ASA/PIX 7.x: ASP (Accelerated Security Path) problem
We are deploying an ASA 5520 with 7.1(2)7 at the customer's site as a replacement for a PIX 525 with 6.3(4). There are some problems with a very slow response from a remote web proxy. Web pages download, but very slowly, after a minute or so compared to 5-10 secs with the PIX. We tried to reconfigure various things on the ASA (NAT/PAT, inspect, ...), but all in vain. Finally I noticed a quickly increasing count of dropped packets in the "show int" statistics. I also came across "show counters" and "show asp drop", and there is evidence that the ASA drops quite a large number of "non-compliant" TCP packets. See the output:
asa-1# show asp drop
Flow is denied by configured rule 201
First TCP packet not SYN 170
TCP Window scale on non-SYN 630
DNS Inspect id not matched 84
ASP stands for "Accelerated Security Path", a feature hardwired into ASA/PIX 7.x. I went through the config guide for ASA/PIX and there is no info on how to disable this feature. In the reference guide there is a lot of info on how to show various stats about this and how to capture packets dropped due to ASP (and they really got dropped, as the capture showed).
Please, does anybody know how to disable this feature, or at least how to circumvent it? If there is no workaround for this, ASA/PIX 7.x is unusable in this way.
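The counters quoted above are only useful once you know which ones are growing and how fast. The script below is an added example (not from the post and not a Cisco tool): it parses two `show asp drop` snapshots, computes the per-reason delta, and reports what share of the new drops are TCP segments the ASA received without having seen a SYN for them ("First TCP packet not SYN", "TCP Window scale on non-SYN"). The first snapshot reuses the four numbers from the post; the second snapshot, the grouping of those two reasons as "mid-stream TCP", and the 50 % threshold are my own assumptions for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample input: the four counters quoted in the post above, laid
# out one reason per line with a trailing count. Not captured from a device.
SNAPSHOT_1 = """\
Flow is denied by configured rule                 201
First TCP packet not SYN                          170
TCP Window scale on non-SYN                       630
DNS Inspect id not matched                         84
"""

# Constructed second snapshot, as if taken a minute later, to exercise the
# delta logic. These numbers are invented for illustration only.
SNAPSHOT_2 = """\
Flow is denied by configured rule                 205
First TCP packet not SYN                          412
TCP Window scale on non-SYN                      1917
DNS Inspect id not matched                         85
"""

# Drop reasons whose text says the ASA got a non-SYN TCP segment for which it
# holds no connection entry. Grouping them is my own judgment (assumption),
# not a category the ASA itself reports.
MIDSTREAM_TCP_REASONS = (
    "First TCP packet not SYN",
    "TCP Window scale on non-SYN",
)

# A reason line: free text followed by whitespace and an integer count.
LINE_RE = re.compile(r"^\s*(?P<reason>\S.*?)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return an ordered {reason: count} map from `show asp drop` style text.

    Lines without a trailing integer (section headers such as 'Frame drop:',
    blank lines) are skipped.
    """
    counters = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def delta(before, after):
    """Per-reason increase between two snapshots; reasons absent from
    `before` count from zero."""
    return OrderedDict(
        (reason, count - before.get(reason, 0)) for reason, count in after.items()
    )


def midstream_tcp_share(counters):
    """Fraction of all drops in `counters` that fall under MIDSTREAM_TCP_REASONS."""
    total = sum(counters.values())
    if total == 0:
        return 0.0
    hits = sum(counters.get(r, 0) for r in MIDSTREAM_TCP_REASONS)
    return hits / total


def report(before_text, after_text, threshold=0.5):
    """Summarise two snapshots: which reasons grew, and whether mid-stream TCP
    drops dominate the growth (assumed threshold: at least half of new drops)."""
    before = parse_asp_drop(before_text)
    after = parse_asp_drop(after_text)
    growth = delta(before, after)
    share = midstream_tcp_share(growth)
    return {
        "growth": growth,
        "midstream_tcp_share": share,
        "suspect_midstream_tcp": share >= threshold,
    }


if __name__ == "__main__":
    r = report(SNAPSHOT_1, SNAPSHOT_2)
    for reason, n in r["growth"].items():
        print(f"{n:6d}  {reason}")
    print(f"mid-stream TCP share of new drops: {r['midstream_tcp_share']:.0%}")
```

If nearly all of the growth sits in the two non-SYN reasons, the ASA is seeing the middle of TCP conversations whose handshake it never saw. That is what you would expect for sessions established before the PIX was swapped out, or for a path where only one direction of the traffic crosses the ASA, and it is worth checking routing on both sides before spending more time on NAT or inspection settings.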