New Member

Firewall Service Degradation

Dear Support ,

We have observed an issue of ASA 5585 firewall service degradation in our production network.

TOPOLOGY:

We have following topology design:

Inside: Vlan 300(Server Vlan)

Portchannel Subinterface IP is 172.16.0.2 255.255.255.0....(All Server Gateway IP)

Outside: Vlan301 (User Vlan)

PortChannel Subinterface IP is 10.100.3.254....(All User Gateway IP)

Outside1: for Internet Access

Now on this firewall all users and servers are allowed to access the internet (router 3945), which is also connected to the firewall.

All users are allowed to access the servers where all applications are running.

We have created a port channel of Gig0/6 and Gig0/7 where all these VLANs are configured.

ISSUE:

During office working hours, when most of the users (250) are connecting and the gateway of all users is 10.100.3.254, we are facing ping delay and request timeout issues and are unable to access the internet and the application servers.

During troubleshooting, when we restart the firewall all services become normal and the ping response becomes 1ms; then everything works fine.

Identify the Problem (RCA):

We need to find where the problem exists and why the issue is happening after 1 week or 10 days. Please advise about any firewall troubleshooting guide to fix this issue.

4 REPLIES
Silver

Firewall Service Degradation

Set up a NetFlow collector with Cisco switches or the ASA to monitor your normal traffic flows, pick hours, and look at the services and sources that are top talkers on the network.

Value our effort and rate the assistance!
Silver

Firewall Service Degradation

You need to know how much traffic and what type of traffic goes through your firewall to understand what could be causing latency. You also need to check basic things like interfaces.

If you have Cisco switches, you can configure NetFlow to collect all this information. If you do not, you can configure NetFlow on the ASA, but it has its limitations regarding not giving out real-time statistics, based on the fact that it needs the connection to be built, and when it is torn down it gives out info to build a report.

Netflow on ASA

https://supportforums.cisco.com/docs/DOC-6113

Value our effort and rate the assistance!
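The following is an added example of an ASA NetFlow Secure Event Logging (NSEL) export configuration; it is not part of the thread or the linked document. It assumes a collector at 172.16.0.50 on the inside interface listening on UDP 2055 (constructed values), and it uses the active refresh-interval so long-lived flows are reported periodically rather than only at teardown, which is the limitation noted above.

```cisco
! Added example (not from the thread): NSEL export from an ASA to a NetFlow collector.
! Assumed collector: 172.16.0.50 via interface "inside", UDP port 2055 (constructed values).

! Export destination: interface name, collector address, UDP port
flow-export destination inside 172.16.0.50 2055
! Resend templates every minute so the collector can always decode records
flow-export template timeout-rate 1
! Do not export flow-create events for flows shorter than 15 seconds (cuts export volume)
flow-export delay flow-create 15
! Periodic updates for long-lived flows every 5 minutes, instead of waiting for teardown
! (available on ASA 8.4(5)/9.1(2) and later)
flow-export active refresh-interval 5
! NSEL records duplicate several connection syslogs; suppress those to save CPU
logging flow-export-syslogs disable

! Select the traffic to export (everything here; narrow the ACL if export volume is a concern)
access-list flow_export_acl extended permit ip any any
class-map flow_export_class
 match access-list flow_export_acl

! Attach the class to the existing global policy
policy-map global_policy
 class flow_export_class
  flow-export event-type all destination 172.16.0.50
service-policy global_policy global

! Verify that records are leaving the box and that the collector is reachable
show flow-export counters
show running-config flow-export
```

After a few minutes the collector should list the inside (172.16.0.0/24) and user (10.100.3.0/24) networks as sources; comparing the top talkers during a healthy period with those during the slowdown is what the reply above is pointing at.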
Silver

Firewall Service Degradation

This video is really nice:

http://media.plixer.com/screencasts/ciscoAsaConfigurationUsingAsdm/ciscoAsaConfigurationUsingAsdm.html

Value our effort and rate the assistance!
Silver

Firewall Service Degradation

Or you can enable threat-detection, which gives you real-time stats, but it is CPU intensive.

Value our effort and rate the assistance!
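As an added example (not from the thread), here is a scoped threat-detection configuration together with the baseline show commands worth capturing once while the ASA is healthy and again during the slowdown. Scoping the statistics keywords is what keeps the CPU cost mentioned above under control; the exact `show threat-detection statistics top` keywords vary slightly between ASA releases, so check them against your version.

```cisco
! Added example (not from the thread): scoped threat-detection plus a health baseline.
! basic-threat is cheap and on by default; the "statistics" keywords are the CPU-heavy part,
! so enable only what you need and remove them once the data is collected.
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics port
threat-detection statistics protocol
! Per-host tracking is the heaviest; keep a single rate interval to limit memory and CPU
threat-detection statistics host number-of-rate 1

! Real-time top talkers and drop rates
show threat-detection statistics host
show threat-detection statistics top access-list
show threat-detection statistics top port
show threat-detection statistics top protocol
show threat-detection rate

! Baseline health: run these when the box is fine and again when users report delay,
! and compare. A value that only climbs until a reboot is the thing to chase.
show cpu usage
show memory
show conn count
show xlate count
show perfmon
show traffic
show resource usage
show asp drop
show blocks
! Port-channel and member interface errors (overruns, drops) for Gig0/6 and Gig0/7
show port-channel summary
show interface | include line protocol|errors|overrun|underrun|drops

! Remove the expensive statistics once the data has been collected
no threat-detection statistics host
no threat-detection statistics access-list
no threat-detection statistics port
no threat-detection statistics protocol
```

Note that `show asp drop` is cumulative since boot, so take two readings a few minutes apart and look at which counters are moving.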