topic Re: CSC SSM slows down internet traffic in Network Security

CSC SSM slows down internet traffic

kpoon — Mon, 11 Mar 2019 20:35:15 GMT

Hello,

We have Cisco ASA 5510 256RAM running 8.2.4 with CSC 6.3.1172.4, it slows down internet traffics drastically when we do speed test, we get something like this

It the computer is bypassing the CSC, it gets

This was done when there's very low traffic on the LAN and CPU is low usage on the CSC.

The CSC has been re-imaged also but still doesn't solve the problem.

All tests are done with the same test server.

Any idea?

Thanks.

Re: CSC SSM slows down internet traffic

Maykol Rojas — Thu, 19 May 2011 01:55:58 GMT

Hi,

Do you have HTTP scanning by any chance? It is expected to see that those numbers go down, but not like that.... If you do a download, is it being reflected? Is it all internet traffic or just http?

Mike.

Re: CSC SSM slows down internet traffic

kpoon — Thu, 19 May 2011 12:29:52 GMT

Hi,

I don't have inspect HTTP on. according to http://www.speedtest.net/, the download is being reflected all the time. I believe it's all traffic that goes thru the CSC. For now I've even turned off ftp scanning. Here's my configuration:

access-list throttle_frontline extended permit ip host 7.x.x.x.x any
access-list throttle_frontline extended permit ip any host 7.x.x.x

access-list cscTraffic extended deny ip host 192.168.10.254 any
access-list cscTraffic extended deny ip object-group admin-ip any
access-list cscTraffic extended deny ip any object-group tms-ip
access-list cscTraffic extended permit object-group TCPUDP any any eq www
access-list cscTraffic extended permit tcp any any eq https
access-list cscTraffic extended permit tcp any any eq smtp
access-list cscTraffic extended permit tcp any any eq ftp inactive

!
class-map global-class
match default-inspection-traffic
class-map csc-class
match access-list cscTraffic
class-map throttle_frontline
match access-list throttle_frontline
!
!
policy-map throttle-policy
class throttle_frontline
police input 600000 2000
police output 600000 2000
policy-map global-policy
class global-class
inspect pptp
inspect ftp
inspect ipsec-pass-thru
inspect xdmcp
inspect h323 h225
inspect h323 ras
inspect sip
class csc-class
csc fail-open
!
service-policy global-policy global
service-policy throttle-policy interface outside

Re: CSC SSM slows down internet traffic

brquinn — Thu, 19 May 2011 13:04:28 GMT

The time change with ping doesn't make sense. That traffic is not going through the CSC module. That alone makes the numbers a bit suspicious. From what you indicated, the only change was removing the service policy for the CSC module on the ASA. Is that correct?

I see you have a policing policy in place as well. If you remove the policing policy, but leave the CSC policy in place, do you see an improvement?

Is scanning enabled on the CSC? By its very nature, scanning will cache all files before they are sent to the end host. This breaks how the speed test determines its speed. (measuring how long it takes a file to be download) You can enable deferred scanning for files larger than 1MB, but the CSC still needs to complete its AV scan prior to sending the last byte of data to the client.

Finally, what version are you running on your CSC module and on your ASA?

Thanks,

Brendan

Re: CSC SSM slows down internet traffic

kpoon — Thu, 19 May 2011 13:46:12 GMT

The time change in ping is even worse now after I re-flashed the CSC module. It's about >300ms.

The moment I do this,

access-list cscTraffic line 4 extended permit object-group TCPUDP any any eq http inactive
access-list cscTraffic line 5 extended permit tcp any any eq https inactive

The ping time comes back to normal, ~15ms, the speed as well.

or any systems belong to admin-ip or tms-ip groups are fine as well since they completely bypass the CSC

The policing policy doesn't affect the result whether it's enabled or disabled.

Scanning is enabled on the CSC, I am just puzzled why the results changes in such drastic fashion. I am expecting slow down with scanning but not at that extend.

CSC is version 6.3.1172.4

ASA is version 8.2(4), I can't upgrade to 8.3+ since I only have 256MB, correct me if I am wrong.

ASDM is version 6.4(1)

Thanks.

Re: CSC SSM slows down internet traffic

brquinn — Thu, 19 May 2011 13:59:33 GMT

The CSC does not scan https or any UDP ports. The only 4 TCP ports you should send are smtp, http, ftp, and pop3. It also doesn't make any sense that this would affect ICMP traffic unless there was some rule marking the ICMP traffic to be sent through the CSC module as well.

Scanning will definitely interfere with the results of an online speed test. The test is an app that essentially tracks how long it takes the file to download. By performing scanning, the results of this test are invalid because it does not accurately portray the speed of your internet connection.

Please keep in mind that this doesn't necessarily mean you are wasting bandwidth since there is never only one user browsing at a time.

Thanks,

Brendan

Re: CSC SSM slows down internet traffic

kpoon — Thu, 19 May 2011 14:22:08 GMT

Perhaps it's as you have said, the online app doesn't necessary portrait the bandwidth correctly with CSC.

I've done real life ping time test, and it turns out correctly.

I've changed the access-list to only TCP.

Thanks for your explaination.