We have an ASA 5510 and when we do an isp test from the inside interface with a laptop directly behind the asa we get poor internet traffic downloads but if we disconnect the ASA and connect the laptop directly into the internet pipe and repeat the test we get a much better download. in fact 440k behind the firewall and 4meg in front of the asa.
The interfaces are setup for 100 full duplex and no crc issues or dropped packets etc..
I did and I removed the service-policy global_policy global and my downstream went back to the 12Mbps I'm used to. Now, what did I just do for my security?? Am I opened up for attacks? How can it be corrected properly. I'm in a TAC with cisco on this matter now... Will keep you all posted.
No ideas, but I'm having the exact same problem with an ASA 5505. I was reading some other posts about forcing the duplex, etc. rather than setting it to auto. Haven't played with that yet. I may mess with it to see if it helps.
Have you tried looking at MTU settings? It doesn't sound like you've added any VPNs yet, but if you have, you need to consider the reduction in available packet sizes if IPSec is being used. The standard 1500 byte size can no longer fit into the pipe because of the IPSec overhead. Additionally more so if you are using GRE in addition to IPSec. There should be ICMP Destination Unreachable, Fragmentation Needed but DF-bit set messages generated if the problem is MTU related. Often times, firewalls are configured to drop all ICMP and the MTU size issue never makes it back to the originating host/server. Its a shame that so many people feel that all ICMP is 'evil'. These specific messages (Type 3, Code 4) are pretty cool because they actually include what the host/server should set its MTU to for all packets to that particular destination.
If you are not running IPSec, MTU could still be an issue. If you are running in the clear, I'd place a sniffer on the outside interface of the ASA and see what kind of packet sizes you are generating as you egress the ASA as compared to when you are not using the ASA.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...