
ASA5545 is not allowing us to connect at 1GB for internet

rickcorriveau
Level 1

We recently installed a new 1GB internet circuit. When we connect directly to the router we average 900 to 950MB. When we connect the router to the outside interface of the firewall and test internet connectivity, our average speed is anywhere from 300 to 500mb TOPS. Is there some bandwidth throttling happening behind the scenes?

FYI, this firewall is strictly for internet access. There are no VPNs configured so it's not like it's fighting with other internet hungry services.

Thank you in advance.


1 Reply

Hello rickcorriveau,

Thanks for posting to the forums! I'd be happy to help you if I can.

So I can tell you that I run a 5550 out of my home network and get about 950mbps consistently, so there should be zero appreciable difference between plugging straight into the ISP and going through the firewall. That being said, there are a few things to check.

Did you configure the 5545 through the CLI or use ASDM? If you used ASDM, you can check the live logs in the application. If you only have CLI access it's no problem, but my first recommendation would be to turn on logging with the commands

logging buffered 7

logging enable

and then run some traffic through the firewall and do a spot check of the logs with

show logging

or

show logging asdm

You may also (before or after that) run

clear asp drop (then run some traffic)

show asp drop

These commands will give you an idea of if you're dealing with any serious packet drops, and you can work on next steps to sort out the packet drop issue.

If it doesn't look like your device is dropping any packets, make sure that you've wired your internal and external networks into two separate modules on the back of the device (it should have 2 rows of 5 Ethernet ports--each row is for either the inside or outside network. Placing both networks in the same row of modules can seriously degrade performance).

Last thing I'd check is how the device is connected to the ISP's hardware. Are you subject to firewall rules from the ISP gateway? I can tell you that last time I wired up an ASA the performance was horribly degraded because my ASA was overwhelming the ISP gateway with burst traffic and resulting in 40%ish packet loss--basically it was trying to process the traffic from my ASA as though it were a node and not a gateway device. If you have access to the provider's gateway (presumably there's a demarc on premises) you can dial in and put your down device in the unfiltered category, or you may need to call the provider and ask them to put you in pass through mode to give you a straight line to their POP router (I know AT&T calls this "DMZ+ mode"..... because I was on a call with a Tier I technician for about 2 hours until she could finally figure out what I was asking for... she also made sure to tell me how foolish I was for not knowing that IP Bridge or IP Passthrough mode on my gateway would be called DMZ+ and is an ATT proprietary protocol.... I digress).

If you've verified that you're wired into two different modules, you aren't getting severe ASP drops, and you aren't suffering packet loss from the provider's gateway, post back up and I'll see what else I can come up with to help you out. But those are the usual culprits.

Good luck!

Please remember to rate/mark this post if it's been helpful to you.

Thanks!

-Zac
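
Added example, not part of the reply above: one way to triage the text captured from `show asp drop` after a throughput test, by ranking drop reasons against the number of packets sent. The sample output is constructed for illustration, and the `packets_sent` figure and 1% threshold are assumptions the operator supplies.

```python
import re

# Constructed sample laid out like ASA "show asp drop" output.
# Counters and timestamps are made up; paste real output in its place.
SAMPLE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                         1520
  First TCP packet not SYN (tcp-not-syn)                                 87
  Interface is down (interface-down)                                      3

Last clearing: 10:15:02 UTC Jan 01 2024 by enable_15

Flow drop:
  Inspection failure (inspect-fail)                                      12

Last clearing: 10:15:02 UTC Jan 01 2024 by enable_15
"""

SECTION = re.compile(r"^(Frame|Flow) drop:\s*$")
COUNTER = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {section: {reason: count}} parsed from 'show asp drop' text."""
    drops, section = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()   # "frame" or "flow"
            drops[section] = {}
            continue
        m = COUNTER.match(line)
        if m and section:                  # skips "Last clearing" and blank lines
            drops[section][m.group("name")] = int(m.group("count"))
    return drops

def top_reasons(drops, packets_sent, threshold=0.01):
    """Rank reasons whose count is at least `threshold` of the packets sent."""
    rows = [(sec, name, n, n / packets_sent)
            for sec, reasons in drops.items() for name, n in reasons.items()]
    return sorted((r for r in rows if r[3] >= threshold), key=lambda r: -r[2])

if __name__ == "__main__":
    # packets_sent is the operator's own estimate for the test run (assumption).
    for sec, name, n, share in top_reasons(parse_asp_drop(SAMPLE), packets_sent=100_000):
        print(f"{sec:5} {name:20} {n:>8} {share:.2%}")
```

Run `clear asp drop` before the test so the counters reflect only the test traffic.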
