New Member

Very slow internet behind ASA5505

Recently installed an ASA5505 for a client.  They have Verizon DSL (7mb down, 384up package).  So my config is Verizon (Westell) DSL modem connected to e0/0 (VLAN2) of ASA.  From there I have e0/1 (VLAN1) connected to a 3COM 2250 Plus 50 port switch.

Since installing the ASA, the client has been complaining of a major slowdown in Internet speed.  Contacted ISP and they had me remove the firewall from the equation and hook modem directly to laptop.  With this setup I get between 6-7mb download speeds.  When I put the ASA back into the mix though, the speed drops significantly.  The speed will vary but 90% of the time they do not even get 1mb download speeds.

The configuration is pretty straightforward, not doing a whole lot with the box other than using it for VPN (IPSEC).

I'd really like some suggestions or ideas on what could be causing this or even where to start looking as I am not sure.

Thanks!

22 REPLIES

Re: Very slow internet behind ASA5505

My biggest issue with an ISP that has you remove all of the network and connect 1 pc directly to this cable/dsl modem is that it is not a realistic test of how the Internet service will perform for the client with a network and users behind it.  But I digress and will assist with your question now and not complain about the ISP/Telcos....which most of us have pulled our hair out dealing with them!  LOL

I would connect into the ASA and run a show xlate and a show connection to see what the counts look like.  Also ask questions to the users: is it a specific time of day that it is slow or all times of the day?  Is their service a business dedicated grade or shared access on the ISP segment?  What do the physical interfaces of the ASA look like for speed and duplex settings?

The reason you want to look at the xlate and connection counts is there could be a virus, spyware, malware on the users PCs that could be slowing down the Internet connection.  Really pay attention to the duplex of the inside and outside interfaces of the ASA to make sure they are negotiating to full duplex to allow for good 2-way communication.

This is where I would start troubleshooting a performance issue like this.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

Re: Very slow internet behind ASA5505

Kimberly,

Thanks for taking the time to reply.

I ran the show xlate and it came back showing 94 in use, 444 most used.

I also ran the show conn and it came back with 113 in use, 244 most used.

Users have not really mentioned any time of day where they see a bigger problem.  I am on-site right now and an initial speed test first thing this morning shows 1.5mb down and 768 up.  Again, this should be a 7mb download package.  I was told by Verizon that this is business grade, but I'm not 100% sure of that.

As for the physical interfaces, I ran sh int commands for both of them and pasted below, both are set to auto for both duplex and speed.

clientasa# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6d, MTU not set
        IP address unassigned
        6181420 packets input, 3153357569 bytes, 0 no buffer
        Received 16232 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        9 switch ingress policy drops
        5503232 packets output, 2303937276 bytes, 0 underruns
        72 output errors, 57 collisions, 0 interface resets
        0 babbles, 0 late collisions, 152 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

clientasa# sh int e0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6e, MTU not set
        IP address unassigned
        6673355 packets input, 2393629616 bytes, 0 no buffer
        Received 770925 broadcasts, 0 runts, 0 giants
        9 input errors, 9 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1349 switch ingress policy drops
        6174969 packets output, 3145279599 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops

I did notice on e0/1 there are some input and CRC errors, but I wasn't sure what those were exactly.  Any ideas?

The clients all have Trend Micro antivirus/antispyware running on them.  They have real time scanning enabled and there is a full system scan run once a week.  The Trend dashboard shows no signs of a virus on the network.  Not to say that there isn't something because I know Trend doesn't catch everything but I'm not sure this is the problem.

Any help you can give me on this would be appreciated.

Thanks!

New Member

Re: Very slow internet behind ASA5505

If you are using PPPoE for the upstream ISP, check your MTU. You may need to lower the outside interface MTU to 1492 or lower depending upon your setup.

I have also come across a similar issue on the 5505 with certain versions of ASA software not handling PMTUD / fragmentation correctly which was fixed by a version upgrade.

New Member

Re: Very slow internet behind ASA5505

Hi,

I have the very same problem today on a 5505 also.

When connected directly to the modem, I get 7.x Mbps.

I'm lucky if I get 0.8Mbps when through the firewall.

I'm using Cisco OS v8.2.2.

I have other circuits with other customers using the same firewall and same config and they get between 7 and 15 Mbps.

Any ideas or thoughts would be a great help.

Thanks.

S.

New Member

Hi,

I have the same problem with a Cisco ASA 5510 and the version is 8.2(1)11.

I have a 20 MB internet link. When I connect a laptop directly I get 20 mb upload and download speed, but through the ASA I get 19 mb download and 2-3 mb upload speed.

Can someone help with this issue?

Thanks

Umang

New Member

Re: Very slow internet behind ASA5505

Unfortunately I'm not using PPPoE, just a block of static IP's with one assigned to the outside interface and the rest all using NAT for SMTP, RPD and HTTPS to other machines.


Thanks!

Re: Very slow internet behind ASA5505

Some of the CRC errors you are seeing could be to do with auto-negotiation of speed and duplex with your ISP edge device.  You may want to clear the counters on your ASA and monitor the errors but you can also adjust the MTU on the ASA.

Are you blocking any streaming sites for users like Internet Radio and such?  The user community could be sucking up a good deal of bandwidth by having Internet radio and streaming sites running all day long.

These are just some things to think about with performance issues.

Kimberly


Re: Very slow internet behind ASA5505

Can you post your config? Take out your public addressing and such....

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Very slow internet behind ASA5505

Sorry no response in a while, got really busy last week.  I've attached the ASA config.  Look it over and let me know if there is something glaringly wrong that could be causing this issue.  I don't see anything but another set of eyes always helps.

Thanks!

New Member

Re: Very slow internet behind ASA5505

Hi,

I'm fairly certain that my problem is due to a dodgy ASA.

I have swapped out the ASA, using the same config, and the client now gets 7.x Mbps instead of 0.5Mbps.

There were a lot of CRC errors on the outside interface.

I'm doing a full reset on the faulty device now offsite to see if the errors persist.

Regards,

S.

New Member

Re: Very slow internet behind ASA5505

Any chance that a software update could resolve this?  The ASA is currently running 7.2.4.  Just wondering if that is something I should look at.

Re: Very slow internet behind ASA5505

7.2(4) is old and you might want to look at the 8.x train

I will upgrade the ASA either to 8.0(5) or 8.2(2)

An upgrade to 8.3(1) will require additional memory.

Take a look at the release notes:

http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html

Federico.

Cisco Employee

Re: Very slow internet behind ASA5505

Stephen,

CRC errors and the like are usually due to a mismatch in speed/duplex. Can you check to see what the upstream device's link settings are? You want to ensure that they are either *both* hardcoded for 100MB/FULL or *both* set for AUTO/AUTO.

- Magnus
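
Added example (not part of any poster's reply): a small Python parser for the `sh int` counters posted earlier in the thread, flagging the patterns that point at a duplex or layer-1 problem and showing which counters grow between two captures. The function names are hypothetical; the sample text is trimmed from the e0/0 and e0/1 output above.

```python
import re

# Trimmed from the "sh int" output posted earlier in this thread.
E0_0 = """Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
72 output errors, 57 collisions, 0 interface resets
0 babbles, 0 late collisions, 152 deferred"""
E0_1 = """Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
9 input errors, 9 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred"""

COUNTERS = ("input errors", "CRC", "output errors", "collisions",
            "late collisions", "deferred")

def parse_show_int(text):
    """Extract the negotiated duplex and the error counters from one capture."""
    m = re.search(r"\((Full|Half)-duplex\)", text)
    info = {"duplex": m.group(1).lower() if m else None}
    for name in COUNTERS:
        # "<digits> collisions" cannot match "0 late collisions": "late" intervenes.
        hit = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        info[name] = int(hit.group(1)) if hit else 0
    return info

def duplex_findings(info):
    """Flag counter patterns that point at a duplex or layer-1 problem."""
    findings = []
    if info["duplex"] == "full" and (info["collisions"] or info["deferred"]):
        findings.append("collisions/deferred on a link now at full duplex: it ran "
                        "half duplex at some point since the counters were cleared")
    if info["CRC"] or info["late collisions"]:
        findings.append("CRC or late collisions: check cable, port and peer duplex")
    return findings

def counter_delta(before, after):
    """Counters that grew between two captures of the same interface."""
    return {k: after[k] - before[k] for k in COUNTERS if after[k] > before[k]}

if __name__ == "__main__":
    for name, text in (("e0/0", E0_0), ("e0/1", E0_1)):
        print(name, duplex_findings(parse_show_int(text)))
```

Feeding `counter_delta` two captures taken a few minutes apart shows whether the errors are still incrementing or are left over from before the counters were last cleared.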

New Member

Re: Very slow internet behind ASA5505

Just connected to Verizon DSL modem (Westell 6100) but I don't find anything on the modem about changing the speed/duplex.

Re: Very slow internet behind ASA5505

We agree that you're seeing CRC errors and that should not be. CRC errors are commonly caused by layer 1 problems (cable, NIC, etc) or sometimes layer 2 as well.

While figuring out how to get rid of the CRC errors, I would recommend moving to the 8.x train.

Federico.

New Member

Re: Very slow internet behind ASA5505

Upgraded from 7.2(4) to 8.0(5) this morning.  Here is the latest on the show interface commands:

clientasa# sh int e0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6e, MTU not set
        IP address unassigned
        71318 packets input, 25339525 bytes, 0 no buffer
        Received 4677 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        4 switch ingress policy drops
        79785 packets output, 53670770 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
clientasa# sh int e0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 8843.e141.ec6e, MTU not set
        IP address unassigned
        71435 packets input, 25351733 bytes, 0 no buffer
        Received 4691 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        4 switch ingress policy drops
        79905 packets output, 53684597 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

So now I am not seeing any input or CRC errors like I was before, but still having the speed issues.  I did log into the Verizon (Westell 6100) modem this morning to verify speed/duplex settings but I cannot find this anywhere.  I have been searching the Internet for this but have yet to come up with anything.

Not sure where to go from here.

Re: Very slow internet behind ASA5505

One thing you can check (besides continuing to monitor the interfaces for errors) is the output of ''sh asp drop'' on the ASA.

Check if you see any particular process incrementing when experiencing slowness.

Federico.

New Member

Re: Very slow internet behind ASA5505

Did this problem turn out to be a bad ASA or trouble with the ISP equipment?

New Member

Re: Very slow internet behind ASA5505

Hi,

The ASA wasn't faulty and a replacement of ISP router fixed the issue.

Thanks.

S

New Member

Re: Very slow internet behind ASA5505

Hi,

I had similar problem which I'll also describe below, but first I'll give the answer that solved mine.

The solution to me was to have the outside interface in "duplex half" !

The problem I had was also very slow internet and in many times I couldn't stream constantly real time video.

I also had MTU 1500 on the outside interface and many CRC errors ....

On one of my breaks at work today I found someone on a website (sorry unknown person for not giving you personally the credits ....) but yes removed the duplex full from the outside interface and BOOOOM the speed is here now.

Have a great weekend to all of you.

Cheers,

Ioannis

New Member

I have a similar issue. The only difference is the ISP original speed. We have 100MB up and down.

We have a fiber internet from AllStream go to a converter to Ethernet signal. This connected to a Cisco 2900 router from the ISP. From this router we connect to a VLAN switch and connect the Cisco ASA5505 to the same VLAN.

In this setup we only have about 10MB/s.

However, as soon as the ASA is removed, the internet speed increased to 80-90MB/s.

I tried to replace the VLAN switch (where the ASA5505 and the Cisco 2900 are connected) with a 1 Gigabit switch but the speed is still slow.

Is there any answer to this issue yet?

New Member

Very slow internet behind ASA5505

I would make sure that the ADSL modem has had as many services as possible shut down and, if possible, bridge the unit so it does not dole out any DHCP addresses. I had our ISP shut down any firewall services that were running and strip it down to "bare bones" and it seems to have made a difference to us.
