Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

HTTP slow after upgrade 7.0(4)->8.0(4)

After an upgrade from ASA version 7.0(4)to 8.0(4), HTTP has become very slow.

Partial page is downloaded every time but images and some other content download is very slow.

This setup worked fine with 7.0(4)

no dns-guard configured

HTTP traffic on 8088

class-map http_traffic, not configured for 8088.

addition or removal of inspect http to global policy, doesnt improve performance.


User->Router->ASA->Router->Proxy Server-> Internet.


Capture shows:

lot of fragment and re-assembling (No idea if this existed earlier as well)

Right after clear asp drop, a show output is as follows:

show asp drop

Frame drop:

Invalid encapsulation (invalid-encap) 39

No route to host (no-route) 429

Flow is denied by configured rule (acl-drop) 29786

Unsupported IPV6 header (unsupport-ipv6-hdr) 79

First TCP packet not SYN (tcp-not-syn) 1711

TCP failed 3 way handshake (tcp-3whs-failed) 92

TCP RST/FIN out of order (tcp-rstfin-ooo) 10297

FP L2 rule drop (l2_acl) 4903

Dropped pending packets in a closed socket (np-socket-closed) 181

Last clearing: 08:28:31 CEDT Oct 14 2008 by enable_15

Flow drop:

SSL received close alert (ssl-received-close-alert) 1

MSS capture is clean>>

show capture mss-capture

0 packet captured

0 packet shown

Thanx in advance for the help.

(not possible to share show tech, please feel free to ask relevant queries)

Cisco Employee

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

disable threat detection mechanism

New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

Disabled threat detection entries, no difference in performance.

If we use port 80 for the proxy, instead of 8088, traffic works fine as it used to work with 7.0(4).

Plz assist.

Thanx in advance

New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

Dear all,

we have the same problem since two weeks. However in our case port 80 only works fine as long as there are not to many http clients.

We have the setup:


It worked great with our old PIXv7.

Has this / have you ever found a solution to this?


New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

No solutions as yet. Same here mate, even HTTP 80 isn't working fine now. May be it never worked earlier as well.

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

Can you post output of

show run all policy-map



New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

Hi Farruk,

Well, I do not have the latest Policy-map. but we have played around with HTTP-80 and HTTP-8088 inspection through class-map.

HTTP inspection was enabled, disabled. NO issues with MSS as confirmed by MSS captures.

The setup is on end-customer site.

He just confirmed that a Static Nat resolves the issue, but obviously he cant use Static for 100s of users.

New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

Dear all,

I want to note that in rev 8.0(4) there seem to be two distinct problems.

1. HTTP on non standard ports (which means not port 80) is slow, no matter which policy map (no inspect basic threats, no inspect http) etc. you apply or deactivate.

2. If you do HTTP over port 80 everything works very speedy as long as you use either static NAT or no NAT. Once you start to use PAT it becomes an unusable nightmare.

I personally have the impression that Cisco has to do some fixing here.


New Member

Re: HTTP slow after upgrade 7.0(4)->8.0(4)

I have been having problems with a GRE bug in 7.2(4), and TAC told me to upgrade to 8.0(3), not 8.0(4), as the latter is still full of bugs