
ASA 5505 8.2(1) - Poor WAN connection speed

jgeorge
Level 1

To sum it up, the ASA is maxing out at 7MB down on a 25MB connection. The connection was tested with the ASA removed and the connection is fine.

This popped out at me the most but I'm not sure what it means:

12884935775 switch ingress policy drops for eth 0/0

ciscoasa# show interface

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 192.192.192.1, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

        60970690 packets input, 13913244351 bytes

        58976961 packets output, 51852996074 bytes

        11661619 packets dropped

      1 minute input rate 73 pkts/sec,  17085 bytes/sec

      1 minute output rate 77 pkts/sec,  58339 bytes/sec

      1 minute drop rate, 4 pkts/sec

      5 minute input rate 184 pkts/sec,  71247 bytes/sec

      5 minute output rate 140 pkts/sec,  100504 bytes/sec

      5 minute drop rate, 4 pkts/sec

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 64.132.143.181, subnet mask 255.255.255.240

  Traffic Statistics for "outside":

        59393878 packets input, 55428940778 bytes

        49439745 packets output, 11588292732 bytes

        671362 packets dropped

      1 minute input rate 70 pkts/sec,  57386 bytes/sec

      1 minute output rate 62 pkts/sec,  15718 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 131 pkts/sec,  99810 bytes/sec

      5 minute output rate 174 pkts/sec,  70422 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface Vlan12 "Guest1", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 10.0.0.254, subnet mask 255.255.255.0

  Traffic Statistics for "Guest1":

        25319316 packets input, 3816960570 bytes

        3983553 packets output, 3862554401 bytes

        20598136 packets dropped

      1 minute input rate 6 pkts/sec,  698 bytes/sec

      1 minute output rate 0 pkts/sec,  136 bytes/sec

      1 minute drop rate, 4 pkts/sec

      5 minute input rate 6 pkts/sec,  674 bytes/sec

      5 minute output rate 0 pkts/sec,  101 bytes/sec

      5 minute drop rate, 4 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5b7, MTU not set

        IP address unassigned

        59625610 packets input, 56589417802 bytes, 0 no buffer

        Received 121934 broadcasts, 0 runts, 0 giants

        205101 input errors, 205101 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        12884935775 switch ingress policy drops

        49439776 packets output, 12647462703 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/1 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex, Auto-Speed

        Available but not configured via nameif

        MAC address 0025.84ba.a5b8, MTU not set

        IP address unassigned

        27929 packets input, 2231730 bytes, 0 no buffer

        Received 1401 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        1215 switch ingress policy drops

        4146822 packets output, 691162685 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/2 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5b9, MTU not set

        IP address unassigned

        108154469 packets input, 20904268305 bytes, 0 no buffer

        Received 17076444 broadcasts, 0 runts, 0 giants

        150631 input errors, 1 CRC, 0 frame, 150629 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        12884961778 switch ingress policy drops

        99512019 packets output, 57258966359 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/3 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5ba, MTU not set

        IP address unassigned

        53107701 packets input, 7048981307 bytes, 0 no buffer

        Received 25152462 broadcasts, 0 runts, 0 giants

        75668 input errors, 0 CRC, 0 frame, 75667 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        17179903698 switch ingress policy drops

        44326368 packets output, 4312679805 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/5 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5bc, MTU not set

        IP address unassigned

        192436 packets input, 20479294 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        8589967618 switch ingress policy drops

        39213895 packets output, 6080350462 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/6 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5bd, MTU not set

        IP address unassigned

        3121302 packets input, 498409602 bytes, 0 no buffer

        Received 235583 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        8589969007 switch ingress policy drops

        42570272 packets output, 9835351746 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

6 Replies

mirober2
Cisco Employee

Hi Jason,

Is Ethernet0/0 the port that connects to the Internet? If so, there are a large number of CRC errors on that interface:

205101 input errors, 205101 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

This is usually caused by a speed/duplex mismatch. The settings should match whatever is set on the device the ASA connects to. Try changing the speed and duplex to auto and then do 'clear interface' to reset the error counters:

interface e0/0

   speed auto

   duplex auto

clear interface

Hope that helps.

-Mike
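
Added example (not part of the thread or any Cisco tooling): a small Python parser for `show interface` output that applies the check described in the reply above, flagging physical ports with a meaningful share of CRC errors and noting whether speed/duplex is hard-coded. The sample text is constructed from counters quoted in the thread; the `min_ratio` threshold and the function names are assumptions.

```python
import re

# Constructed sample: trimmed `show interface` text built from counters quoted in the thread.
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        59625610 packets input, 56589417802 bytes, 0 no buffer
        205101 input errors, 205101 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        108154469 packets input, 20904268305 bytes, 0 no buffer
        150631 input errors, 1 CRC, 0 frame, 150629 overrun, 0 ignored, 0 abort
Interface Ethernet0/5 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        192436 packets input, 20479294 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

HEADER = re.compile(r'^Interface (\S+) "[^"]*", is (up|down|administratively down)')
LINK = re.compile(r'^\s+(Auto|Full|Half)-Duplex(?:\([^)]*\))?, (Auto-Speed|\d+ Mbps)')
PKTS_IN = re.compile(r'^\s+(\d+) packets input,')
ERRORS = re.compile(r'^\s+(\d+) input errors, (\d+) CRC,')


def parse_show_interface(text):
    """Return one dict per interface block; blank lines between rows are ignored."""
    ports, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"name": m.group(1), "state": m.group(2), "fixed_link": None,
                   "packets_in": 0, "input_errors": None, "crc": 0}
            ports.append(cur)
        elif cur is None:
            continue
        elif (m := LINK.match(line)):
            # Anything other than Auto-Duplex + Auto-Speed is a hard-coded setting.
            cur["fixed_link"] = (m.group(1), m.group(2)) != ("Auto", "Auto-Speed")
        elif (m := PKTS_IN.match(line)):
            cur["packets_in"] = int(m.group(1))
        elif (m := ERRORS.match(line)):
            cur["input_errors"], cur["crc"] = int(m.group(1)), int(m.group(2))
    return ports


def crc_findings(ports, min_ratio=1e-4):
    """Flag physical ports whose CRC errors exceed min_ratio of received packets.

    min_ratio is an assumed triage threshold, not a Cisco-documented value.
    """
    findings = []
    for p in ports:
        if p["input_errors"] is None or not p["packets_in"]:
            continue  # VLAN SVIs carry no error row; idle ports have no baseline
        ratio = p["crc"] / p["packets_in"]
        if ratio > min_ratio:
            findings.append({
                "interface": p["name"],
                "crc": p["crc"],
                "crc_ratio": round(ratio, 5),
                "fixed_link": p["fixed_link"],
                "next_step": ("compare speed/duplex with the connected device"
                              if p["fixed_link"] else
                              "link is auto-negotiated; check whether the peer is hard-coded"),
            })
    return findings


if __name__ == "__main__":
    for finding in crc_findings(parse_show_interface(SAMPLE)):
        print(finding)
```

Run it against output captured after `clear interface` so the ratio reflects current behaviour rather than counters left over from earlier changes.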

Thanks for pointing that out. I forgot to mention at one point for troubleshooting I tried to change the interface speed and I believe that is where the CRC errors are coming from. I cleared the stats and since then no more CRC errors are being viewed. The issue is still there but the CRC were caused by earlier troubleshooting.

Hello,

Would you please paste your running configuration? I want to know if you have any of the following things:

HTTP filter options

HTTP inspection

QoS configured

SSC card involved

Also, are you connected directly to the ASA? Can you try to download a file directly connected to the Internet router and then do the same when connected behind the ASA firewall?

If you are able to do that test, please start Wireshark when doing the download, then when connected behind the firewall, please start a packet capture when doing the same download on the inside and outside interface of the firewall, so we can analyze the Input/Output rates.

Cheers

Mike

Mike

I only have remote access to the ASA currently but I will get all the information I can till I can get physical access. Connected directly to the ISP modem the speed is 20Mb down; connected directly to the ASA the speed is around 7MB down.

Below is the new show interface that had the stats cleared last night and let run till this morning.

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 192.192.192.1, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

        1699136 packets input, 365889334 bytes

        1582846 packets output, 1330972492 bytes

        255633 packets dropped

      1 minute input rate 192 pkts/sec,  18512 bytes/sec

      1 minute output rate 255 pkts/sec,  309449 bytes/sec

      1 minute drop rate, 4 pkts/sec

      5 minute input rate 44 pkts/sec,  8631 bytes/sec

      5 minute output rate 41 pkts/sec,  25659 bytes/sec

      5 minute drop rate, 4 pkts/sec

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 64.132.143.181, subnet mask 255.255.255.240

  Traffic Statistics for "outside":

        1705308 packets input, 1348744583 bytes

        1671154 packets output, 745037104 bytes

        20975 packets dropped

      1 minute input rate 252 pkts/sec,  310646 bytes/sec

      1 minute output rate 206 pkts/sec,  19326 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 37 pkts/sec,  25546 bytes/sec

      5 minute output rate 36 pkts/sec,  8173 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface Vlan12 "Guest1", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 0025.84ba.a5bf, MTU 1500

        IP address 10.0.0.254, subnet mask 255.255.255.0

  Traffic Statistics for "Guest1":

        640441 packets input, 451206607 bytes

        235123 packets output, 22489484 bytes

        255533 packets dropped

      1 minute input rate 5 pkts/sec,  569 bytes/sec

      1 minute output rate 0 pkts/sec,  36 bytes/sec

      1 minute drop rate, 4 pkts/sec

      5 minute input rate 5 pkts/sec,  630 bytes/sec

      5 minute output rate 0 pkts/sec,  137 bytes/sec

      5 minute drop rate, 4 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5b7, MTU not set

        IP address unassigned

        1715924 packets input, 1387217073 bytes, 0 no buffer

        Received 3079 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        6170 switch ingress policy drops

        1674502 packets output, 780669552 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/1 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex, Auto-Speed

        Available but not configured via nameif

        MAC address 0025.84ba.a5b8, MTU not set

        IP address unassigned

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        0 switch ingress policy drops

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/2 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5b9, MTU not set

        IP address unassigned

        1799538 packets input, 413345564 bytes, 0 no buffer

        Received 320388 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        446 switch ingress policy drops

        1586035 packets output, 1364705821 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/3 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5ba, MTU not set

        IP address unassigned

        399454 packets input, 50953863 bytes, 0 no buffer

        Received 300177 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        1247 switch ingress policy drops

        32731 packets output, 3812121 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/4 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5bb, MTU not set

        IP address unassigned

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        0 switch ingress policy drops

        419587 packets output, 53105944 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/5 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5bc, MTU not set

        IP address unassigned

        7231 packets input, 770618 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        6199 switch ingress policy drops

        420466 packets output, 52963068 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/6 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5bd, MTU not set

        IP address unassigned

        346535 packets input, 425288639 bytes, 0 no buffer

        Received 17359 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        6202 switch ingress policy drops

        630532 packets output, 78303975 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Interface Ethernet0/7 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 0025.84ba.a5be, MTU not set

        IP address unassigned

        5578 packets input, 425978 bytes, 0 no buffer

        Received 2457 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        0 switch ingress policy drops

        420710 packets output, 53253787 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        0 rate limit drops

        0 switch egress policy drops

Below is the running-config:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password x
passwd x encrypted
names
name 192.192.192.6 A-192.192.192.6 description Buffalo Terastation
!
interface Vlan1
nameif inside
security-level 100
ip address 192.192.192.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.x.x.181 255.255.255.240
!
interface Vlan12
nameif Guest1
security-level 50
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service UDP4500 udp
description UDP4500
port-object eq 4500
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq smtp
access-list inside_access_in extended permit tcp host 192.192.192.3 any eq smtp
access-list inside_access_in extended permit tcp host 192.192.192.5 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host 192.192.192.12 any eq smtp
access-list inside_access_in extended permit tcp host A-192.192.192.6 any eq ftp
access-list outside_access_in extended permit tcp any host 64.x.x.179 eq www
access-list outside_access_in extended permit udp any any eq ntp
access-list outside_access_in extended permit tcp any host 64.x.x.179 eq https
access-list outside_access_in extended permit tcp any host 64.x.x.179 object-group RDP
access-list outside_access_in extended permit tcp any host 64.x.x.179 eq 3390 log disable
access-list outside_access_in extended permit tcp any host 64.x.x.178 eq smtp
access-list outside_access_in extended permit tcp any host 64.x.x.180 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit udp any host 64.x.x.185 eq isakmp
access-list outside_access_in extended permit udp any host 64.x.x.185 object-group UDP4500
access-list outside_access_in extended permit esp any host 64.x.x.185
access-list outside_access_in extended permit tcp any host 64.x.x.179 eq ftp
access-list outside_access_in extended permit tcp any host 64.x.x.179 eq ftp-data
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.192.192.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.192.192.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Guest1_access_in extended permit ip any any
pager lines 20
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging host inside 192.192.192.5
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu Guest1 1500
ip local pool VPN_POOL 192.168.10.100-192.168.10.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 64.x.x.185 netmask 255.0.0.0
global (outside) 3 64.x.x.178 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 192.192.192.5 255.255.255.255
nat (inside) 2 192.192.192.12 255.255.255.255
nat (inside) 1 172.20.10.0 255.255.255.0
nat (inside) 1 192.192.192.0 255.255.255.0
nat (Guest1) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp 64.x.x.179 www 192.192.192.5 www netmask 255.255.255.255
static (inside,outside) udp interface ntp 192.192.192.5 ntp netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.179 https 192.192.192.5 https netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.179 3389 192.192.192.5 3389 netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.179 3390 192.192.192.27 3389 netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.178 smtp 192.192.192.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.179 ftp A-192.192.192.6 ftp netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.179 ftp-data A-192.192.192.6 ftp-data netmask 255.255.255.255
static (inside,outside) udp 64.x.x.185 isakmp 192.192.192.12 isakmp netmask 255.255.255.255
static (inside,outside) udp 64.x.x.185 4500 192.192.192.12 4500 netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.180 https 192.192.192.37 https netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.180 www 192.192.192.37 www netmask 255.255.255.255
static (inside,outside) tcp 64.x.x.180 smtp 192.192.192.37 smtp netmask 255.255.255.255
static (inside,Guest1) 64.x.x.179 192.192.192.5 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Guest1_access_in in interface Guest1
route outside 0.0.0.0 0.0.0.0 64.x.x.177 1
route inside 172.20.10.0 255.255.255.0 192.192.192.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.192.192.226
key srdh228
radius-common-pw srdh228
url-server (inside) vendor websense host 192.192.192.23 timeout 10 protocol UDP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.192.192.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set L2TP esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.192.192.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.200 Guest1
dhcpd dns 216.136.95.2 interface Guest1
dhcpd enable Guest1
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.192.192.5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value lan.tuggleduggins.com
username cisco password x encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_POOL
authentication-server-group RADIUS
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
 
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns
  inspect icmp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5ed15c9e53bbb3a6d23e4b2d5d9c17ba
: end
asdm location A-192.192.192.6 255.255.255.255 inside
asdm location 64.x.x.180 255.255.255.255 inside
no asdm history enable

Hello,

OK, let me know when you have time to do the things physically. In the meantime, is there a possibility to add a filter URL except for a host, and then try the test again from the host you excepted?

Mike

Mike

In regards to:
url-server (inside) vendor websense host 192.192.192.23 timeout 10 protocol UDP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
I removed filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
so
no filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
After this was done the speed went from 5Mb down 2Mb up to 19Mb down 6Mb up.
Could anyone explain why this was slowing down WAN connection?
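
Added example (not from the thread or from Cisco): a Python check that scans a saved running-config for the features asked about earlier in the thread (URL filtering, HTTP inspection, QoS) and reports whether a given inside host's HTTP traffic falls under `filter url`, taking `filter url except` entries into account. The `192.192.192.50` exception line, the test addresses and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the two filtering lines from the posted config, a few of
# its inspect lines, and a hypothetical `filter url except` entry for one host.
SAMPLE_CONFIG = """\
url-server (inside) vendor websense host 192.192.192.23 timeout 10 protocol UDP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url except 192.192.192.50 255.255.255.255 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
"""

QOS_KEYWORDS = {"police", "priority", "priority-queue", "shape"}


def _pair(tokens):
    """Turn 'local_ip local_mask foreign_ip foreign_mask' into two networks."""
    local = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    foreign = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
    return local, foreign


def parse_features(config):
    """Collect the performance-relevant features asked about in the thread."""
    feats = {"url_servers": [], "filter_url": [], "filter_except": [],
             "http_inspection": False, "qos": [], "unparsed": []}
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "url-server":
            feats["url_servers"].append(line)
        elif tok[:2] == ["filter", "url"]:
            try:
                if tok[2] == "except":
                    feats["filter_except"].append(_pair(tok[3:7]))
                else:  # tok[2] is 'http' or a port / port range
                    feats["filter_url"].append(_pair(tok[3:7]))
            except (IndexError, ValueError):
                feats["unparsed"].append(line)  # e.g. a `name` alias instead of an IP
        elif tok[:2] == ["inspect", "http"]:
            feats["http_inspection"] = True
        elif tok[0] in QOS_KEYWORDS:
            feats["qos"].append(line)
    return feats


def http_is_filtered(feats, src, dst):
    """True if HTTP from src to dst matches a filter rule and no exception."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def hit(pairs):
        return any(s in local and d in foreign for local, foreign in pairs)

    return hit(feats["filter_url"]) and not hit(feats["filter_except"])


if __name__ == "__main__":
    feats = parse_features(SAMPLE_CONFIG)
    print("url-server lines:", feats["url_servers"])
    print("HTTP inspection:", feats["http_inspection"], "| QoS lines:", feats["qos"])
    # 203.0.113.10 is a documentation-range address standing in for a web server.
    for host in ("192.192.192.20", "192.192.192.50"):
        print(host, "filtered:", http_is_filtered(feats, host, "203.0.113.10"))
```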
