03-13-2013 12:35 PM - edited 03-11-2019 06:13 PM
Hi guys,
I have an ASA 5505 connecting to a VDSL modem. The ASA is doing the PPPoE encapsulation. I've noticed the traffic amount on the outside interface is always twice the bandwidth it receives on its inside interface. I can't believe the PPP encapsulation is taking that much. Only two interfaces (inside and outside).
MTU on the outside is the same as the inside.
Any thoughts ?
Cheers,
03-13-2013 03:19 PM
Of how much bandwidth are we talking about?
Is the ASA dropping packets? Many packets?
03-13-2013 03:40 PM
Hi Julien,
This is not normal and you need to check if you have a "permit ip any any" rule or anything that is allowing inbound traffic.
Could you please share the configuration of your ASA?
Regards,
Juan Lombana
03-13-2013 06:23 PM
Well, it does it regardless of the amount of traffic going through the appliance (from a few kbps to 10-20 Mbps). I initially noticed it while using a P2P application. There are always a lot of UDP denied packets, but it's difficult to say how many. I would be surprised if that's the only reason. Secondly, I've since tried with a normal HTTP transfer of a large file. It does the same, no packet deny. So for example, traffic on inside is 10656 Kbps, traffic on outside is 21223 Kbps. Xlate shows 22 connections, Conn shows 29. Firewall is running 8.2.5.
Outside access list is the implicit deny all.
Nothing too exciting in the config. I use the ASA for home broadband and testing/training.
ASA Version 8.2(5)
!
hostname Fortknox2
domain-name ****.****.org
enable password ****** encrypted
passwd ******* encrypted
names
name 192.168.0.250 Kurp
name 192.168.0.30 Laptop-192.168.0.30
name 192.168.0.253 AAA-Authentication-proxy
name 192.168.0.26 Hilda_0022.fb55.8de0
name 192.168.0.16 Chris_b482.fe5d.ef62
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
description Inside
!
interface Ethernet0/2
description Outside
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoe-dsl-grp
ip address pppoe setroute
!
regex mail-uri "^\/mail\/"
regex mail "mail\.google\.com"
regex morePorn "porn\.[a-zA-Z]*\.com"
regex facebook "^[w]{3}\.faceb[o]{1,}k\.com"
regex porn "porn\.com"
!
time-range in-hours
periodic weekdays 17:00 to 23:59
periodic weekdays 0:00 to 1:00
periodic weekend 0:00 to 23:59
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name ****.****.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Global-inside
description Global Dynamic Hide NAT inside to outside
object-group network Kurp-PC
object-group network Inside_Net-192.168.0.0
object-group service Bittorent udp
port-object range 1024 65535
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8880
port-object eq 9443
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp host Laptop-192.168.0.30 host AAA-Authentication-proxy object-group DM_INLINE_TCP_2 inactive
access-list inside_access_in extended deny tcp host Laptop-192.168.0.30 any object-group DM_INLINE_TCP_1 inactive
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in remark Auto all
access-list inside_access_in extended permit ip any any
access-list AAA-network-auth extended permit tcp host Kurp any object-group DM_INLINE_TCP_4 inactive
access-list AAA-network-auth extended permit tcp host Laptop-192.168.0.30 any object-group DM_INLINE_TCP_3 inactive
access-list AAA-network-auth extended deny ip any any inactive
pager lines 24
logging enable
logging list No_Logging message 305011
logging list No_Logging message 302014-302016
logging list No_Logging message 302013
logging list No_Logging message 106014
logging asdm-buffer-size 256
logging asdm notifications
logging mail critical
logging message 106014 level informational
mtu inside 1492
mtu outside 1492
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 10 burst-size 3
icmp permit any inside
icmp permit host ***.***.52.1 outside
icmp deny any outside
asdm image disk0:/asdm-649-103.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
access-group inside_access_in in interface inside
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:10:00 absolute uauth 0:03:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
mac-list aaa_mac_exempt permit 90e6.ba15.5718 ffff.ffff.ffff
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication match AAA-network-auth inside LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa proxy-limit 64
aaa mac-exempt match aaa_mac_exempt
aaa authentication secure-http-client
aaa local authentication attempts max-fail 16
aaa authentication listener http inside port 8888 redirect
aaa authentication listener https inside port 9443 redirect
http server enable
http 192.168.0.0 255.255.255.0 inside
http **.***.52.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual http AAA-Authentication-proxy
virtual telnet AAA-Authentication-proxy
auth-prompt prompt !!! Authorized personel only !!!!
auth-prompt accept Ahh Freeman !
auth-prompt reject Degage connard !!!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint KURP-CA-Trustpoint
enrollment url http://192.168.0.252:80/CertSrv/mscep/certnew
crl configure
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh **.***.52.1 255.255.255.255 outside
ssh timeout 60
console timeout 10
vpdn group pppoe-dsl-grp request dialout pppoe
vpdn group pppoe-dsl-grp localname ***@***.com
vpdn group pppoe-dsl-grp ppp authentication chap
vpdn username ***@***.com password *****
dhcpd ping_timeout 100
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd dns 213.120.234.66 213.120.234.74 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 100 interface inside
dhcpd enable inside
!
priority-queue outside
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 25 burst-rate 50
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter enable
dynamic-filter drop blacklist
dynamic-filter whitelist
name stream2watch.me
address 88.80.13.254 255.255.255.255
name i.sportlemon.tv
name www.sportlemon.tv
name sportlemon.tv
ntp server 64.90.182.55 source outside prefer
ntp server 64.113.32.5 source outside
ntp server 131.107.13.100 source outside prefer
ssl server-version tlsv1-only
webvpn
port 9443
enable inside
enable outside
anyconnect-essentials
tunnel-group-list enable
username *** password *** encrypted privilege 0
username kurp password *** encrypted privilege 15
tunnel-group DefaultRAGroup webvpn-attributes
group-alias DefaultRA enable
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWebVPN enable
!
class-map type regex match-any productivity-sites
match regex facebook
class-map type regex match-any porn-sites
match regex porn
match regex morePorn
class-map type inspect http match-all HTTP-URI-inspect
match request args regex mail
match not request uri regex mail-uri
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map type inspect http match-any HTTP-URL-inspect
match request args regex class porn-sites
match request args regex class productivity-sites
class-map AIC-inspect-ALL
match default-inspection-traffic
!
!
policy-map type inspect im IM-logging
parameters
match protocol msn-im yahoo-im
log
policy-map type inspect http Http-inspect-medium
parameters
protocol-violation action drop-connection log
class asdm_medium_security_methods
drop-connection
policy-map type inspect http HTTP-inspect-pmap
parameters
class HTTP-URL-inspect
drop-connection log
class HTTP-URI-inspect
drop-connection
policy-map global-policy
class AIC-inspect-ALL
inspect dns dynamic-filter-snoop
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http Http-inspect-medium
inspect icmp
inspect icmp error
inspect mgcp
inspect pptp
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect tftp
inspect ipsec-pass-thru
!
service-policy global-policy global
smtp-server 173.194.67.108 173.194.64.109
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b0f643d0118f17086762dfe1864268f1
03-13-2013 07:21 PM
There are some things that are happening on the outside but not on the inside.
NTP
Smart CallHome
There are also things that happen in both but probably not in the same way all the time.
SSH
ASDM
My point is that you might be seeing a normal behavior of the ASA.
This is what I would do to confirm it:
Clear all the connections, including the ones that go to the ASA. Use the "clear local all" command for that.
If possible, I would connect to the device using a console cable so I won't generate traffic on the inside.
I would monitor the interface utilization on the outside; the inside counters should increment a little bit in case there is still some traffic. This without traffic flowing across.
Then capture all the traffic on my outside interface for a short period of time.
After that, I would run a simple ICMP test to the internet [4.2.2.2] and check the interface stats again.
Finally, I would packet capture all the ICMP traffic going to the internet [4.2.2.2] on both interfaces in order to compare the amount of traffic captured on both sides.
This should tell you if what you are seeing might be considered normal or not; also, it will show you if there is a problem of any sort.
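As an added example (not part of the thread, and not Cisco's code), here is the arithmetic behind the counter check described in the post above. It takes two snapshots of `show interface` per interface, diffs the packet and byte counters, and compares the outside/inside byte ratio in each direction against the most that PPPoE framing can add: 8 bytes per frame (6-byte PPPoE header plus 2-byte PPP protocol field, which is also why the MTU in the posted config is 1492). The counter lines are constructed sample data, not output from the poster's device, and the regex assumes the ASA's "N packets input, M bytes" counter format.

```python
import re
from dataclasses import dataclass

# PPPoE adds a 6-byte PPPoE header and a 2-byte PPP protocol field per frame.
PPPOE_OVERHEAD = 8

# Assumes ASA "show interface" counter lines of the form
# "<n> packets input, <m> bytes, ..." and "<n> packets output, <m> bytes, ..."
COUNTER_RE = re.compile(r"(\d+) packets (input|output), (\d+) bytes")


@dataclass
class Counters:
    pkts_in: int
    bytes_in: int
    pkts_out: int
    bytes_out: int


def parse_show_interface(text: str) -> Counters:
    """Extract input/output packet and byte counters from one interface block."""
    found = {}
    for pkts, direction, nbytes in COUNTER_RE.findall(text):
        found[direction] = (int(pkts), int(nbytes))
    if set(found) != {"input", "output"}:
        raise ValueError("need both input and output counter lines")
    return Counters(*found["input"], *found["output"])


def delta(t0: Counters, t1: Counters) -> Counters:
    """Counter growth between two snapshots."""
    return Counters(t1.pkts_in - t0.pkts_in, t1.bytes_in - t0.bytes_in,
                    t1.pkts_out - t0.pkts_out, t1.bytes_out - t0.bytes_out)


def compare_direction(inner_pkts: int, inner_bytes: int, outer_bytes: int):
    """Observed outside/inside byte ratio vs. the ceiling PPPoE framing explains.

    The ceiling uses the average inside packet size: the smaller the packets,
    the larger the relative share of the fixed 8-byte header.
    """
    if inner_pkts == 0 or inner_bytes == 0:
        raise ValueError("no traffic in this direction during the interval")
    avg_pkt = inner_bytes / inner_pkts
    max_from_encap = (avg_pkt + PPPOE_OVERHEAD) / avg_pkt
    observed = outer_bytes / inner_bytes
    return observed, max_from_encap


def analyse(inside_t0, inside_t1, outside_t0, outside_t1, tolerance=0.05):
    """Per direction: (observed ratio, encapsulation ceiling, flagged?)."""
    d_in = delta(inside_t0, inside_t1)
    d_out = delta(outside_t0, outside_t1)
    results = {}
    # Download: enters on outside input, leaves on inside output.
    obs, ceil = compare_direction(d_in.pkts_out, d_in.bytes_out, d_out.bytes_in)
    results["download"] = (obs, ceil, obs > ceil * (1 + tolerance))
    # Upload: enters on inside input, leaves on outside output.
    obs, ceil = compare_direction(d_in.pkts_in, d_in.bytes_in, d_out.bytes_out)
    results["upload"] = (obs, ceil, obs > ceil * (1 + tolerance))
    return results


# Constructed sample snapshots (numbers invented for this example).
INSIDE_T0 = """Interface Vlan1 "inside", is up, line protocol is up
        1000 packets input, 100000 bytes, 0 no buffer
        1000 packets output, 1400000 bytes, 0 underruns"""
INSIDE_T1 = """Interface Vlan1 "inside", is up, line protocol is up
        2000 packets input, 200000 bytes, 0 no buffer
        11000 packets output, 15400000 bytes, 0 underruns"""
OUTSIDE_T0 = """Interface Vlan2 "outside", is up, line protocol is up
        1000 packets input, 1408000 bytes, 0 no buffer
        1000 packets output, 108000 bytes, 0 underruns"""
OUTSIDE_T1 = """Interface Vlan2 "outside", is up, line protocol is up
        11000 packets input, 29408000 bytes, 0 no buffer
        2000 packets output, 216000 bytes, 0 underruns"""


def run_example():
    return analyse(parse_show_interface(INSIDE_T0), parse_show_interface(INSIDE_T1),
                   parse_show_interface(OUTSIDE_T0), parse_show_interface(OUTSIDE_T1))


if __name__ == "__main__":
    for direction, (obs, ceil, flagged) in run_example().items():
        verdict = "EXCESS not explained by PPPoE" if flagged else "within PPPoE overhead"
        print(f"{direction}: observed x{obs:.3f}, encapsulation ceiling x{ceil:.3f} -> {verdict}")
```

In the constructed data the upload direction grows by exactly the 8 bytes per 100-byte packet that PPPoE accounts for and is not flagged, while the download direction shows the 2x inflation the thread describes, which no framing overhead on 1400-byte packets can explain; that is the case where the packet captures the post recommends are the next step.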
11-28-2014 01:36 AM
I've got the same thing going on. Were you ever able to solve this?
ASA Version: 9.2(2)4
ASDM Version: 7.3(1)101
07-31-2017 03:26 AM
We have the same issue on our ASA 5506-X (and previously also on our ASA 5505):
Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)
It does not seem to indicate a problem, but rather some small bug.
12-27-2017 01:36 AM
I've noticed the same problem.
Any solutions?