I've got an issue with a client of mine running 7.2(2) on an ASA5505. They use a business application called ESignal for some stock exchange analysis or whatever. The application doesn't work well after I installed and configured the ASA there. They experience unusually slow response (from 1 second before the ASA was used to 4-5 after that) and it seems that's a problem for them. Anyway, I did some research on the application and it seems it's using TCP (there's another one running on UDP... first I thought that UDP maybe the problem here but looks like it wasn't the right application... anyway) and a couple of ports have to be opened in the outside direction:
I haven't filtered anything and as I'm using NAT from a lower to a higher security interface this should not be a problem (anyway, ESignal has a diagnostic tool which I asked my customer to run tonight and see if any issues like closed ports arise). Besides that they have about 10-15 PCs running this application and as far as I remember it opens lots of small windows that are constantly refreshing their information, which means LOTS of simultaneous TCP sessions in my opinion. I'm sending you the configuration of the ASA (I've replaced sensitive output with xxx), please take a look if you find something wrong here. I've turned off the inspection engine, removed all the ACLs (same story with ACLs in all directions permitting everything), increased the timeouts (the conn timeout should be used for TCP, right?), anything that came to my mind and still no result. I'm not really willing to do reverse engineering of the application as I still got no response from the ESignal support team so I'm trying to find out what the problem is from here. Will appreciate any help!
Do you mean enabling "debug asdm history 255" or what? How would it help?
My personal experience with ASA shows that besides vpn-specific debug like debug crypto bla-bla the only useful debug command is debug generic 255. I have it enabled - nothing suspicious. Only messages like this:
Oct 26 2007 18:19:48: %ASA-6-305012: Teardown dynamic TCP translation from inside:xxx/2291 to outside:yyy/11560 duration 0:02:30
The system log guide says:
Explanation: The address translation slot was deleted.
So that's not the problem definitely.
Memory and CPU utilization are fine, simultaneous connections are no more than 2 or 3 per second so it's not that. A useful command I just saw gives the following output though:
show asp drop
Invalid encapsulation 15646
No route to host 2
Reverse-path verify failed 1
Flow is denied by configured rule 9772
First TCP packet not SYN 50
TCP data exceeded MSS 27
TCP failed 3 way handshake 16
TCP packet SEQ past window 24
TCP DUP and has been ACKed 15382
Slowpath security checks failed 552
FP L2 rule drop 1817
Interface is down 3
Non-IP packet received in routed mode 1
The "Invalid encapsulation" and "TCP DUP and has been ACKed" fields are constantly increasing. Any idea about the possible reasons for that? The first one I have a pretty good feeling where it comes from but the second one bothers me pretty much.
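The poster is eyeballing which `show asp drop` counters keep climbing. Since those counters are cumulative since the last reload (or `clear asp drop`), the useful figure is the delta between two snapshots divided by the interval. The script below is an added example, not code from the thread or from Cisco: it parses two snapshots, handles a counter reset between samples, and lists the reasons that grew, fastest first. Both snapshots are constructed; the first copies the counter values posted above, the second is made up so that only the two reasons the poster saw increasing actually change.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two `show asp drop` snapshots taken 60 seconds apart.
# SNAPSHOT_T0 mirrors the values posted in the thread; SNAPSHOT_T1 is invented
# so that only "Invalid encapsulation" and "TCP DUP and has been ACKed" move.
SNAPSHOT_T0 = """\
Frame drop:
  Invalid encapsulation                                   15646
  No route to host                                            2
  Reverse-path verify failed                                  1
  Flow is denied by configured rule                        9772
  First TCP packet not SYN                                   50
  TCP data exceeded MSS                                      27
  TCP failed 3 way handshake                                 16
  TCP packet SEQ past window                                 24
  TCP DUP and has been ACKed                              15382
  Slowpath security checks failed                           552
  FP L2 rule drop                                          1817
  Interface is down                                           3
  Non-IP packet received in routed mode                       1
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("15646", "15700").replace("15382", "15500")
SAMPLE_INTERVAL_S = 60  # seconds between the two constructed samples

# A drop-reason line is free text followed by a trailing integer. Section
# headers such as "Frame drop:" and blank lines have no trailing number, so
# they simply do not match and are skipped.
LINE_RE = re.compile(r"^\s*(?P<reason>\S.*?)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {drop reason: cumulative count} from `show asp drop` output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-reason increase between two snapshots.

    Counters only ever grow until they are cleared, so a value that went down
    means the counters were reset between samples; in that case the current
    value is the increase since the reset, not a negative number.
    """
    deltas: Dict[str, int] = {}
    for reason, now in after.items():
        previous = before.get(reason, 0)
        deltas[reason] = now - previous if now >= previous else now
    return deltas


def rising_counters(deltas: Dict[str, int], interval_s: float,
                    min_rate_per_s: float = 0.0) -> List[Tuple[str, int, float]]:
    """Reasons that grew during the interval as (reason, delta, drops/s),
    highest rate first. A rate floor hides slow background noise."""
    rows = [
        (reason, delta, delta / interval_s)
        for reason, delta in deltas.items()
        if delta > 0 and delta / interval_s >= min_rate_per_s
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def analyse(before_text: str, after_text: str, interval_s: float,
            min_rate_per_s: float = 0.0) -> List[Tuple[str, int, float]]:
    """Parse both snapshots and report the counters that are climbing."""
    deltas = drop_deltas(parse_asp_drop(before_text), parse_asp_drop(after_text))
    return rising_counters(deltas, interval_s, min_rate_per_s)


if __name__ == "__main__":
    for reason, delta, rate in analyse(SNAPSHOT_T0, SNAPSHOT_T1, SAMPLE_INTERVAL_S):
        print(f"{reason:40s} +{delta:6d} in {SAMPLE_INTERVAL_S}s  ({rate:.2f}/s)")
```

In practice you would paste real output captured a known interval apart in place of the constructed strings. Raising `min_rate_per_s` filters out reasons that tick up occasionally and leaves only the ones worth correlating with the slow-response complaints.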