12-21-2017 07:13 AM - edited 02-21-2020 07:00 AM
I'm getting about a 10th of the speed out of my new internet connection; we should be getting 1000mbps. We have swapped out media converters, fiber, and also Ethernet patch cables. I went through 2 iperf tests with the ISP about a week apart. On the first test I was told it was the ISP's fault, and on the second test the download speeds were as expected. Both of these tests were done between the media converter and my end device. So I'm back looking at my setup trying to find the speed issue. My end device is an ASA 5512x and I have several switches behind it. Media converter->ASA->2960->7 other switches. I have been over and over auto speed and auto duplex.
gw# sh asp drop
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 120
VPN reclassify failed (vpn-reclassify-failed) 15
Unsupported IP version (unsupported-ip-version) 2
No route to host (no-route) 262
Flow is denied by configured rule (acl-drop) 421107
Invalid SPI (np-sp-invalid-spi) 2
First TCP packet not SYN (tcp-not-syn) 5643
TCP failed 3 way handshake (tcp-3whs-failed) 154
TCP RST/FIN out of order (tcp-rstfin-ooo) 2834
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 9
TCP SYNACK on established conn (tcp-synack-ooo) 2
TCP packet SEQ past window (tcp-seq-past-win) 115
TCP RST/SYN in window (tcp-rst-syn-in-win) 9
Output QoS rate exceeded (rate-exceeded) 99925
Slowpath security checks failed (sp-security-failed) 54109
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 4
DNS Inspect id not matched (inspect-dns-id-not-matched) 5
FP L2 rule drop (l2_acl) 614
Interface is down (interface-down) 6
IKE new SA limit exceeded (ike-sa-rate-limit) 49651
Last clearing: Never
Flow drop:
Tunnel has been torn down (tunnel-torn-down) 28
Need to start IKE negotiation (need-ike) 115038
VPN handle not found (vpn-handle-not-found) 10
VPN overlap conflict (vpn-overlap-conflict) 27444
Inspection failure (inspect-fail) 116
Last clearing: Never
Could it be an MTU sizing issue? Maybe still an ISP misconfiguration? I'm running out of things to try. Please help! Thank you
12-21-2017 07:15 AM - edited 12-21-2017 07:41 AM
gw# sh int gi0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 80e0.1d37.9444, MTU 1500
IP address XXX.XXX.XXX.XXX, subnet mask 255.255.255.248
15210789 packets input, 12544240000 bytes, 0 no buffer
Received 23872 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
14786245 packets output, 10655490398 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
4 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (507/374)
output queue (blocks free curr/low): hardware (510/397)
Traffic Statistics for "outside":
15210749 packets input, 12260565918 bytes
14786245 packets output, 10380184370 bytes
50098 packets dropped
1 minute input rate 878 pkts/sec, 545040 bytes/sec
1 minute output rate 884 pkts/sec, 443242 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 3836 pkts/sec, 4788624 bytes/sec
5 minute output rate 1402 pkts/sec, 200796 bytes/sec
5 minute drop rate, 1 pkts/sec
12-21-2017 08:01 AM
Are you inspecting the traffic with the Firepower service module?
12-21-2017 08:02 AM
Thank you for the response, but no we are not using IPS at this site.
12-21-2017 08:16 AM - edited 12-21-2017 08:17 AM
Sure. The one other thing I thought of is the line you shared that mentions QoS:
Output QoS rate exceeded (rate-exceeded) 99925
Do you have a QoS policy applied?
12-21-2017 08:25 AM - edited 12-21-2017 08:26 AM
I think you're on to something. It looks like the traffic is being policed:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map qos-class-policy
class udp-traffic-class
priority
class voice-class
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
policy-map qos-outside-policy
class class-default
police output 99614500
!
service-policy global_policy global
service-policy qos-outside-policy interface outside
I just removed the line "service-policy qos-outside-policy interface outside" and speeds are better, but it's off and on right now. Ran 3 speed tests: one at 100mbps, another at 820mbps, and the last one back down to 157mbps.
(this is an old config that most likely needs to be wiped and reconfigured at some point)
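An added example, not part of the original thread: a small audit that walks an ASA config, resolves each `service-policy ... interface` binding to its policy-map, and flags any `police` rate below the interface's link speed. The function names and the `LINK_BPS` table are assumptions for illustration; the sample config is constructed from the lines posted above, and the link rate comes from the "BW 1000 Mbps" line in the `sh int gi0/0` output.

```python
import re

# Constructed sample: QoS-related lines from the config posted above.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map qos-class-policy
class udp-traffic-class
priority
policy-map qos-outside-policy
class class-default
police output 99614500
!
service-policy global_policy global
service-policy qos-outside-policy interface outside
"""
# Assumption: link rate per nameif, taken from "sh int" (BW 1000 Mbps).
LINK_BPS = {"outside": 1_000_000_000}


def parse_policers(config):
    """Return {policy_map: [(class, direction, rate_bps), ...]}."""
    policers, pmap, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            parts = line.split()
            # "policy-map type inspect ..." maps carry no policers; skip them.
            pmap, cls = (parts[1] if len(parts) == 2 else None), None
        elif m := re.match(r"class (\S+)$", line):
            cls = m.group(1)
        elif pmap and (m := re.match(r"police (input|output) (\d+)", line)):
            policers.setdefault(pmap, []).append((cls, m.group(1), int(m.group(2))))
    return policers


def find_throttled_interfaces(config, link_bps):
    """List interfaces whose attached policy polices below the link rate."""
    policers, findings = parse_policers(config), []
    for m in re.finditer(r"^service-policy (\S+) interface (\S+)$", config, re.M):
        pmap, ifname = m.groups()
        for cls, direction, rate in policers.get(pmap, []):
            if ifname in link_bps and rate < link_bps[ifname]:
                pct = round(100 * rate / link_bps[ifname], 1)
                findings.append((ifname, pmap, cls, direction, rate, pct))
    return findings


if __name__ == "__main__":
    for f in find_throttled_interfaces(SAMPLE_CONFIG, LINK_BPS):
        print("%s: %s/%s polices %s at %d bps (%s%% of link)" % f)
```

On the sample it reports the `outside` interface policed at about 10% of the link, which matches the "10th of the speed" symptom in the first post.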
12-21-2017 08:37 AM
Thank you, Marvin
I think that solved it. It's slightly all over the place right now, but that is probably due to this speed test not being 100% accurate and also everyone being on it at once.
12-21-2017 08:43 AM
You’re welcome. I’m glad that fixed it.
Plus now you know that the traffic policer works just fine.
Thanks for rating.