slow internet connection behind asa 5510 ios 8.2

chacha-micha
Level 1

Hello;

Excuse me; I am not good in English, but I would like to post our problem in this forum.

I am new to the Cisco ASA.

We have installed an ASA 5510 with 3 interfaces: dmz (web server 172.20.0.59; application server 172.20.0.58; mail server 172.20.0.157), inside (LAN) and outside (connected to a router for the internet connection).

The problem is that the internet connection is slow on the inside (LAN).

Our DNS is on the outside with IP address x.x.x.60 (the DNS has a translated address on the inside and dmz, 172.20.0.60). The router connected to our ISP has x.x.x.33 (our default gateway for the internet). There is a simple switch between the firewall and the router. The inside interface of the ASA is connected to a Cisco Catalyst 6509 (the gigabit interface of the 6509 is configured to auto speed and duplex). The ASA has the base license.

Here is the configuration of the ASA and the output of the commands show interface (inside, outside), show asp drop, and show perfmon.

firewall# show run
ASA Version 8.2(1)
!
hostname firewall
domain-name xxx.xx
enable password dgft12ghkHKM123Z encrypted
passwd dgft12ghkHKM123Z encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address X.X.X.35 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.20.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXX.XX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list aclin extended permit icmp any any
access-list aclin extended permit tcp any host X.X.X.59 eq www
access-list aclin extended permit tcp any host X.X.X.59 eq https
access-list aclin extended permit tcp any host X.X.X.58 eq 8080
access-list aclin extended permit tcp any host X.X.X.57 eq smtp
access-list aclin extended permit tcp any host X.X.X.57 eq www
access-list aclin extended permit tcp any host X.X.X.57 eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 3 x.x.x.36
global (outside) 1 x.x.x.37
global (outside) 2 interface
nat (inside) 2 172.19.0.0 255.255.0.0
nat (inside) 3 172.18.0.0 255.255.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 3 172.17.0.0 255.255.0.0
static (dmz,outside) x.x.x.59 172.20.0.59 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.58 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.57 netmask 255.255.255.255 dns
static (outside,inside) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
static (outside,dmz) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.252.0.0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
route inside 172.16.0.0 255.252.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.17.0.7 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username asa-firewall password sghjGYTHklp123/2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
: end

firewall# show interface inside
Interface Ethernet0/0 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address yyyyyyyy, MTU 1500
    IP address 172.16.0.1, subnet mask 255.255.255.0
    70127665 packets input, 42192750649 bytes, 0 no buffer
    Received 3 broadcasts, 0 runts, 0 giants
    750 input errors, 0 CRC, 0 frame, 750 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    51323158 packets output, 62965307006 bytes, 47 underruns
    0 output errors, 0 collisions, 4 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/230)
    output queue (blocks free curr/low): hardware (255/0)
  Traffic Statistics for "inside":
    47862682 packets input, 10371897943 bytes
    51323205 packets output, 62024509763 bytes
    6234155 packets dropped
      1 minute input rate 4662 pkts/sec,  404624 bytes/sec
      1 minute output rate 4955 pkts/sec,  5594416 bytes/sec
      1 minute drop rate, 33 pkts/sec
      5 minute input rate 4755 pkts/sec,  413792 bytes/sec
      5 minute output rate 5042 pkts/sec,  5643702 bytes/sec
      5 minute drop rate, 34 pkts/sec

firewall# show interface outside
Interface Ethernet0/1 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    MAC address wwwwwwwwww, MTU 1500
    IP address x.x.x.35, subnet mask 255.255.255.224
    51502324 packets input, 63085165464 bytes, 0 no buffer
    Received 4066 broadcasts, 0 runts, 0 giants
    709 input errors, 0 CRC, 0 frame, 709 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    64165663 packets output, 36014425132 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/230)
    output queue (blocks free curr/low): hardware (255/66)
  Traffic Statistics for "outside":
    51481875 packets input, 62141029836 bytes
    64165663 packets output, 34671300957 bytes
    945530 packets dropped
      1 minute input rate 5085 pkts/sec,  5612762 bytes/sec
      1 minute output rate 4658 pkts/sec,  446820 bytes/sec
      1 minute drop rate, 131 pkts/sec
      5 minute input rate 5163 pkts/sec,  5661068 bytes/sec
      5 minute output rate 4749 pkts/sec,  452024 bytes/sec
      5 minute drop rate, 125 pkts/sec

firewall# show perfmon
PERFMON STATS:                     Current      Average
Xlates                              133/s        122/s
Connections                         225/s        222/s
TCP Conns                           112/s         99/s
UDP Conns                           102/s        112/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                0/s          0/s
TCP Embryonic Conns Timeout          12/s         19/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             2/s          1/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                       N/A         100.00%

firewall# show asp drop
Frame drop:
  Invalid IP header (invalid-ip-header)                                        4
  Invalid UDP Length (invalid-udp-length)                                      2
  No valid adjacency (no-adjacency)                                            4
  Flow is denied by configured rule (acl-drop)                           1469067
  Flow denied due to resource limitation (unable-to-create-flow)              44
  First TCP packet not SYN (tcp-not-syn)                                   80169
  Bad TCP flags (bad-tcp-flags)                                             1647
  TCP Dual open denied (tcp-dual-open)                                        13
  TCP data send after FIN (tcp-data-past-fin)                                  4
  TCP failed 3 way handshake (tcp-3whs-failed)                              5328
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                15946
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           942
  TCP SYNACK on established conn (tcp-synack-ooo)                            342
  TCP packet SEQ past window (tcp-seq-past-win)                             1719
  TCP invalid ACK (tcp-invalid-ack)                                          439
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                       1
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                396
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                4226
  TCP packet failed PAWS test (tcp-paws-fail)                                917
  Slowpath security checks failed (sp-security-failed)                      7637
  Expired flow (flow-expired)                                                  1
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)        137
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)    20
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       805
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)         45
  DNS Inspect id not matched (inspect-dns-id-not-matched)                  59760
  Interface is down (interface-down)                                           5
  RM connection limit reached (rm-conn-limit)                            6115428
  Dropped pending packets in a closed socket (np-socket-closed)                1
Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                  19490
  NAT reverse path failed (nat-rpf-failed)                                131620
  Inspection failure (inspect-fail)                                        23666
Last clearing: Never

I see overrun and underrun errors on both interfaces, inside and outside, but I have no idea how to resolve it. The internet connection has become very slow in the LAN.

Thanks in advance for your help.


Julio Carvajal
VIP Alumni

Hello Chacha,

First of all, here is a good explanation of what is happening here:

overrun

Description: The number of times the receiver hardware was unable to hand received data to a hardware buffer.

Common Cause: The input rate of traffic exceeded the ability of the receiver to handle the data.

underruns

Description: The number of times that the transmitter has been running faster than the switch can handle.

Common Causes: This can occur in a high-throughput situation where an interface is hit with a high volume of bursty traffic from many other interfaces all at once. Interface resets can occur along with the underruns.

So the problem is behind the inside interface; as you can see, from the DMZ you do not have the same issues. I would start by hardcoding the duplex and speed on the ASA and the internal switch. Try that and let us know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
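Overrun and underrun counts only mean something relative to the volume the interface carried, and the posted show asp drop output has counters (rm-conn-limit, acl-drop) that are orders of magnitude larger than the interface errors. As an added example, not the poster's or Cisco's code, the script below parses the two output formats pasted in the thread and ranks what it finds: overruns per million input packets, the share of packets dropped on the interface, and the largest drop reasons with their share of all drops. The sample text embedded in it is copied from the outputs posted above, trimmed to the lines the parser needs; the function names are my own.

```python
"""Rank the counters from an ASA's `show interface` and `show asp drop` output.

Added example (not code from the thread or from Cisco). It reads the same
text format the poster pasted above and reports the ratios a troubleshooter
looks at first, so that interface errors and ASP drop reasons can be compared
on one scale instead of as raw counts.
"""
import re

# Constructed excerpts: these lines are copied from the outputs posted in the
# thread, trimmed to what the parser needs so the example runs offline.
SHOW_INTERFACE_INSIDE = """\
Interface Ethernet0/0 "inside", is up, line protocol is up
    70127665 packets input, 42192750649 bytes, 0 no buffer
    750 input errors, 0 CRC, 0 frame, 750 overrun, 0 ignored, 0 abort
    51323158 packets output, 62965307006 bytes, 47 underruns
    0 output errors, 0 collisions, 4 interface resets
  Traffic Statistics for "inside":
    47862682 packets input, 10371897943 bytes
    51323205 packets output, 62024509763 bytes
    6234155 packets dropped
"""

SHOW_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           1469067
  First TCP packet not SYN (tcp-not-syn)                                   80169
  RM connection limit reached (rm-conn-limit)                            6115428
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                                  19490
  NAT reverse path failed (nat-rpf-failed)                                131620
Last clearing: Never
"""


def _counter(text, pattern):
    """Return the integer captured by `pattern`, or 0 if that line is absent."""
    match = re.search(pattern, text)
    return int(match.group(1)) if match else 0


def parse_interface(text):
    """Pull the hardware and traffic counters relevant to a slow-link complaint."""
    name = re.search(r'Interface \S+ "([^"]+)"', text).group(1)
    return {
        "name": name,
        # hardware counters (first block of the output)
        "hw_packets_input": _counter(text, r"(\d+) packets input, \d+ bytes, \d+ no buffer"),
        "overrun": _counter(text, r"(\d+) overrun"),
        "underruns": _counter(text, r"(\d+) underruns"),
        "interface_resets": _counter(text, r"(\d+) interface resets"),
        # software counters (the "Traffic Statistics" block)
        "packets_input": _counter(text, r"Traffic Statistics[\s\S]*?(\d+) packets input"),
        "packets_dropped": _counter(text, r"(\d+) packets dropped"),
    }


def overruns_per_million(stats):
    """Overruns normalised by input volume, so interfaces with different load compare."""
    return stats["overrun"] * 1_000_000 / stats["hw_packets_input"]


def drop_share(stats):
    """Fraction of input packets the ASA dropped on this interface (0.0 .. 1.0)."""
    return stats["packets_dropped"] / stats["packets_input"]


# One `show asp drop` line: description, (reason-code), count.
ASP_LINE = re.compile(r"^\s+(.+?) \(([\w-]+)\)\s+(\d+)\s*$")


def parse_asp_drop(text):
    """Map each drop reason code to (description, count, section)."""
    section, reasons = None, {}
    for line in text.splitlines():
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:"
            section = line[:-1]
            continue
        match = ASP_LINE.match(line)
        if match:
            desc, code, count = match.groups()
            reasons[code] = (desc, int(count), section)
    return reasons


def top_reasons(reasons, n=3):
    """The n largest drop reasons as (code, count), biggest first."""
    ranked = sorted(reasons.items(), key=lambda item: item[1][1], reverse=True)
    return [(code, count) for code, (_, count, _) in ranked[:n]]


def reason_share(reasons, code):
    """Fraction of all counted drops attributed to one reason code."""
    total = sum(count for _, count, _ in reasons.values())
    return reasons[code][1] / total if total else 0.0


if __name__ == "__main__":
    inside = parse_interface(SHOW_INTERFACE_INSIDE)
    print(f"{inside['name']}: {overruns_per_million(inside):.1f} overruns per million "
          f"input packets, {drop_share(inside):.1%} of input packets dropped, "
          f"{inside['interface_resets']} interface resets")
    drops = parse_asp_drop(SHOW_ASP_DROP)
    for code, count in top_reasons(drops):
        print(f"{code:<16} {count:>9}  ({reason_share(drops, code):.1%} of drops)")
```

Run against the thread's own numbers, the inside interface shows roughly 11 overruns per million input packets but about 13% of its input packets dropped, and rm-conn-limit alone accounts for the bulk of the asp drops. Ranking the counters this way is a useful first step before changing duplex settings: it separates a physical-layer symptom (overruns, underruns, resets) from drops the ASA itself is making, which a duplex change would not affect.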

Hello,

Thank you for the reply.

I verified that both interfaces (the inside interface of the ASA and the interface of the 6509 connected to the ASA) have the same configuration for speed and duplex.

I tried both configurations (full duplex and speed 100) and (duplex auto and speed auto), but the underrun and overrun errors still appear.

The 6509 has only full and half duplex; there is no duplex auto command, so I configured the duplex to full on the interface of the 6509 instead of auto.

Regards,

Hello Chacha,

Can you connect a PC directly to the ASA (to an unused port) without a switch, so you can test the speed of the connection?

That would let you know whether the problem is not on the ASA or, if that is the case, that it is the ASA; but based on the information you just gave me, I do not think it's an ASA issue!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC