Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
2939
Views
0
Helpful
0
Comments

TCP connections that pass through the ASA firewall are very slow when the SSM module is enabled

TCC_2
Level 10
Level 10

‎06-22-2009 04:39 PM - edited ‎03-08-2019 06:17 PM

Core issue

This issue can occur due to the presence of Cisco bug ID CSCse46220.

This problem occurs as ASA attempts to re-order all packets matched in the access-list of the associated class.

Resolution

In order to resolve this issue, complete these steps:

  1. Adjust the access-list reference in the class-map command in order to remove the problem traffic from inspection by the SSM.
       
  2. Increase the queue-limit under the tcp-map command. This can help with performance, although it can take some trial and error in order to find the optimal queue-limit value that delivers the best performance.
       
  3. Clear the selective-ack and timestamp options from the tcp-options command.
       

This is an example of an adjusted queue-limit with cleared selective-ack and timestamp options:

hostname(config)#tcp-map tmap
hostname(config)#tcp-options timestamp clear
hostname(config)#tcp-options selective-ack clear
hostname(config-tcp-map)#queue-limit <#>

The other workaround is to go to Cisco Downloads in order to install the version 7.2(1.27) or the latest version.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents