https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505340#M615551 <P>Hiyas,</P><P></P><P>We recently purchased an ASA 5510 and i'm having a slight problem configuring it.</P><P></P><P>When I enable the following (just default traffic inspection), download speed drops to ~ 3Mb/s from &gt; 10Mb/s.</P><P></P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code"><P>class-map global-class<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map global-policy<BR /> class global-class<BR />&nbsp; inspect ctiqbe<BR />&nbsp; inspect rsh<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect ftp<BR />&nbsp; inspect http<BR />&nbsp; inspect sip<BR />&nbsp; inspect icmp error<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect netbios<BR />&nbsp; inspect icmp<BR />&nbsp; inspect ils<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect skinny<BR />&nbsp; inspect tftp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect pptp<BR />&nbsp; inspect dns<BR />&nbsp; inspect mgcp<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect snmp<BR />!<BR />service-policy global-policy global</P></PRE><P>Only HTTP traffic is affected, FTP still goes at the full 10Mb/s up and !0MB/s down.</P><P></P><P>When I disable the above service policy rule, everything goes fast again.</P><P></P><P>If anyone can help or provide any insight here it would be greatly appreciated.</P><P></P><P>Thanks,</P><P>Matt</P> Mon, 11 Mar 2019 19:18:29 GMT mjacobsecaq 2019-03-11T19:18:29Z https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505340#M615551 <P>Hiyas,</P><P></P><P>We recently purchased an ASA 5510 and i'm having a slight problem configuring it.</P><P></P><P>When I enable the following (just default traffic inspection), download speed drops to ~ 3Mb/s from &gt; 10Mb/s.</P><P></P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code"><P>class-map global-class<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map global-policy<BR /> class global-class<BR />&nbsp; inspect ctiqbe<BR />&nbsp; inspect rsh<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect ftp<BR />&nbsp; inspect http<BR />&nbsp; inspect sip<BR />&nbsp; inspect icmp error<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect netbios<BR />&nbsp; inspect icmp<BR />&nbsp; inspect ils<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect skinny<BR />&nbsp; inspect tftp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect pptp<BR />&nbsp; inspect dns<BR />&nbsp; inspect mgcp<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect snmp<BR />!<BR />service-policy global-policy global</P></PRE><P>Only HTTP traffic is affected, FTP still goes at the full 10Mb/s up and !0MB/s down.</P><P></P><P>When I disable the above service policy rule, everything goes fast again.</P><P></P><P>If anyone can help or provide any insight here it would be greatly appreciated.</P><P></P><P>Thanks,</P><P>Matt</P> Mon, 11 Mar 2019 19:18:29 GMT https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505340#M615551 mjacobsecaq 2019-03-11T19:18:29Z https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505341#M615552 <HTML><HEAD></HEAD><BODY><P>When you enable the inspection for HTTP, that will slow down the HTTP traffic a little because it is performing deep packet inspection for HTTP traffic.</P><P>For more details on what "inspect http" does, please check the following command reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782</A></P><P></P><P>You can temporarily disable only the HTTP inspection from the global policy map as follows:</P><P></P><P>policy-map global-policy</P><P>&nbsp;&nbsp;&nbsp;&nbsp; class global-class</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; no inspect http</P><P></P><P>The above will disable just the HTTP inspection, and you can check the speed.</P><P></P><P>For more security, you would need to enable the http inspection, however, with security as it needs to inspect the packet in more details, it will impact the performance/speed.</P><P></P><P>Hope that answers your question.</P></BODY></HTML> Mon, 06 Dec 2010 06:57:22 GMT https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505341#M615552 Jennifer Halim 2010-12-06T06:57:22Z https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505342#M615553 <HTML><HEAD></HEAD><BODY><P>Thanks for your answer Jennifer.</P><P></P><P>I assumed this would be the case, but a 70% reduction in throughput just seemed a little high to me.</P><P></P><P>Thanks again,</P><P>Matt</P></BODY></HTML> Thu, 09 Dec 2010 06:46:01 GMT https://community.cisco.com/t5/network-security/slow-inbound-http-fast-outbound-http-asa5510/m-p/1505342#M615553 mjacobsecaq 2010-12-09T06:46:01Z