Cisco Support Community
New Member

Slow upload speeds to Internet via ASA 5520.

Hello,

I'm pretty sure this is a firewall issue, let me explain the issue I have.

Setup:

We have 2 ASA 5520's in Active/standby mode. The 'outside' port is connected to a VLAN on a 3750 switch where our 50mb lease line is (ISP Cisco router). The 'inside' of the ASA goes into another VLAN on the 3750 switch where our internal LAN switches are. On this 3750 switch there are various other VLANs that are sub-interfaces on the ASA via the trunk from the 3750 to ASA.

I've been running some speed tests for our Internet lease line out of hours. It is a 50mb line and download speeds are around the 47mb mark which is fine.

I'm using http://speed.redstonemanaged.co.uk/ and http://www.speedtest.net/

Now the issue, the upload speeds are only ever 8-11mb and I have tried it on various different locations on the internal LAN and get the same results.

If I go onto a server in a VLAN on the 3750 switch again I get the same issue, as the servers travel via the trunk to the ASA and out to the 'outside' interface to the VLAN where the Internet router is.

Now if I put a laptop directly into this outside VLAN on the 3750 where our 'outside' interface of the ASA is and ISP router then I get an upload of 47mb! I had to give the laptop a public IP and the gateway of the ISP router.

It just seems anything that has to pass through the firewall has a slow issue transmitting/uploading data outbound to the Internet.

Our ASA also have the IPS module, I turned this off and it made little difference. To turn the module off (only way I know) is to use Cisco IPS Manager Express > Configuration > Event Action Rules > Rules0 > disable event action. Also on the ASA using the ASDM I went to Service Policy Rules and unticked the interfaces to monitor.

Can you think of any other steps I can do? Is it a NAT/PAT issue? I am lost for ideas.

Thanks

19 REPLIES
New Member

Re: Slow upload speeds to Internet via ASA 5520.

I am getting the same issue with 5520's in active/standby running 8.2(1). 25Mbit dedicated link and get 20-27Mbit download and 8-11 upload.

New Member

Re: Slow upload speeds to Internet via ASA 5520.

If I run the tests in front of the ASA's then it is fine, could it be a bottleneck? I thought maybe it's badly configured rules or NAT's.

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Try bypassing the IPS, that is, do not send traffic to the IPS module.

It is done using commands within the ASA.

I'm not sure what your config is.

Please paste the "sh run policy-map" command output. I'll get the speed up. :)

HTH

Sushil

New Member

Re: Slow upload speeds to Internet via ASA 5520.

I did try bypassing the IPS already, but could be doing it wrong as the upload speed was still 10mb or so.

Here is my output:

sh run policy-map
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect pptp
  inspect icmp
  inspect icmp error
policy-map DMZ1Servers-policy
 class DMZ1Servers-class1
  ips inline fail-open sensor vs0
policy-map outside-policy
 class outside-class
  ips inline fail-open sensor vs0
policy-map DMZ6-policy
 class DMZ6-class
  ips inline fail-open sensor vs0
policy-map DMZ2-policy
 class DMZ2-class
  ips inline fail-open sensor vs0
policy-map DMZ5-policy
 class DMZ5-class
  ips inline fail-open sensor vs0
policy-map DMZ3-policy
 class DMZ3-class
  ips inline fail-open sensor vs0
policy-map DMZ10-policy
 class DMZ10-class
  ips inline fail-open sensor vs0
policy-map DMZ4-policy
 class DMZ4-class
  ips inline fail-open sensor vs0

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Put in the commands below :

###
policy-map DMZ1Servers-policy
 no class DMZ1Servers-class1
policy-map outside-policy
 no class outside-class
policy-map DMZ6-policy
 no class DMZ6-class
policy-map DMZ2-policy
 no class DMZ2-class
policy-map DMZ5-policy
 no class DMZ5-class
policy-map DMZ3-policy
 no class DMZ3-class
policy-map DMZ10-policy
 no class DMZ10-class
policy-map DMZ4-policy
 no class DMZ4-class
####

New Member

Re: Slow upload speeds to Internet via ASA 5520.

Tried this, but it didn't make any difference to my upload speeds.

New Member

Re: Slow upload speeds to Internet via ASA 5520.

I just posted a Conversation....I have the exact same issue.......Except for mine is download speeds....I used the same test servers you do...

New Member

Re: Slow upload speeds to Internet via ASA 5520.

We're having the same issue - twin ASA5510s in Active/Passive failover.  In front of the ASAs we can get our full 15MB, but behind them we get 1.5MB to maybe 9MB (it's all over the place but tends to be under 3MB).  We isolated one of the firewalls so our test traffic was the only traffic going through it but it made no difference.

We hired a Cisco engineer to bench the unit, wipe our configuration and test it again but he duplicated our symptoms.  The problem seems to be inherent to the unit, but even the engineer hadn't heard of the issue nor could he fix it.

I wonder if there was a bad batch that came out of manufacturing with a defect?

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Have you tried to remove threat detection and http inspection?

sh run threat

remove the lines with a "no" in front of them.

pls. check interface errors "sh int | i errors". Are you doing any kind of content scanning for the hosts that are behind the ASA? Any IDS devices monitoring the traffic? Any packet shaping devices?

Besides that we need to collect captures on ingress and egress interfaces and see where the delay is coming from.

-KS

New Member

Re: Slow upload speeds to Internet via ASA 5520.

I got it all fixed yesterday.

As the other post mentioned do you have any IDS in front of your firewalls or do you have the IPS modules installed in your ASA's?  In the end it was our IPS module, we had to enter the kernel mode of the IPS module using the service account and amend the RegexDepth setting for the upload as it is fixed for upload and for downloads it wasn't so it was sort of throttling the upload speed so we "relaxed" this.  If you need the commands I used let me know?

New Member

Re: Slow upload speeds to Internet via ASA 5520.

Andy, kusankar,

Thanks to you both for your prompt replies.  I'll try to do your effort justice with my own.

There are no IDS devices upstream from the ASAs.  I'm not sure if our ASAs have the IPS module installed, but then I don't know what the IPS module is.  A quick walk through the ASDM doesn't show anything, but there may be a difference in terminology.

I am not conversant with the IOS or working at the Cisco CLI, but I am willing to give anything a shot.  Step-by-step instructions would be awesome.  If it makes any difference, we're running v7.2(2) of the firmware and I have v5.2(2) of the ASDM.

Thanks again for your help,

Paul

New Member

Re: Slow upload speeds to Internet via ASA 5520.

I would suggest upgrading your firmware at some point, 8.0.x and the latest ASDM.  They offer lots of bug fixes plus new features, the newer ASDM (version 6.0.x) is much better.  Try 8.04 (mature) or 8.0.5 (newish).

As you are running in failover mode with 2 ASA's you can upgrade one > reload > failover to the other > upgrade > reload and there will be no downtime.  Both have to be on the same firmware for the failover to continue to work.   I can get a url on this if you need it.

The IPS module is a physical device that sits in your ASA, from the CLI on the ASA type "session 1" and see if you get a prompt.

Please rate if you find any of this helpful.

New Member

Re: Slow upload speeds to Internet via ASA 5520.

Andy,

Since the IPS module is a physical device rather than a software feature, I'm pretty sure we don't have one.  Running your command from the CLI in the ASDM returns "Card in slot 1 did not respond to session request".  When I look at the rear of the ASA, I can see an expansion slot blanking plate so I think it's safe to say I don't have an IPS module.  I take it this implies my problem is different from yours.

To be thorough, I ran the "sh int | i errors" command suggested by kusankar.  Here is the result of that:

0 input errors, 16455 CRC, 0 frame, 0 overrun, 16455 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 9682983 CRC, 0 frame, 0 overrun, 9682983 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets

So it looks like something is generating CRC errors, but that may be normal.  I ran the command multiple times and those error counts are incrementing.

Lastly, I would be very interested in any assistance you can offer upgrading the firmware on my ASAs.

Thanks again,

Paul

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Need to fix these CRC errors ASAP.

Issue sh int e0/0 or whichever is appropriate on all the interfaces and find out which interface is showing these errors.

Then see what cable connects that port to which device.  Try the following one at a time.

1. clear interface

2. set the speed and duplex to the same on both the ASA as well as the switch end

3. change the cable

4. change the port on the switch and watch the switch port for errors.

after each change 2,3,4 issue sh inter | i errors.

Once you fix this you should see better results.

You are running an older code where threat detection was not introduced.

Upgrading the ASA code will not resolve the problem.  Let us first take care of the CRC errors.

-KS

New Member

Re: Slow upload speeds to Internet via ASA 5520.

kusankar,

Of the three interfaces in use - inside, outside and failover, here are the results for inside and outside:

Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 001b.d5e8.cbac, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
396474903 packets input, 79066447227 bytes, 0 no buffer
Received 2211277 broadcasts, 0 runts, 0 giants
0 input errors, 26224 CRC, 0 frame, 0 overrun, 26224 ignored, 0 abort
0 L2 decode drops
530985772 packets output, 550403493621 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/250) software (0/0)
  Traffic Statistics for "outside":
404210359 packets input, 72160280929 bytes
530985772 packets output, 540544337897 bytes
2809681 packets dropped
      1 minute input rate 86 pkts/sec,  27165 bytes/sec
      1 minute output rate 72 pkts/sec,  12729 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 149 pkts/sec,  48188 bytes/sec
      5 minute output rate 186 pkts/sec,  160347 bytes/sec
      5 minute drop rate, 3 pkts/sec


Result of the command: "sh int e0/1"

Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 001b.d5e8.cbad, MTU 1500
IP address 192.168.48.1, subnet mask 255.255.255.0
548573967 packets input, 557297292042 bytes, 0 no buffer
Received 17195192 broadcasts, 0 runts, 0 giants
0 input errors, 9691710 CRC, 0 frame, 0 overrun, 9691710 ignored, 0 abort
0 L2 decode drops
392477718 packets output, 77793299669 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/51) software (0/0)
  Traffic Statistics for "inside":
548573167 packets input, 547121964625 bytes
392477718 packets output, 69454135108 bytes
15357922 packets dropped
      1 minute input rate 68 pkts/sec,  17981 bytes/sec
      1 minute output rate 69 pkts/sec,  40291 bytes/sec
      1 minute drop rate, 5 pkts/sec
      5 minute input rate 190 pkts/sec,  163545 bytes/sec
      5 minute output rate 149 pkts/sec,  49707 bytes/sec
      5 minute drop rate, 5 pkts/sec

It appears the internal interface is reporting the majority of the CRC errors, but statistically the rate seems low.  The ASA in question has been up for just over 21 days and was only rebooted to troubleshoot this problem.

I will investigate the rest of your suggestions, though I'm certain the problem is in the ASA itself because we've isolated the ASA from the internal network as a matter of course while troubleshooting.  Indeed, we wiped the configuration from one ASA to make sure it wasn't the failover capability causing the problem.  In essence we ended up with a laptop on one side, our Internet connection on the other with only the ASA in the middle and still saw the problem.  Bypassing the ASA - connecting directly to the cable on the upstream side - eliminates the problem, but I'll do due diligence.

Thanks again,

Paul

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Post the output for

sh run int e0/0

sh run int e0/1

If the speed and duplex is specified in the above output make sure it matches on the switch side and set the speed and duplex manually on the switch ports.  If the switch side is set to auto, change in the above to auto as well. This should clear the CRC errors.  Once these errors are gone run your tests again.

I'm not sure what else everyone suggested that you change on this ASA so, it would be better you attach the current config if you have any further questions on this issue.

-KS
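
As an added example (not part of any post in this thread, and not Cisco code): a small Python parser that triages "show interface" output the way the replies above do by eye, reporting CRC errors as a percentage of input packets and flagging ports that show CRC errors while speed/duplex is hard-set, so the switch side can be checked. The sample input is abridged from the output posted in the thread; the function names and finding labels are assumptions of this example.

```python
import re

# Sample input: abridged from the "sh int" output posted in this thread (pre-fix).
SAMPLE = '''\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
396474903 packets input, 79066447227 bytes, 0 no buffer
0 input errors, 26224 CRC, 0 frame, 0 overrun, 26224 ignored, 0 abort
Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
548573967 packets input, 557297292042 bytes, 0 no buffer
0 input errors, 9691710 CRC, 0 frame, 0 overrun, 9691710 ignored, 0 abort
'''

IFACE = re.compile(r'^Interface (\S+) "([^"]*)"')
# configured(negotiated) pairs, e.g. "Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)"
LINK = re.compile(r'^\s*(\S+)-Duplex\(([^)]*)\), (.+?)\(([^)]*)\)')
# hardware counter line only; the "Traffic Statistics" line has no "no buffer" field
PKTS = re.compile(r'^\s*(\d+) packets input, \d+ bytes, \d+ no buffer')
CRC = re.compile(r'\d+ input errors, (\d+) CRC')


def parse_show_interface(text):
    """Return one dict per interface block found in 'show interface' output."""
    interfaces, cur = [], None
    for line in text.splitlines():
        if (m := IFACE.match(line)):
            cur = {"port": m.group(1), "nameif": m.group(2), "crc": 0,
                   "packets_in": 0, "duplex_cfg": None, "speed_cfg": None}
            interfaces.append(cur)
        elif cur is None:
            continue
        elif (m := LINK.match(line)):
            cur["duplex_cfg"] = m.group(1).lower()   # 'auto' or 'full'/'half'
            cur["speed_cfg"] = m.group(3).lower()    # 'auto-speed' or '100 mbps'
        elif (m := PKTS.match(line)):
            cur["packets_in"] = int(m.group(1))
        elif (m := CRC.search(line)):
            cur["crc"] = int(m.group(1))
    return interfaces


def triage(interfaces):
    """Findings: (nameif, 'crc', percent of input packets) and mismatch candidates."""
    findings = []
    for i in interfaces:
        if not i["crc"]:
            continue
        pct = 100.0 * i["crc"] / max(i["packets_in"], 1)
        findings.append((i["nameif"], "crc", round(pct, 3)))
        hard_set = i["duplex_cfg"] != "auto" or i["speed_cfg"] != "auto-speed"
        if hard_set:  # a switch port left on auto would mismatch a hard-set ASA port
            findings.append((i["nameif"], "verify-switch-port-speed-duplex", None))
    return findings
```
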

New Member

Re: Slow upload speeds to Internet via ASA 5520.

kusankar,

Heeding your advice, I've adjusted the switch settings for both the internal and external interfaces so they are optimal and identical between switch and ASA.  Running the "clear interface" command, then monitoring the interfaces with the "sh int e0/0" and "sh int e0/1" commands shows no more CRC errors on either interface.

Re-running the speakeasy.net speed tests shows more symmetrical, although much more varied results, including - for the first time since starting this process - an upload speed that exceeds the download speed.  While my upload speed still isn't as consistently high as my download speed, there's a definite improvement and I may be seeing the best I can get.

Here's the output of the "sh int e0/0" command:

Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 001b.d5e8.cbac, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
2485674 packets input, 1620330786 bytes, 0 no buffer
Received 18893 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2872078 packets output, 2336538828 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/250) software (0/0)
  Traffic Statistics for "outside":
2485644 packets input, 1569397011 bytes
2872078 packets output, 2279435040 bytes
70611 packets dropped
      1 minute input rate 268 pkts/sec,  201723 bytes/sec
      1 minute output rate 294 pkts/sec,  237071 bytes/sec
      1 minute drop rate, 8 pkts/sec
      5 minute input rate 350 pkts/sec,  232823 bytes/sec
      5 minute output rate 400 pkts/sec,  307069 bytes/sec
      5 minute drop rate, 12 pkts/sec

Here's the output of the "sh int e0/1" command:

Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 001b.d5e8.cbad, MTU 1500
IP address 192.168.48.1, subnet mask 255.255.255.0
2868844 packets input, 2364562970 bytes, 0 no buffer
Received 98667 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2427814 packets output, 1573194314 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (1/0) software (0/0)
output queue (curr/max blocks): hardware (0/51) software (0/0)
  Traffic Statistics for "inside":
2868780 packets input, 2308033896 bytes
2427814 packets output, 1523371562 bytes
81712 packets dropped
      1 minute input rate 373 pkts/sec,  238278 bytes/sec
      1 minute output rate 377 pkts/sec,  334810 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 385 pkts/sec,  309956 bytes/sec
      5 minute output rate 337 pkts/sec,  217388 bytes/sec
      5 minute drop rate, 7 pkts/sec

Unless you see something in the information above, or want me to post some other bit of information, I presume this is the best we can do.

Again, my thanks to you and Andy for your respective help,

Paul

Cisco Employee

Re: Slow upload speeds to Internet via ASA 5520.

Excellent. These look clean.

I believe with the better results that you are seeing, the issue is resolved. You probably will notice other websites loading a lot faster than before.

If there is a big diff. between the results outside the firewall and from behind the firewall pls. look at inspections and QoS if you have them configured on the ASA as well as the client NIC drivers and speed/duplex on the NIC and switch end that you are using to do the test.

Nice job.

-KS

New Member

Re: Slow upload speeds to Internet via ASA 5520.

Andy,

I'm getting the same problem with upload speed maxing out at about 10Mb, while my download speed utilises almost the full 100Mb we have.  We have an ASA5510 with IPS. I've changed the setting on the IPS to bypass it and this immediately resulted in an upload speed that matched the download, so it would appear that it is down to the IPS.  You mention about changing the RegexDepth setting for upload.  Can you tell me what commands I need to do this?

Thanks

Chris
