topic Slow SSH FTP (SFTP) transfer issue in Network Security

Slow SSH FTP (SFTP) transfer issue

ALIAOF_ — Mon, 11 Mar 2019 22:32:52 GMT

We are having an issue with SFTP slow transfers, here is the network setup

Laptop --> ASA --> CSS --> Server

Laptop = Inside Interface

Server = Security Level 50

Default gateway for the servers is the CSS. When we try just FTP it is very fast. When I put laptop on the same network as the servers SFTP is fast. But when I plug my laptop the way I explained above SFTP is very very slow.

We did another test:

Laptop --> CSS --> Server

Now in this scenario where the servers are no longer behind the firewall SFTP is also fast. Doesn't make sense why when there is a firewall in the picture it is so slow because its not FTP and it shouldn't require any inspect statements or any other configuration. Any ideas will be greatly appreciated.

Slow SSH FTP (SFTP) transfer issue

david.tran — Mon, 20 Feb 2012 21:03:21 GMT

Just want to make sure we're talking about the same thing. SFTP uses ssh transport mechanism. It uses tcp port 22.

FTPs is completely something else.

Are you using SFTP (similar to SCP) which uses tcp port 22 or something else? If you're using SFTP try to transfer again using scp and see if it makes any differences. The firewall does not know anything about this connection because it is an "encrypted" connection between y our laptop and the server.

Slow SSH FTP (SFTP) transfer issue

ALIAOF_ — Mon, 20 Feb 2012 21:12:59 GMT

That is correct I'm doing SFTP that uses SSH Port 22 not doing FTPS either. Using SCP doesn't make any difference either.

I have tried multiple clients too.

Slow SSH FTP (SFTP) transfer issue

david.tran — Mon, 20 Feb 2012 22:06:30 GMT

Ok. Mine setup is a the same as yours with the following exception:

- I have a pair of Pix firewalls instead of ASA running version 8.0(4),

- Instead of CSS, I have F5 BigIP as the Load-balancer,

Both FTP and SFTP going across the the firewall without any issues. On the 100M interface, I am getting about 95mbps with both FTP and SFTP. Ofcourse, with SFTP, my server takes some CPU hits because of SSH encryption.

Slow SSH FTP (SFTP) transfer issue

ALIAOF_ — Mon, 20 Feb 2012 22:32:48 GMT

Hum yeah that is pretty much we have other than F5's. Well also client is on a different network than the server and the default gateway for the servers is the CSS. Client come in through the inside interface of the firewall and servers are behind a NATed interface.

So the interface IP is 10.1.1.1 and servers are behind that interface as 10.1.2.xx.

Slow SSH FTP (SFTP) transfer issue

david.tran — Mon, 20 Feb 2012 22:47:24 GMT

Are you running any rate-limiting or QoS on the ASA? what is the output of "show service-policy"

Slow SSH FTP (SFTP) transfer issue

ALIAOF_ — Tue, 21 Feb 2012 16:05:58 GMT

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 36305306, drop 3956, reset-drop 0

Inspect: ftp, packet 203668, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 327, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: h323 ras _default_h323_map, packet 1, drop 1, reset-drop 0

Inspect: rsh, packet 461, drop 0, reset-drop 0

Inspect: rtsp, packet 331, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: esmtp _default_esmtp_map, packet 193239, drop 0, reset-drop 0

Inspect: sqlnet, packet 3651, drop 0, reset-drop 0

Inspect: skinny , packet 328, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: sunrpc, packet 294629, drop 678, reset-drop 1039

tcp-proxy: bytes in buffer 0, bytes dropped 1348

Inspect: xdmcp, packet 4363, drop 3720, reset-drop 0

Inspect: sip , packet 696, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: netbios, packet 164768, drop 0, reset-drop 0

Inspect: tftp, packet 1759067, drop 0, reset-drop 0

Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop

Slow SSH FTP (SFTP) transfer issue

Julio Carvajal — Tue, 21 Feb 2012 17:28:14 GMT

Hello Mohammand,

I am the engineer working on the case you have, the configuration looks good, the interfaces does not have any errors, the inspection policies are great. so but the next thing to troubleshoot to determine if this is te ASA indeed will be to conenct a PC to one ASA's interface ( directly connected) and then try to use the SFTP.

We could also do captures on the ASA on both interfaces inside and outside to determine what is going on!

Regards,

Julio

Slow SSH FTP (SFTP) transfer issue

Patrick0711 — Wed, 22 Feb 2012 02:33:03 GMT

How are you connecting the laptop to the CSS? Is it on the same network as the back end servers or is it on the front side network in front of the CSS? Is the traffic destined to a VIP or is it destined to a back end server behind the CSS?

What does 'show perfmon' and 'show resource usage' show on the ASA during the transfer through the firewall? Are you sure you're links aren't saturated?

Slow SSH FTP (SFTP) transfer issue

ALIAOF_ — Tue, 13 Mar 2012 13:38:18 GMT

We have tried to connect it to the same switch where the back end servers are connected and it works fine. We also by passed the firewall and it works fine. Its only when CSS is in between and we try to do the transfer to the Physical IP of the server it is slow.