Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA/PIX 7.x: ASP (Acceletared Security Path) problem


we are deploying an ASA 5520 with 7.1(2)7 at the customer's site as a replacemement for a PIX 525 with 6.3(4). There are some problems with a very slow response from a remote web proxy. Web pages download, but very slowly, after a minute or so compared to 5-10 secs with PIX. We tried to reconfigure various things on ASA (NAT/PAT, inspect, ...) but all in vain. Finally I noticed a quickly increasing count of dropped packets in "show int" statistics. I also came across "show counters" and "show asp drop" and there is an evidence, that ASA drops quite a large number of "non-compliant" TCP packets .... See the output:

asa-1# show asp drop

Frame drop:

Flow is denied by configured rule 201

First TCP packet not SYN 170

TCP Window scale on non-SYN 630

DNS Inspect id not matched 84

That ASP stands for "Accelerated Security Path" - a feature hardwired into ASA/PXI 7.x. I went through the config guide for ASA/PIX and there is no info on how to disable this feature. In reference quide there is a lot of info on how to show various stats about this, how to capture dropped packets due to ASP (and they got really dropped as capture showed).

Please, does anybody know how to disable this feature or at least how to circumvent it ? It there is no workaround for this, ASA/PIX 7.x is unusable in this way.

Thank you