01-29-2012 01:56 AM - edited 03-11-2019 03:20 PM
Hello,
Excuse me, I am not good at English, but I would like to post our problem in this forum.
I am new to the Cisco ASA.
We have installed an ASA 5510 with 3 interfaces: dmz (web server 172.20.0.59, application server 172.20.0.58, mail server 172.20.0.157), inside (LAN) and outside (connected to a router for the Internet connection).
The problem is that the Internet connection is slow on the inside (LAN).
Our DNS is on the outside with IP address x.x.x.60 (the DNS has its address translated to 172.20.0.60 for inside and dmz). The router connected to our ISP has x.x.x.33 (our default gateway for the Internet). There is a simple switch between the firewall and the router. The inside interface of the ASA is connected to a Cisco Catalyst 6509 (the gigabit interface of the 6509 is configured to auto speed and duplex). The ASA has a base license.
Here is the configuration of the ASA and the output of the commands show interface (inside, outside), show asp drop and show perfmon.
firewall# show run
ASA Version 8.2(1)
!
hostname firewall
domain-name xxx.xx
enable password dgft12ghkHKM123Z encrypted
passwd dgft12ghkHKM123Z encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address X.X.X.35 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.20.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXX.XX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list aclin extended permit icmp any any
access-list aclin extended permit tcp any host X.X.X.59 eq www
access-list aclin extended permit tcp any host X.X.X.59 eq https
access-list aclin extended permit tcp any host X.X.X.58 eq 8080
access-list aclin extended permit tcp any host X.X.X.57 eq smtp
access-list aclin extended permit tcp any host X.X.X.57 eq www
access-list aclin extended permit tcp any host X.X.X.57 eq https
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 3 x.x.x.36
global (outside) 1 x.x.x.37
global (outside) 2 interface
nat (inside) 2 172.19.0.0 255.255.0.0
nat (inside) 3 172.18.0.0 255.255.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 3 172.17.0.0 255.255.0.0
static (dmz,outside) x.x.x.59 172.20.0.59 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.58 netmask 255.255.255.255 dns
static (dmz,outside) x.x.x.58 172.20.0.57 netmask 255.255.255.255 dns
static (outside,inside) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
static (outside,dmz) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.252.0.0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
route inside 172.16.0.0 255.252.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.17.0.7 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username asa-firewall password sghjGYTHklp123/2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
: end
firewall# show interface inside
Interface Ethernet0/0 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address yyyyyyyy, MTU 1500
IP address 172.16.0.1, subnet mask 255.255.255.0
70127665 packets input, 42192750649 bytes, 0 no buffer
Received 3 broadcasts, 0 runts, 0 giants
750 input errors, 0 CRC, 0 frame, 750 overrun, 0 ignored, 0 abort
0 L2 decode drops
51323158 packets output, 62965307006 bytes, 47 underruns
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "inside":
47862682 packets input, 10371897943 bytes
51323205 packets output, 62024509763 bytes
6234155 packets dropped
1 minute input rate 4662 pkts/sec, 404624 bytes/sec
1 minute output rate 4955 pkts/sec, 5594416 bytes/sec
1 minute drop rate, 33 pkts/sec
5 minute input rate 4755 pkts/sec, 413792 bytes/sec
5 minute output rate 5042 pkts/sec, 5643702 bytes/sec
5 minute drop rate, 34 pkts/sec
firewall# show interface outside
Interface Ethernet0/1 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address wwwwwwwwww, MTU 1500
IP address x.x.x.35, subnet mask 255.255.255.224
51502324 packets input, 63085165464 bytes, 0 no buffer
Received 4066 broadcasts, 0 runts, 0 giants
709 input errors, 0 CRC, 0 frame, 709 overrun, 0 ignored, 0 abort
0 L2 decode drops
64165663 packets output, 36014425132 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/66)
Traffic Statistics for "outside":
51481875 packets input, 62141029836 bytes
64165663 packets output, 34671300957 bytes
945530 packets dropped
1 minute input rate 5085 pkts/sec, 5612762 bytes/sec
1 minute output rate 4658 pkts/sec, 446820 bytes/sec
1 minute drop rate, 131 pkts/sec
5 minute input rate 5163 pkts/sec, 5661068 bytes/sec
5 minute output rate 4749 pkts/sec, 452024 bytes/sec
5 minute drop rate, 125 pkts/sec
firewall# show perfmon
PERFMON STATS: Current Average
Xlates 133/s 122/s
Connections 225/s 222/s
TCP Conns 112/s 99/s
UDP Conns 102/s 112/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 12/s 19/s
HTTP Fixup 0/s 0/s
FTP Fixup 2/s 1/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 100.00%
firewall# show asp drop
Frame drop:
Invalid IP header (invalid-ip-header) 4
Invalid UDP Length (invalid-udp-length) 2
No valid adjacency (no-adjacency) 4
Flow is denied by configured rule (acl-drop) 1469067
Flow denied due to resource limitation (unable-to-create-flow) 44
First TCP packet not SYN (tcp-not-syn) 80169
Bad TCP flags (bad-tcp-flags) 1647
TCP Dual open denied (tcp-dual-open) 13
TCP data send after FIN (tcp-data-past-fin) 4
TCP failed 3 way handshake (tcp-3whs-failed) 5328
TCP RST/FIN out of order (tcp-rstfin-ooo) 15946
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 942
TCP SYNACK on established conn (tcp-synack-ooo) 342
TCP packet SEQ past window (tcp-seq-past-win) 1719
TCP invalid ACK (tcp-invalid-ack) 439
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 1
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 396
TCP RST/SYN in window (tcp-rst-syn-in-win) 4226
TCP packet failed PAWS test (tcp-paws-fail) 917
Slowpath security checks failed (sp-security-failed) 7637
Expired flow (flow-expired) 1
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 137
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 20
DNS Inspect invalid packet (inspect-dns-invalid-pak) 805
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 45
DNS Inspect id not matched (inspect-dns-id-not-matched) 59760
Interface is down (interface-down) 5
RM connection limit reached (rm-conn-limit) 6115428
Dropped pending packets in a closed socket (np-socket-closed) 1
Last clearing: Never
Flow drop:
NAT failed (nat-failed) 19490
NAT reverse path failed (nat-rpf-failed) 131620
Inspection failure (inspect-fail) 23666
Last clearing: Never
I see overrun and underrun errors on both interfaces, inside and outside, but I have no idea how to resolve them. The Internet connection has become very slow on the LAN.
Thanks in advance for your help.
01-29-2012 01:51 PM
Hello Chacha,
First of all, here is a good explanation of what is happening here:
overrun: Description: The number of times the receiver hardware was unable to hand received data to a hardware buffer. Common cause: the input rate of traffic exceeded the ability of the receiver to handle the data.
underruns: Description: The number of times that the transmitter has been running faster than the switch can handle. Common causes: this can occur in a high-throughput situation where an interface is hit with a high volume of bursty traffic from many other interfaces all at once. Interface resets can occur along with the underruns.
So the problem is behind the inside interface; as you can see, on the DMZ you do not have the same issues. I would start by hardcoding the duplex and speed on the ASA and the internal switch. Try that and let us know.
Regards,
Julio
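As an added triage helper (not from the thread, Chacha's ASA or Cisco), this Python script parses the counters quoted above from a constructed "show interface" sample and applies the reading Julio gives: CRC errors or late collisions point at a duplex mismatch, overruns at receive-side saturation, underruns and interface resets at bursty fan-in on transmit, and a sustained drop rate at the ASA's own policy, which "show asp drop" explains.

```python
import re

# Constructed sample modelled on the counters quoted in the thread (not a live capture).
SHOW_INTERFACE = """\
Interface Ethernet0/0 "inside", is up, line protocol is up
70127665 packets input, 42192750649 bytes, 0 no buffer
750 input errors, 0 CRC, 0 frame, 750 overrun, 0 ignored, 0 abort
51323158 packets output, 62965307006 bytes, 47 underruns
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
5 minute drop rate, 34 pkts/sec
Interface Ethernet0/1 "outside", is up, line protocol is up
51502324 packets input, 63085165464 bytes, 0 no buffer
709 input errors, 0 CRC, 0 frame, 709 overrun, 0 ignored, 0 abort
64165663 packets output, 36014425132 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
5 minute drop rate, 125 pkts/sec
"""

COUNTERS = {  # counter name -> regex capturing its value inside one interface block
    "packets_input": r"(\d+) packets input",
    "crc": r"(\d+) CRC",
    "overrun": r"(\d+) overrun",
    "underruns": r"(\d+) underruns",
    "late_collisions": r"(\d+) late collisions",
    "interface_resets": r"(\d+) interface resets",
    "drop_rate_5m": r"5 minute drop rate, (\d+) pkts/sec",
}

def _num(pat, body):
    m = re.search(pat, body)
    return int(m.group(1)) if m else 0

def parse_show_interface(text):
    """Return {interface name: {counter: int}} from 'show interface' output."""
    # re.split with one capture group yields [preamble, name1, body1, name2, body2, ...]
    parts = re.split(r'(?m)^Interface \S+ "([^"]+)"', text)
    return {name: {k: _num(p, body) for k, p in COUNTERS.items()}
            for name, body in zip(parts[1::2], parts[2::2])}

def assess(c):
    """Heuristic triage of one interface's counters; returns a list of findings."""
    findings = []
    if c["crc"] or c["late_collisions"]:
        findings.append("crc/late collisions: duplex mismatch signature, hardcode speed/duplex on both ends")
    if c["overrun"]:
        pct = 100.0 * c["overrun"] / max(c["packets_input"], 1)
        findings.append(f"overrun {c['overrun']} ({pct:.4f}% of input): receiver cannot absorb input bursts")
    if c["underruns"] or c["interface_resets"]:
        findings.append(f"underruns {c['underruns']}, resets {c['interface_resets']}: transmitter outran the link (bursty fan-in)")
    if c["drop_rate_5m"]:
        findings.append(f"sustained {c['drop_rate_5m']} pkts/sec dropped: check 'show asp drop' for the reason")
    return findings
```

With the thread's numbers, neither interface shows CRC or late collisions, so the script does not flag a duplex mismatch, which matches what Chacha later confirmed after hardcoding both ends.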
02-12-2012 03:14 AM
Hello,
Thank you for the reply.
I verified that both interfaces (the inside of the ASA and the interface of the 6509 connected to the ASA) have the same configuration for speed and duplex.
I had tried both configurations (full duplex and speed 100) and (duplex auto and speed auto), but the underrun and overrun errors still appear.
The 6509 has only full and half duplex; there is no duplex auto command, so I had configured the duplex to full on the interface of the 6509 instead of auto.
Regards,
02-12-2012 05:47 PM
Hello Chacha,
Can you connect a PC directly to the ASA (to an unused port) without a switch, so you can test the speed of the connection?
That would let you know whether the problem is on the ASA or not. If it is, it is the ASA, but based on the information you just gave me, I do not think it is an ASA issue!
Regards,
Julio