Cisco Support Community

Poor throughput when using CX on ASA5525-X

We recently had a new WAN connection installed (1Gbps) and bought an ASA5525-X (9.1.2) to provide firewall and VPN services (1 L2L and a small number of remote users) to our site. Everything seemed to be working OK when initially installed, but after we enabled the CX module (9.1.1) and started passing traffic to it, transfer rates plummeted, especially when trying to upload videos to YouTube/Dropbox and files to servers in our DMZ.

As an example, downloading the 1GB file from http://www.thinkbroadband.com/download/ over port 80 easily hits 50MB/s with CX turned off; with it on, it struggles to hit 10MB/s.

We currently have 3 interfaces configured (Outside, Inside and DMZ), all auto-negotiating at 1000/Full and all connected to the inside switch, which is carved up into separate VLANs for the 3 segments. The ASA's inside interface is the network default gateway, as we have no internal router, and the switch sitting behind the firewall is an old ProCurve 2848.


Service policy rules on the ASA are global inspection_default (HTTP turned off as per the CX guide) and interface inside matching any traffic and passing it to the CX module (tcp-state-bypass is currently checked temporarily which disables the CX checking to improve the speed while trying to solve the issue).

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 7379716, lock fail 0, drop 7057, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 149394, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 287
      Inspect: h323 ras _default_h323_map, packet 1, lock fail 0, drop 1, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 666152, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 146928, lock fail 0, drop 1, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 64156
      Inspect: netbios, packet 287828, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: tftp, packet 31782, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ftp, packet 779064, lock fail 0, drop 0, reset-drop 0, v6-fail-close 0

Interface Inside:
  Service-policy: Inside-policy
    Class-map: Inside-class
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 25573116, packet output 25039293, drop 0, reset-drop 0, proxied 0
      Set connection policy:         drop 0
      Set connection advanced-options: tcp-state-bypass

Is there something wrong with how I'm configuring the ASA in terms of the description above? Any help/pointers would be appreciated, Thanks.

Just to add - I've created an Etherchannel link for the Inside interface of 4x1Gb ports and it's made no improvement.
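
Added example, not part of the original post: a small Python audit of the service-policy output quoted above. It reports each class that redirects to the CX module together with its fail mode, its packet counters, and whether tcp-state-bypass is still set on that class. The function name and record fields are hypothetical, and the sample input is constructed from the post's own output.

```python
import re

# Constructed sample: the Inside-policy part of the output quoted in the post.
SAMPLE = """\
Interface Inside:
  Service-policy: Inside-policy
    Class-map: Inside-class
      CXSC: card status Up, mode fail-open, auth-proxy disabled
        packet input 25573116, packet output 25039293, drop 0, reset-drop 0, proxied 0
      Set connection policy:         drop 0
      Set connection advanced-options: tcp-state-bypass
"""

CXSC_RE = re.compile(r"CXSC: card status (\S+), mode (fail-open|fail-close)")
PKT_RE = re.compile(r"packet input (\d+), packet output (\d+), drop (\d+)")

def audit_cx_redirect(text):
    """Return one record per class-map that redirects traffic to the CX module."""
    classes, policy, cur = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Service-policy:"):
            policy = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            cur = {"policy": policy, "class": line.split(":", 1)[1].strip(),
                   "cxsc": False, "bypass": False}
            classes.append(cur)
        elif cur is None:
            continue  # header lines before the first class-map
        elif m := CXSC_RE.search(line):
            cur.update(cxsc=True, card=m.group(1), mode=m.group(2))
        elif (m := PKT_RE.search(line)) and cur["cxsc"]:
            pkt_in, pkt_out, drop = map(int, m.groups())
            cur.update(pkt_in=pkt_in, pkt_out=pkt_out, drop=drop)
        elif line.startswith("Set connection advanced-options:"):
            cur["bypass"] = "tcp-state-bypass" in line
    redirected = [c for c in classes if c["cxsc"]]
    for c in redirected:
        f = c["findings"] = []
        if c["card"] != "Up":
            f.append("CX card is not Up")
        if c["mode"] == "fail-open":
            f.append("fail-open: traffic is passed uninspected if the module is unavailable")
        if c["bypass"]:
            f.append("tcp-state-bypass set on a CX class (the post says this disables CX checking)")
    return redirected

if __name__ == "__main__":
    for c in audit_cx_redirect(SAMPLE):
        # The counter difference is printed as a raw number for the operator to interpret.
        print(c["policy"], c["class"], c["pkt_in"] - c["pkt_out"], c["findings"])
```

Running the same check after troubleshooting is a quick way to confirm the temporary tcp-state-bypass setting was removed from the CX class.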
