https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793801#M493368 <HTML><HEAD></HEAD><BODY><P>On the inspection itself? No, I dont think so. Is not that the traffic is flowing without inspection, it is being inspected, but not under RFC compliance of Sqlnet protocol. </P><P></P><P>You may be hitting this bug </P><P></P><TABLE border="0" cellpadding="3" cellspacing="0" style="width: 95%;"><TBODY><TR><TD>CSCta27859 </TD></TR><TR><TD> ASA 8.2.1 - Enabling inspect sqlnet adds 5 sec delays to big DB queries </TD></TR><TR><TD> <STRONG><STRONG>Symptom</STRONG>:</STRONG> When "inspect sqlnet" is enabled on ASA, single-connection version of SQLnet protocol experiences 5-seconds delays on big DB queries.&nbsp; There may be multiple delays in a single SQLnet TCP session.&nbsp; When inspection disabled, there are no delays.&nbsp;&nbsp;&nbsp; <STRONG><STRONG><STRONG>Condition</STRONG>s</STRONG>:</STRONG> - single-session version of SQLnet protocol is used (i.e. TCP/1521 is used both for command and data sessions)&nbsp;&nbsp;&nbsp; - "inspect sqlnet" is enabled on ASA&nbsp;&nbsp;&nbsp; <STRONG>Workaround:</STRONG> Disable sqlnet inspect.&nbsp; For single-session version of SQLnet protocol,&nbsp; disabling the inspect sqlnet does not have operational impact since there&nbsp; are no secondary connections that are being dynamically permitted through the firewall. </TD></TR></TBODY></TABLE><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta27859">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta27859</A></P><P></P><P>Try going to the latest 8.2 version (8.2.5) and check if the problem persist. </P><P></P><P>Mike </P></BODY></HTML> Mon, 14 Nov 2011 22:37:19 GMT Maykol Rojas 2011-11-14T22:37:19Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793796#M493360 <P>I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file. What could be the problem?</P> Mon, 11 Mar 2019 21:50:17 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793796#M493360 JEFF LAND 2019-03-11T21:50:17Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793797#M493362 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Do you have the Sqlnet inspection turned on the firewall? If so, remove it and try to access the DB again. </P><P></P><P>Mike Rojas</P></BODY></HTML> Mon, 14 Nov 2011 19:22:59 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793797#M493362 Maykol Rojas 2011-11-14T19:22:59Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793798#M493365 <HTML><HEAD></HEAD><BODY><P> I will try that but <EM>inspect sqlnet </EM>is enabled under<EM> policy-map global_policy </EM>on the old 5520 running 8.0 also. Do you know if they made any changes to the sqlnet inspection in 8.1 or 8.2?</P></BODY></HTML> Mon, 14 Nov 2011 21:23:06 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793798#M493365 JEFF LAND 2011-11-14T21:23:06Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793799#M493366 <HTML><HEAD></HEAD><BODY><P>They do every change of versions. But we need to confirm if the inspection is actually the problem. </P><P></P><P>Mike </P></BODY></HTML> Mon, 14 Nov 2011 21:30:43 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793799#M493366 Maykol Rojas 2011-11-14T21:30:43Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793800#M493367 <HTML><HEAD></HEAD><BODY><P> Yes, taking the sqlnet inspection out fixed the problem. But now the traffic is uninspected. Is there a rate limit or something similar which can be increased?</P></BODY></HTML> Mon, 14 Nov 2011 22:20:30 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793800#M493367 JEFF LAND 2011-11-14T22:20:30Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793801#M493368 <HTML><HEAD></HEAD><BODY><P>On the inspection itself? No, I dont think so. Is not that the traffic is flowing without inspection, it is being inspected, but not under RFC compliance of Sqlnet protocol. </P><P></P><P>You may be hitting this bug </P><P></P><TABLE border="0" cellpadding="3" cellspacing="0" style="width: 95%;"><TBODY><TR><TD>CSCta27859 </TD></TR><TR><TD> ASA 8.2.1 - Enabling inspect sqlnet adds 5 sec delays to big DB queries </TD></TR><TR><TD> <STRONG><STRONG>Symptom</STRONG>:</STRONG> When "inspect sqlnet" is enabled on ASA, single-connection version of SQLnet protocol experiences 5-seconds delays on big DB queries.&nbsp; There may be multiple delays in a single SQLnet TCP session.&nbsp; When inspection disabled, there are no delays.&nbsp;&nbsp;&nbsp; <STRONG><STRONG><STRONG>Condition</STRONG>s</STRONG>:</STRONG> - single-session version of SQLnet protocol is used (i.e. TCP/1521 is used both for command and data sessions)&nbsp;&nbsp;&nbsp; - "inspect sqlnet" is enabled on ASA&nbsp;&nbsp;&nbsp; <STRONG>Workaround:</STRONG> Disable sqlnet inspect.&nbsp; For single-session version of SQLnet protocol,&nbsp; disabling the inspect sqlnet does not have operational impact since there&nbsp; are no secondary connections that are being dynamically permitted through the firewall. </TD></TR></TBODY></TABLE><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta27859">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCta27859</A></P><P></P><P>Try going to the latest 8.2 version (8.2.5) and check if the problem persist. </P><P></P><P>Mike </P></BODY></HTML> Mon, 14 Nov 2011 22:37:19 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793801#M493368 Maykol Rojas 2011-11-14T22:37:19Z https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793802#M493369 <HTML><HEAD></HEAD><BODY><P> Right. I'll get the update and scedule some downtime. I'll post what I find. Thanks for your help.</P></BODY></HTML> Mon, 14 Nov 2011 23:16:14 GMT https://community.cisco.com/t5/network-security/slow-sqlnet-throughput-on-asa/m-p/1793802#M493369 JEFF LAND 2011-11-14T23:16:14Z