11-14-2011 10:42 AM - edited 03-11-2019 02:50 PM
I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file. What could be the problem?
11-14-2011 11:22 AM
Hi,
Do you have the Sqlnet inspection turned on the firewall? If so, remove it and try to access the DB again.
Mike Rojas
11-14-2011 01:23 PM
I will try that but inspect sqlnet is enabled under policy-map global_policy on the old 5520 running 8.0 also. Do you know if they made any changes to the sqlnet inspection in 8.1 or 8.2?
11-14-2011 01:30 PM
They do with every version change. But we need to confirm if the inspection is actually the problem.
Mike
11-14-2011 02:20 PM
Yes, taking the sqlnet inspection out fixed the problem. But now the traffic is uninspected. Is there a rate limit or something similar which can be increased?
11-14-2011 02:37 PM
On the inspection itself? No, I don't think so. It is not that the traffic is flowing without inspection; it is being inspected, but not under RFC compliance of the Sqlnet protocol.
You may be hitting this bug:
CSCta27859: ASA 8.2.1 - Enabling inspect sqlnet adds 5 sec delays to big DB queries
Symptom: When "inspect sqlnet" is enabled on ASA, single-connection version of SQLnet protocol experiences 5-seconds delays on big DB queries. There may be multiple delays in a single SQLnet TCP session. When inspection disabled, there are no delays.
Conditions:
- single-session version of SQLnet protocol is used (i.e. TCP/1521 is used both for command and data sessions)
- "inspect sqlnet" is enabled on ASA
Workaround: Disable sqlnet inspect. For single-session version of SQLnet protocol, disabling the inspect sqlnet does not have operational impact since there are no secondary connections that are being dynamically permitted through the firewall.
Try going to the latest 8.2 version (8.2.5) and check if the problem persists.
Mike
11-14-2011 03:16 PM
Right. I'll get the update and schedule some downtime. I'll post what I find. Thanks for your help.