Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2165
Views
0
Helpful
2
Replies

ASA 5515 - Intermittent ping latency on ASA interfaces and through the ASA

rsjordan00
Level 1
Level 1

‎08-18-2015 03:03 PM - edited ‎03-11-2019 11:27 PM

I recently noticed intermittent latency when pinging my ASA's interfaces. I see the same latency when pinging hosts through the ASA.

For instance, when I ping the ASA's interface on my local network, 172.16.0.1, I normally see 1ms RTT, but every once in a while, I'll see several hundred ms RTT. I would average it around 1 high RTT every 15-20 pings.

I see the same behavior when I ping devices through the ASA (from an "inside" host to a "dmz" or "outside" host). The high RTT times seem to happen at the same time when I run concurrent pings to the ASA interface and through the ASA to a host on another network.

I don't believe this is due to congestion anywhere else because all devices are on the same switch and I never see this problem when pinging between two hosts on the same local network.

I checked basic performance metrics on the ASA such as CPU, memory and interface utilization and I don't see anything out of the ordinary. I am running ICMP inspection to allow ICMP responses when internal hosts send ping requests but I temporarily disabled it and still saw the same intermittent latency.

I'm not really sure where else I can look. I don't have reason to believe this is causing performance issues but it is causing a lot of false alarms in our monitoring system which uses ping RTT to measure latency. The monitoring system was recently put in so I'm not sure how long this issue has been going on.

4 people had this problem
Labels:
0 Helpful
2 Replies 2

joseoroz
Cisco Employee
Cisco Employee

‎08-18-2015 03:48 PM

Hello rsjordan00,

As far as the latency when you ping the ASA. You can create a capture on the device and you are going to see the request and replies. You can also download the capture on pcap and compare the time that the packet was received and the reply.

Same thing with the pings across the firewall. You will have to gather both inbound and outbound traffic then compare the turn around times and that is the way to determine the latency added by the firewall. 

Other than the cpu memory and indicator of a problem could be the interface errors like overruns and underruns and CRC errors. 

Kind regards,

Jose Orozco.

0 Helpful

rsjordan00
Level 1
Level 1
In response to joseoroz

‎08-20-2015 08:35 AM

Thanks for the suggestions. I ran a capture on the firewall it does not reflect the high response times I'm seeing in my ping output. I checked the switchport interfaces where the packets travel across and didn't see any interface errors. I think I might try to setup another interface on the firewall and connect a host directly to the firewall and see if I still see the same issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card