03-10-2015 05:46 AM - edited 03-11-2019 10:37 PM
Hello, as the title states, I have an ASA 5505 at one facility that is only getting around 16 Mbps down on a 100 Mbps circuit. No errors on either interface, and we've tried manually setting port speed and duplex, and auto (both sides show it negotiating at 100/full).
Here is the sanitized config:
: Saved
: Written by mlsysadmin at 05:43:12.139 CST Fri Mar 6 2015
!
ASA Version 8.2(5)
!
hostname fw01
domain-name domain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name x.x.x.x WindStream-External-3100
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address WindStream-External-3100 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name materialogic.com
same-security-traffic permit intra-interface
object-group network obj-SrcNet
object-group network obj-amzn
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list outside_access_in extended permit ip x.x.x.x 255.255.255.248 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list outside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list outside_access_in extended permit tcp interface outside 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip any 10.10.0.0 255.255.0.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.2.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list amzn-filter extended permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list amzn-filter extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list amzn-filter extended permit ip any any
access-list <outside_access_in> extended permit ip host 54.240.217.164 host WindStream-External-3100
access-list <outside_access_in> extended permit ip host 72.21.209.193 host WindStream-External-3100
access-list inside_mpc extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list NORAND extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip any 10.10.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.139.91.233 1
route inside 172.16.2.0 255.255.255.0 172.16.5.1 1
route inside 172.16.3.0 255.255.255.0 172.16.5.1 1
route inside 172.16.4.0 255.255.255.0 172.16.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 1440
http 192.168.1.0 255.255.255.0 inside
http 172.16.0.0 255.255.0.0 inside
http 216.43.24.82 255.255.255.255 outside
http 64.199.141.26 255.255.255.255 outside
snmp-server host inside 10.10.10.20 community mlogic
snmp-server location 3100 Communications room
no snmp-server contact
snmp-server community mlogic
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 1387
sla monitor 1
type echo protocol ipIcmpEcho 10.10.0.1 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 54.240.217.164 72.21.209.193
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs
crypto map <amzn_vpn_map> 1 set peer 54.240.217.164 72.21.209.193
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
crypto map <amzn_vpn_map> interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.171.120.36 source outside
webvpn
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
username mlsysadmin password E9OpTNVP3nVbSPSb encrypted privilege 15
username mlsysadmin attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc
password-storage disable
group-lock none
tunnel-group 54.240.217.164 type ipsec-l2l
tunnel-group 54.240.217.164 general-attributes
default-group-policy filter
tunnel-group 54.240.217.164 ipsec-attributes
pre-shared-key IySxccNmUch6G3dVSgEwBjjGX7bOAcO3
isakmp keepalive threshold 10 retry 3
tunnel-group 72.21.209.193 type ipsec-l2l
tunnel-group 72.21.209.193 general-attributes
default-group-policy filter
tunnel-group 72.21.209.193 ipsec-attributes
pre-shared-key vy.pOkCV01pEtmxe.QNk96xK6Uo_2tD.
isakmp keepalive threshold 10 retry 3
!
class-map NORAND
match access-list inside_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map NORAND
class NORAND
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
policy-map TRAFFIC_SHAPING
class class-default
shape average 100000000
!
service-policy global_policy global
service-policy NORAND interface inside
service-policy TRAFFIC_SHAPING interface outside
smtp-server 206.225.164.242
prompt hostname context
no call-home reporting anonymous
: end
Here are the show interface command outputs:
fw01# show interface ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address fc5b.397f.dbd5, MTU not set
IP address unassigned
23888810 packets input, 6278082364 bytes, 0 no buffer
Received 7728 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
35886 switch ingress policy drops
42947220 packets output, 57958727970 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
fw01# show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address fc5b.397f.dbd6, MTU not set
IP address unassigned
59448427 packets input, 58925402473 bytes, 0 no buffer
Received 547758 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
58718 switch ingress policy drops
37419921 packets output, 8188660665 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
When we connect a laptop to the router directly, we are able to get the expected speeds. When we connect through the ASA, download speed is topping out around 16 Mbps, while upload is a consistent 75 Mbps+.
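A parser for the two show interface blocks in the post, added here as an example (it is not from the thread or from Cisco). It pulls every counter into a dict, reports the drop and error counters that are non-zero, and computes the average frame size in each direction, a useful side check when throughput is asymmetric (it shows whether the slow direction is carrying small frames or full-size ones). The sample text is the output posted above; the list of counters treated as drop or error fields is this example's own assumption.

```python
"""Parse Cisco ASA 'show interface' output and report the counters that matter
for a throughput complaint.  Added example; SAMPLE_SHOW_INTERFACE is copied from
the output posted in the thread, everything else is this example's assumption."""
import re

INTERFACE_RE = re.compile(r"^Interface (\S+)", re.MULTILINE)
# "<number> <label>" pairs, each terminated by a comma or end of line.
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z0-9 ]*?)(?=,|\s*$)")

# Counters that stay at zero on a clean link; any non-zero value is reported.
DROP_FIELDS = (
    "no buffer", "runts", "giants", "input errors", "CRC", "frame", "overrun",
    "ignored", "abort", "L2 decode drops", "switch ingress policy drops",
    "underruns", "output errors", "collisions", "interface resets",
    "late collisions", "deferred", "rate limit drops",
    "switch egress policy drops", "input reset drops", "output reset drops",
)


def parse_show_interface(text):
    """Return {interface name: {counter label: int}} for every block in text."""
    result = {}
    starts = list(INTERFACE_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        counters, in_counters, prev = {}, False, None
        for line in text[m.start():end].splitlines():
            line = line.strip()
            if line.startswith("IP address"):      # counters follow this line
                in_counters = True
                continue
            if not in_counters:
                continue
            for count, label in COUNTER_RE.findall(line):
                # "bytes" follows "packets input"/"packets output"; qualify it so both survive.
                if label == "bytes" and prev in ("packets input", "packets output"):
                    label = "bytes " + prev.split()[1]
                counters[label] = int(count)
                prev = label
        result[m.group(1)] = counters
    return result


def nonzero_drops(counters):
    """Drop/error counters that are not zero, i.e. the ones worth explaining."""
    return {k: v for k, v in counters.items() if k in DROP_FIELDS and v}


def avg_packet_bytes(counters, direction):
    """Average frame size for 'input' or 'output'; 0.0 if no packets were seen."""
    pkts = counters.get(f"packets {direction}", 0)
    return counters.get(f"bytes {direction}", 0) / pkts if pkts else 0.0


SAMPLE_SHOW_INTERFACE = """\
fw01# show interface ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  MAC address fc5b.397f.dbd5, MTU not set
  IP address unassigned
  23888810 packets input, 6278082364 bytes, 0 no buffer
  Received 7728 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  0 L2 decode drops
  35886 switch ingress policy drops
  42947220 packets output, 57958727970 bytes, 0 underruns
  0 pause output, 0 resume output
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
  0 rate limit drops
  0 switch egress policy drops
  0 input reset drops, 0 output reset drops
fw01# show interface ethernet 0/1
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  MAC address fc5b.397f.dbd6, MTU not set
  IP address unassigned
  59448427 packets input, 58925402473 bytes, 0 no buffer
  Received 547758 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  0 L2 decode drops
  58718 switch ingress policy drops
  37419921 packets output, 8188660665 bytes, 0 underruns
  0 pause output, 0 resume output
  0 output errors, 0 collisions, 0 interface resets
  0 late collisions, 0 deferred
  0 rate limit drops
  0 switch egress policy drops
  0 input reset drops, 0 output reset drops
"""

if __name__ == "__main__":
    for name, counters in parse_show_interface(SAMPLE_SHOW_INTERFACE).items():
        print(name, "non-zero drops:", nonzero_drops(counters))
        for direction in ("input", "output"):
            print(f"  avg {direction} frame: {avg_packet_bytes(counters, direction):.0f} bytes")
```

Run it against a fresh capture after clearing the counters (`clear interface`) and a timed test, so the drop counters you read correspond to the traffic you just sent rather than to the uptime of the box.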
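The config above is described as sanitized, but the tunnel pre-shared keys, the SNMP community string and the local user's password hash are still in it, and ASDM/SSH are open from outside addresses. Below is an added Python example (not from the thread or from Cisco) that redacts those statements and any globally routable IPv4 address before a config is shared, and lists the statements a reviewer would want to look at first. The sample lines are constructed from the posted config with placeholder secrets; the regexes and the audit labels are this example's own assumptions about ASA 8.2 syntax.

```python
"""Redact credentials from a Cisco ASA configuration before posting it, and
flag statements a reviewer should look at.  Added example; SAMPLE_CONFIG is
constructed from the posted config with placeholder secret values."""
import ipaddress
import re

REDACTED = "<REDACTED>"

# Statements that carry a secret: group 1 is the keyword prefix, group 2 the value to drop.
SECRET_PATTERNS = [
    re.compile(r"^(\s*pre-shared-key\s+)(\S+)"),
    re.compile(r"^(\s*(?:enable password|passwd)\s+)(\S+)"),
    re.compile(r"^(\s*username\s+\S+\s+password\s+)(\S+)"),
    re.compile(r"^(\s*snmp-server\s+(?:host\s+\S+\s+\S+\s+)?community\s+)(\S+)"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Statements worth a second look, with what each one means on an ASA.
AUDIT_PATTERNS = [
    (re.compile(r"^\s*access-list\s+\S+\s+extended\s+permit\s+(?:ip|tcp|udp)\s+any\s+any\b"),
     "ACL permits any source to any destination"),
    (re.compile(r"^\s*(?:http|ssh)\s+\S+\s+\S+\s+outside\b"),
     "management (ASDM/SSH) reachable from the outside interface"),
    (re.compile(r"^\s*snmp-server\s+(?:host\s+\S+\s+\S+\s+)?community\b"),
     "SNMP v1/v2c community string, sent in cleartext on the wire"),
    (re.compile(r"^\s*set connection advanced-options tcp-state-bypass\b"),
     "TCP state bypass turns off stateful TCP checking for the matched class"),
    (re.compile(r"^\s*set connection random-sequence-number disable\b"),
     "TCP initial sequence number randomization disabled for the matched class"),
]


def _redact_ip(match):
    """Replace globally routable IPv4 addresses with x.x.x.x; keep RFC 1918, masks and 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)
    return "x.x.x.x" if addr.is_global else match.group(0)


def redact_line(line):
    """Strip the secret from a credential statement, then public IPs from any line."""
    for pat in SECRET_PATTERNS:
        if pat.match(line):
            line = pat.sub(lambda m: m.group(1) + REDACTED, line, count=1)
            break
    return IPV4_RE.sub(_redact_ip, line)


def audit_line(line):
    """Reason this line deserves review, or None."""
    for pat, reason in AUDIT_PATTERNS:
        if pat.match(line):
            return reason
    return None


def sanitize(config_text):
    """Return (redacted config text, [(line number, reason, redacted line), ...])."""
    out, findings = [], []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        cleaned = redact_line(raw)
        out.append(cleaned)
        reason = audit_line(raw)
        if reason:
            findings.append((lineno, reason, cleaned))
    return "\n".join(out) + "\n", findings


# Constructed sample: statement shapes from the posted config, secrets replaced.
SAMPLE_CONFIG = """\
enable password EXAMPLEHASH encrypted
access-list inside_access_in extended permit ip any any
http 216.43.24.82 255.255.255.255 outside
snmp-server host inside 10.10.10.20 community example-community
snmp-server community example-community
route outside 0.0.0.0 0.0.0.0 40.139.91.233 1
username admin password EXAMPLEHASH encrypted privilege 15
tunnel-group 54.240.217.164 type ipsec-l2l
 pre-shared-key EXAMPLE-PSK-DO-NOT-USE
policy-map NORAND
 class NORAND
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
"""

if __name__ == "__main__":
    text, findings = sanitize(SAMPLE_CONFIG)
    print(text)
    for lineno, reason, line in findings:
        print(f"line {lineno}: {reason}: {line.strip()}")
```

Redaction is pattern-based, so extend SECRET_PATTERNS for anything else your config carries (for example `aaa-server` keys or `crypto ca` material) and diff the output against the original before posting. Once a pre-shared key has been posted, treat it as compromised and rotate it on both peers.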
03-11-2015 12:57 AM
Have you tried running without the "service-policy TRAFFIC_SHAPING interface outside" ? Just to check.
03-11-2015 05:42 AM
Yes, we get the same performance with or without it.
08-06-2015 02:26 AM
Hey,
I have a similar issue. What was your fix?
I have been going round and round on debugs and I can't seem to work out the issue.
Cheers,
Satnam
08-06-2015 09:54 AM
It ended up being an issue with the ISP router, once it was replaced we were able to use the full bandwidth on the circuit.