the assistance!
0 Helpful

jumora
Level 7
Level 7

‎11-20-2013 07:13 AM

This video is really nice:

http://media.plixer.com/screencasts/ciscoAsaConfigurationUsingAsdm/ciscoAsaConfigurationUsingAsdm.html

Value our effort and rate the assistance!
0 Helpful

jumora
Level 7
Level 7
In response to jumora

‎11-20-2013 07:15 AM

Or you can enable threat-detection that gives you real time stats but that it is CPU intensive.

Value our effort and rate the assistance!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card