Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

slow internet connextion behind asa 5510 ios 8.2

hello;

excuse me ; i am not good in english but i would like to post in this forum our problem

I am new to the cisco asa; 

we have installed an asa 5510 with 3 interfaces : dmz (web server 172.20.0.59;application server 172.20.0.58; server mail 172.20.0.157), inside (lan) and outside (connected to a router for internet connexion).

the problem is that the connexion internet is slow in the inside (lan).

our dns is in the ouside with ip address x.x.x.60 ( the dns have translated addresse to inside and dmz 172.20.0.60). the router connected to our IPS have x.x.x.33 (our default gateway for internet). there is a simple switch between firewall and router. the inside interface of the asa is connected to catalyst cisco 6509 (the interface gigabit of the 6509 is configured to auto speed and duplex).  the asa have base lisence.

here is the configuration of the asa and the output of commandes show interfaces (inside, outside), show asp drop , show perform.

firewall# show run

ASA Version 8.2(1)

!

hostname firewall

domain-name xxx.xx

enable password dgft12ghkHKM123Z encrypted

passwd dgft12ghkHKM123Z encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.16.0.1 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address X.X.X.35 255.255.255.224

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.20.0.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name XXX.XX

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list aclin extended permit icmp any any

access-list aclin extended permit tcp any host X.X.X.59 eq www

access-list aclin extended permit tcp any host X.X.X.59 eq https

access-list aclin extended permit tcp any host X.X.X.58 eq 8080

access-list aclin extended permit tcp any host X.X.X.57 eq smtp

access-list aclin extended permit tcp any host X.X.X.57 eq www

access-list aclin extended permit tcp any host X.X.X.57 eq https

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 3 x.x.x.36

global (outside) 1 x.x.x.37

global (outside) 2 interface

nat (inside) 2 172.19.0 255.255.0.0

nat (inside) 3 172.18.0.0 255.255.0.0

nat (inside) 1 172.16.0.0 255.255.0.0

nat (inside) 3 172.17.0.0 255.255.0.0

static (dmz,outside) x.x.x.59 172.20.0.59 netmask 255.255.255.255 dns

static (dmz,outside) x.x.x.58 172.20.0.58 netmask 255.255.255.255 dns

static (dmz,outside) x.x.x.58 172.20.0.57 netmask 255.255.255.255 dns

static (outside,inside) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns

static (outside,dmz) 172.20.0.60 x.x.x.60 netmask 255.255.255.255 dns

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.252.0.0

access-group aclin in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.33 1

route inside 172.16.0.0 255.252.0.0 172.16.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 172.17.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 172.16.0.0 255.255.0.0 inside

telnet timeout 5

ssh 172.17.0.7 255.255.255.255 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username asa-firewall password sghjGYTHklp123/2 encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:yyyyyyyyyyyyyyyyyyyyyyyyyyyyy

           : end

firewall# show interface inside

Interface Ethernet0/0 "inside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address yyyyyyyy, MTU 1500

    IP address 172.16.0.1, subnet mask 255.255.255.0

    70127665 packets input, 42192750649 bytes, 0 no buffer

    Received 3 broadcasts, 0 runts, 0 giants

    750 input errors, 0 CRC, 0 frame, 750 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    51323158 packets output, 62965307006 bytes, 47 underruns

    0 output errors, 0 collisions, 4 interface resets

    0 late collisions, 0 deferred

    0 input reset drops, 0 output reset drops, 0 tx hangs

    input queue (blocks free curr/low): hardware (255/230)

    output queue (blocks free curr/low): hardware (255/0)

  Traffic Statistics for "inside":

    47862682 packets input, 10371897943 bytes

    51323205 packets output, 62024509763 bytes

    6234155 packets dropped

      1 minute input rate 4662 pkts/sec,  404624 bytes/sec

      1 minute output rate 4955 pkts/sec,  5594416 bytes/sec

      1 minute drop rate, 33 pkts/sec

      5 minute input rate 4755 pkts/sec,  413792 bytes/sec

      5 minute output rate 5042 pkts/sec,  5643702 bytes/sec

      5 minute drop rate, 34 pkts/sec

firewall# show interface outside

Interface Ethernet0/1 "outside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address wwwwwwwwww, MTU 1500

    IP address x.x.x.35, subnet mask 255.255.255.224

    51502324 packets input, 63085165464 bytes, 0 no buffer

    Received 4066 broadcasts, 0 runts, 0 giants

    709 input errors, 0 CRC, 0 frame, 709 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    64165663 packets output, 36014425132 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 late collisions, 0 deferred

    0 input reset drops, 0 output reset drops, 0 tx hangs

    input queue (blocks free curr/low): hardware (255/230)

    output queue (blocks free curr/low): hardware (255/66)

  Traffic Statistics for "outside":

    51481875 packets input, 62141029836 bytes

    64165663 packets output, 34671300957 bytes

    945530 packets dropped

      1 minute input rate 5085 pkts/sec,  5612762 bytes/sec

      1 minute output rate 4658 pkts/sec,  446820 bytes/sec

      1 minute drop rate, 131 pkts/sec

      5 minute input rate 5163 pkts/sec,  5661068 bytes/sec

      5 minute output rate 4749 pkts/sec,  452024 bytes/sec

      5 minute drop rate, 125 pkts/sec

firewall# show perfmon

PERFMON STATS:                     Current      Average

Xlates                              133/s        122/s

Connections                         225/s        222/s

TCP Conns                           112/s         99/s

UDP Conns                           102/s        112/s

URL Access                            0/s          0/s

URL Server Req                        0/s          0/s

TCP Fixup                             0/s          0/s

TCP Intercept Established Conns       0/s          0/s

TCP Intercept Attempts                0/s          0/s

TCP Embryonic Conns Timeout          12/s         19/s

HTTP Fixup                            0/s          0/s

FTP Fixup                             2/s          1/s

AAA Authen                            0/s          0/s

AAA Author                            0/s          0/s

AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average

                                       N/A         100.00%

firewall# show asp drop

Frame drop:

  Invalid IP header (invalid-ip-header)                                        4

  Invalid UDP Length (invalid-udp-length)                                      2

  No valid adjacency (no-adjacency)                                            4

  Flow is denied by configured rule (acl-drop)                           1469067

  Flow denied due to resource limitation (unable-to-create-flow)              44

  First TCP packet not SYN (tcp-not-syn)                                   80169

  Bad TCP flags (bad-tcp-flags)                                             1647

  TCP Dual open denied (tcp-dual-open)                                        13

  TCP data send after FIN (tcp-data-past-fin)                                  4

  TCP failed 3 way handshake (tcp-3whs-failed)                              5328

  TCP RST/FIN out of order (tcp-rstfin-ooo)                                15946

  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                           942

  TCP SYNACK on established conn (tcp-synack-ooo)                            342

  TCP packet SEQ past window (tcp-seq-past-win)                             1719

  TCP invalid ACK (tcp-invalid-ack)                                          439

  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                       1

  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)                396

  TCP RST/SYN in window (tcp-rst-syn-in-win)                                4226

  TCP packet failed PAWS test (tcp-paws-fail)                                917

  Slowpath security checks failed (sp-security-failed)                      7637

  Expired flow (flow-expired)                                                  1

  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)        137

  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)    20

  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       805

  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)         45

  DNS Inspect id not matched (inspect-dns-id-not-matched)                  59760

  Interface is down (interface-down)                                           5

  RM connection limit reached (rm-conn-limit)                            6115428

  Dropped pending packets in a closed socket (np-socket-closed)                1

Last clearing: Never

Flow drop:

  NAT failed (nat-failed)                                                  19490

  NAT reverse path failed (nat-rpf-failed)                                131620

  Inspection failure (inspect-fail)                                        23666

Last clearing: Never

i see overrun and underruns errors in both interfaces inside and outside.  but no idea to resolve it. the internet connection has become very slow in the lan.

. Thanks in advance for your help.

3 REPLIES

slow internet connextion behind asa 5510 ios 8.2

Hello Chacha,

First of all here is a good explanation of what is happening here:

overrun

Description: The number of times the receiver hardware was unable to hand received data to a hardware buffer.

Common Cause: The input rate of traffic exceeded the ability of the receiver to handle the data.

underruns

Description: The number of times that the transmitter has been that run faster than the switch can handle.

Common Causes: This  can occur in a high throughput situation where an interface is hit with  a high volume of bursty traffic from many other interfaces all at once. Interface resets can occur along with the underruns.

So the problem it is behind the inside interface, as you can see from the DMZ you do not have the same issues, I would start hardcoding the duplex and speed on the ASA and internal switch, try that and let us know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

slow internet connextion behind asa 5510 ios 8.2

hello,

thank you for the reply

I verified that both interfaces (inside of the asa and the interface of 6509 connected to the asa) have the same configuration for speed and duplex.

i had tried the both configuration (full duplex and speed 100 ) and (duplex auto and speed auto) but the underruns and overruns errors still appear.

the 6509 has only full and half duplex there is not duplex auto command so i had configured the duplex for full at the interface of the 6509 inftead of auto.

regards,

slow internet connextion behind asa 5510 ios 8.2

Hello Chacha,

Can you connect a PC directly to the ASA ( to a non-used port)  without a switch so you can test the speed of the connection.

That would let you know the problem is not on the ASA or if the case Its the ASA but based on the information you just gave me do not think its an ASA issue!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
1995
Views
0
Helpful
3
Replies
CreatePlease to create content