georgeeye
Beginner

ASA 5505 Slow download speed

Hello, as the title states, I have an ASA 5505 at one facility that is only getting around 16mb down on a 100mb circuit. No errors on either interface, and we've tried manually setting port speed and duplex, and auto (both sides show it negotiating at 100 / full).


Here is the sanitized config:


: Saved
: Written by mlsysadmin at 05:43:12.139 CST Fri Mar 6 2015
!
ASA Version 8.2(5) 
!
hostname fw01
domain-name domain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name x.x.x.x WindStream-External-3100
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.5.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address WindStream-External-3100 255.255.255.248 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name materialogic.com
same-security-traffic permit intra-interface
object-group network obj-SrcNet
object-group network obj-amzn
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any any 
access-list inside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0 
access-list outside_access_in extended permit ip x.x.x.x 255.255.255.248 172.16.5.0 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list outside_access_in extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0 
access-list outside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0 
access-list outside_access_in extended permit tcp interface outside 172.16.5.0 255.255.255.0 
access-list acl-amzn extended permit ip any 10.10.0.0 255.255.0.0 
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0 
access-list acl-amzn extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list acl-amzn extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list acl-amzn extended permit ip 172.16.2.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.0 
access-list amzn-filter extended permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0 
access-list amzn-filter extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0 
access-list amzn-filter extended permit ip any any 
access-list <outside_access_in> extended permit ip host 54.240.217.164 host WindStream-External-3100 
access-list <outside_access_in> extended permit ip host 72.21.209.193 host WindStream-External-3100 
access-list inside_mpc extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list NORAND extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list outside_cryptomap extended permit ip any 10.10.0.0 255.255.0.0 
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit tcp 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.139.91.233 1
route inside 172.16.2.0 255.255.255.0 172.16.5.1 1
route inside 172.16.3.0 255.255.255.0 172.16.5.1 1
route inside 172.16.4.0 255.255.255.0 172.16.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http server idle-timeout 1440
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.0.0 inside
http 216.43.24.82 255.255.255.255 outside
http 64.199.141.26 255.255.255.255 outside
snmp-server host inside 10.10.10.20 community mlogic
snmp-server location 3100 Communications room
no snmp-server contact
snmp-server community mlogic
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 1387
sla monitor 1
 type echo protocol ipIcmpEcho 10.10.0.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs 
crypto map amzn_vpn_map 1 set peer 54.240.217.164 72.21.209.193 
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs 
crypto map <amzn_vpn_map> 1 set peer 54.240.217.164 72.21.209.193 
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
crypto map <amzn_vpn_map> interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.171.120.36 source outside
webvpn
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
username mlsysadmin password E9OpTNVP3nVbSPSb encrypted privilege 15
username mlsysadmin attributes
 vpn-group-policy DfltGrpPolicy
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 password-storage disable
 group-lock none
tunnel-group 54.240.217.164 type ipsec-l2l
tunnel-group 54.240.217.164 general-attributes
 default-group-policy filter
tunnel-group 54.240.217.164 ipsec-attributes
 pre-shared-key IySxccNmUch6G3dVSgEwBjjGX7bOAcO3
 isakmp keepalive threshold 10 retry 3
tunnel-group 72.21.209.193 type ipsec-l2l
tunnel-group 72.21.209.193 general-attributes
 default-group-policy filter
tunnel-group 72.21.209.193 ipsec-attributes
 pre-shared-key vy.pOkCV01pEtmxe.QNk96xK6Uo_2tD.
 isakmp keepalive threshold 10 retry 3
!
class-map NORAND
 match access-list inside_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map NORAND
 class NORAND
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map TRAFFIC_SHAPING
 class class-default
  shape average 100000000
!
service-policy global_policy global
service-policy NORAND interface inside
service-policy TRAFFIC_SHAPING interface outside
smtp-server 206.225.164.242
prompt hostname context 
no call-home reporting anonymous
: end

Here are the show interface command outputs:

fw01# show interface ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address fc5b.397f.dbd5, MTU not set
        IP address unassigned
        23888810 packets input, 6278082364 bytes, 0 no buffer
        Received 7728 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        35886 switch ingress policy drops
        42947220 packets output, 57958727970 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops


fw01# show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address fc5b.397f.dbd6, MTU not set
        IP address unassigned
        59448427 packets input, 58925402473 bytes, 0 no buffer
        Received 547758 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        58718 switch ingress policy drops
        37419921 packets output, 8188660665 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops


When we connect a laptop to the router directly, we are able to get the expected speeds. When we connect through the ASA, download speed is topping out around 16mb, while upload is a consistent 75mb+.
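As an added check that is not part of the original post, the following parser reads the two show interface captures above, pulls the negotiated speed/duplex, the error counters and the "switch ingress policy drops" counter, and reports whether anything points at the link itself. The sample is the posted output trimmed to the lines the parser uses; the 0.5% drop threshold is an assumption, not a Cisco figure.

```python
import re

# Constructed sample: the two "show interface" captures from the post, cut down to the
# lines this parser reads. Counter values are the posted ones.
SAMPLE = """Interface Ethernet0/0 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        23888810 packets input, 6278082364 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        35886 switch ingress policy drops
        0 output errors, 0 collisions, 0 interface resets
Interface Ethernet0/1 "", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        59448427 packets input, 58925402473 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        58718 switch ingress policy drops
        0 output errors, 0 collisions, 0 interface resets
"""

# One regex per counter we keep; each captures a single integer.
FIELDS = {
    "packets_in": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "ingress_policy_drops": r"(\d+) switch ingress policy drops",
    "output_errors": r"(\d+) output errors",
}

def parse_show_interface(text):
    """Split on the 'Interface <name>' header and collect counters per interface."""
    stats = {}
    for block in re.split(r"(?m)^Interface ", text)[1:]:
        entry = {"duplex": re.search(r"\((\w+-duplex)\)", block).group(1),
                 "speed": re.search(r"Speed\(([^)]+)\)", block).group(1)}
        for key, pattern in FIELDS.items():
            m = re.search(pattern, block)
            entry[key] = int(m.group(1)) if m else 0
        stats[block.split()[0]] = entry
    return stats

def drop_pct(entry):
    """Internal-switch ingress policy drops as a percentage of input packets."""
    return 100.0 * entry["ingress_policy_drops"] / max(entry["packets_in"], 1)

def assess(entry, drop_threshold_pct=0.5):
    """Findings that would implicate the link itself; an empty list means look elsewhere."""
    findings = []
    if (entry["duplex"], entry["speed"]) != ("Full-duplex", "100 Mbps"):
        findings.append(f"negotiated {entry['speed']} {entry['duplex']}")
    if entry["input_errors"] or entry["output_errors"]:
        findings.append("physical-layer errors present")
    if drop_pct(entry) > drop_threshold_pct:  # assumed threshold, not a vendor value
        findings.append(f"ingress policy drops {drop_pct(entry):.2f}% of input")
    return findings
```

With the posted counters both ports come back clean (drops are about 0.15% and 0.10% of input), which is consistent with the thread's eventual finding that the bottleneck was upstream of the ASA.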

4 REPLIES
Jon Are Endrerud
Beginner

Have you tried running without the "service-policy TRAFFIC_SHAPING interface outside" ? Just to check.

Please rate as helpful, if that would be the case. Thanks

Yes, we get the same performance with or without it.

Hey,

I have a similar issue. What was your fix?

I have been going round and round on debugs and I can't seem to work out the issue.

Cheers,

Satnam

It ended up being an issue with the ISP router; once it was replaced, we were able to use the full bandwidth on the circuit.