
Connection timeouts on ASA 5505

bachma0507

We recently got a 10 meg dedicated internet fiber connection installed. I connected it to a PIX 501 firewall and everything worked fine (I tested it for a couple of weeks). A couple of days ago I got a new ASA 5505 and replaced the PIX with this device. It works, but every so often there seems to be a timeout when surfing the web whereby I click on a link and there is up to a 45 second wait and then the page loads quickly. I was not getting this before on the PIX so I'm assuming it's not a latency issue with the connection. I am the only one using this connection on the network so it's not to say that it's being bogged down. It's driving me crazy! I want to roll this out to the other users on the network but not when this is happening. Can someone point me in the right direction? The configuration is below:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name mycompany.com

enable password tdkuTUSh53d2MT6B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 172.26.0.252 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address zz.xx.yyy.253 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name mycompany.com

access-list MC_Split_Tunnel_List remark The corporate network behind the ASA

access-list MC_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit udp any any eq 4500

access-list outside_access_in extended permit udp any any eq isakmp

access-list outside_access_in extended permit tcp any host zz.xx.yyy.251 eq ftp

access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPN_POOL 172.26.6.1-172.26.6.100 mask 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) zz.xx.yyy.251 172.26.5.9 netmask 255.255.255.255

static (inside,outside) zz.xx.yyy.244 172.26.0.136 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 zz.xx.yyy.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 172.26.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy VPNPOL1 internal

group-policy VPNPOL1 attributes

dns-server value 172.26.0.250 172.26.0.251

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value MC_Split_Tunnel_List

address-pools value VPN_POOL

username bjulien password bhKBinDUWhYqGbP4 encrypted

username bjulien attributes

vpn-group-policy VPNPOL1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:ed6fd7d8535120634dfb59217a295c26

: end


How are your interface settings? 100 full?

Try disabling threat detection using the command:

no threat-detection basic-threat

that might be causing some issues. If you don't want to disable it completely just remove the following lines:

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Sent from Cisco Technical Support iPhone App

All interfaces are set to auto.

I disabled the threat detection. Let me see if that helps. Thanks!

OK, set to auto, but what are the settings negotiated? Do a show interface and check the physical interfaces.

Let me know how things work.

The show interface output is below. I disabled threat detection and the connection was working well for the past few hours until about 5 minutes ago, when the timing out delays started once again. I would gladly go back to the PIX, however, it only has a 10 user license and internet connectivity through the PIX seems to be a little slower than the ASA 5505 which has an unlimited user license. I bought a 50 user upgrade for the PIX but when I tried to activate it online, it says it cannot find the PIX serial number. I called Cisco Support, and they were able to find the serial in their records but the activation still said cannot find the serial number. Cisco Licensing Support is now handling the support case. Even when I am able to finally upgrade the user licenses on the PIX, I am hesitant to use it because of the slowness. I really need the ASA to work. Thanks for all your help.

SHOW INTERFACE OUTPUT

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

MAC address 000000000, MTU 1500

IP address 172.26.0.252, subnet mask 255.255.0.0

  Traffic Statistics for "inside":

32874148 packets input, 42566284217 bytes

17716087 packets output, 2130191314 bytes

717349 packets dropped

      1 minute input rate 13 pkts/sec,  1251 bytes/sec

      1 minute output rate 14 pkts/sec,  3006 bytes/sec

      1 minute drop rate, 2 pkts/sec

      5 minute input rate 342 pkts/sec,  473414 bytes/sec

      5 minute output rate 188 pkts/sec,  8879 bytes/sec

      5 minute drop rate, 2 pkts/sec

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

MAC address 00000000, MTU 1500

IP address zz.xx.yyy.aaa, subnet mask 255.255.255.240

  Traffic Statistics for "outside":

17631945 packets input, 2088968709 bytes

30773743 packets output, 42375079649 bytes

2331 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  63 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 188 pkts/sec,  8879 bytes/sec

      5 minute output rate 337 pkts/sec,  472819 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

MAC address 0000000, MTU not set

IP address unassigned

17635405 packets input, 2490698444 bytes, 0 no buffer

Received 4495 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

2518 switch ingress policy drops

30754836 packets output, 42922459626 bytes, 0 underruns

403173 output errors, 317098 collisions, 0 interface resets

0 late collisions, 16506 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/1 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 0000000, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/2 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 0000000, MTU not set

IP address unassigned

1391268 packets input, 171193162 bytes, 0 no buffer

Received 1140677 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

47420 packets output, 40507712 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/3 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 00000000, MTU not set

IP address unassigned

31294332 packets input, 42661930417 bytes, 0 no buffer

Received 755120 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

17359091 packets output, 2338880870 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/4 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

MAC address 000000000, MTU not set

IP address unassigned

551810 packets input, 396891089 bytes, 0 no buffer

Received 148561 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

296211 packets output, 147710772 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/5 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 000000000, MTU not set

IP address unassigned

16173 packets input, 1782898 bytes, 0 no buffer

Received 3944 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

17263 packets output, 7730039 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/6 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 000000000, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/7 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 00000000, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops

0 rate limit drops

0 switch egress policy drops

I connected back the PIX and everything is working again with no timeout delays. The speed is fine so it was perhaps my imagination about its slower speed compared to the ASA 5505. In any case, I want to continue to troubleshoot the ASA to figure out what's causing the delays.

Your ASA interface e0/0 shows half duplex; that seems to be your issue.

You can change it using the following commands:

int e0/0

duplex full

speed 100

The device that you have connected to this interface should also have the same settings.

Sent from Cisco Technical Support iPhone App
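
The check made in the answer above, as an added example that is not part of the original thread: a Python script that parses ASA `show interface` text and flags ports that negotiated half duplex or are counting collisions. The sample is trimmed from the output posted in this thread; the function names `parse_interfaces` and `duplex_suspects` are hypothetical.

```python
import re

# Excerpt trimmed from the `show interface` output posted in this thread.
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
30754836 packets output, 42922459626 bytes, 0 underruns
403173 output errors, 317098 collisions, 0 interface resets
0 late collisions, 16506 deferred
Interface Ethernet0/4 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
296211 packets output, 147710772 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
"""

HEADER = re.compile(r'^Interface (\S+) "[^"]*", is ([^,]+),', re.M)
DUPLEX = re.compile(r"Duplex\((Half|Full)-duplex\)")
COUNTERS = {n.replace(" ", "_"): re.compile(r"(\d+) " + n) for n in (
    "packets output", "output errors", "collisions", "late collisions", "deferred")}

def parse_interfaces(text):
    """Split the output on 'Interface ...' headers; return one dict per port."""
    heads = list(HEADER.finditer(text))
    ports = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[h.start():end]
        dup = DUPLEX.search(block)  # absent on down ports and on Vlan interfaces
        port = {"name": h.group(1), "up": h.group(2) == "up",
                "duplex": dup.group(1).lower() if dup else None}
        for key, rx in COUNTERS.items():
            m = rx.search(block)
            port[key] = int(m.group(1)) if m else 0
        ports.append(port)
    return ports

def duplex_suspects(text):
    """Return (name, reasons) for ports whose state or counters suggest a duplex problem."""
    suspects = []
    for p in parse_interfaces(text):
        reasons = []
        if p["up"] and p["duplex"] == "half":
            reasons.append("negotiated half duplex")
        if p["collisions"] or p["late_collisions"]:
            pct = 100.0 * p["collisions"] / max(p["packets_output"], 1)
            reasons.append(f"{p['collisions']} collisions ({pct:.2f}% of output)")
        if reasons:
            suspects.append((p["name"], reasons))
    return suspects
```

On the excerpt only Ethernet0/0 is flagged; a port left on auto falls back to half duplex when the far end is fixed rather than negotiating, which is why both ends need matching settings.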

OK, I'll make the changes and do additional testing. Thanks!

That did it! Thanks a bunch!
