cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8023
Views
0
Helpful
10
Replies

ASA 5505 Slow internet

JaydGonz480
Level 1
Level 1

Hi,

This is my setup:

Comcast 100/10

ASA 5505

190 Wirelss Devices

40 Wire computers

I am expiriencing websites timeouts and very slow to browse the internet. I notice it always gets slow when the number of xlates and connection goes above 1100.

What i have done is to limit the upload speed to 256 kbps to the wireless devices to isolate the problem of using to much upload bandwith, but still the problem continues. I even limit the download speed to 2mbp per host and nothing. So i think is not bandwith related. Comcast technician have already checked their modem and it seem good. Speed test show 100mb down 10 up.

Previously i was running a pfsense as my firewall and the same issue happen, everytime the states connection went above 3000 the internet was imposible to use. I found out the there were host the were creating to many connection, some cases they reach 400,300,200 etc. I was reading and they say the is better to limit the number of connection states per host to avoide congestion. I have replace the pfsense for an ASA 5505 Security Plus and limit the number of connection per host to 150 to see if that solve the problem, but is not.

Here is my config

show runn

: Saved

:

ASA Version 9.1(3)

!

hostname STMACS-ASA

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd XXXXXXXXXXXXX encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.10.8 255.255.255.0

!

interface Vlan2

nameif COMCAST

security-level 0

ip address x.x.x.x 255.255.255.252

!

boot system disk0:/asa913-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Net-10.1.10.0

subnet 10.1.10.0 255.255.255.0

object network Net-172.16.0.0

subnet 172.16.0.0 255.255.0.0

object network Host-172.16.20.10-RDP

host 172.16.20.10

description SERVER

object service RDP

service tcp destination eq 3389

access-list COMCAST_access_in extended permit object RDP any object Host-172.16.20.10-RDP

pager lines 24

logging asdm informational

mtu inside 1500

mtu COMCAST 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network Net-10.1.10.0

nat (inside,COMCAST) dynamic interface

object network Net-172.16.0.0

nat (inside,COMCAST) dynamic interface

object network Host-172.16.20.10-RDP

nat (inside,COMCAST) static interface service tcp 3389 3389

access-group COMCAST_access_in in interface COMCAST

route COMCAST 0.0.0.0 0.0.0.0 X.X.X.X 1

route inside 172.16.0.0 255.255.0.0 10.1.10.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 10.1.10.0 255.255.255.0 inside

http 172.16.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

  quit

telnet timeout 5

ssh 10.1.10.0 255.255.255.0 inside

ssh 172.16.0.0 255.255.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config COMCAST

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username XXXX password XXXXXXXXXX encrypted privilege 15

!

class-map CONNS

match any

!

!

policy-map CONNS

class CONNS

  set connection embryonic-conn-max 1000 per-client-max 150 per-client-embryonic-max 100

!

service-policy CONNS global

prompt hostname context

call-home reporting anonymous

: end

ASASTAT.png

Show conn count

769 in use, 1883 most used

Show xlate count

976 in use, 2506 most used

Any help or tip will be appriciated. Thanks

1 Accepted Solution

Accepted Solutions

Hello,

The bottom line, threat-detection or netflow collector indicate the same, since you want to maintain the flows through the ASA the questions would be, do you need a bigger pipe from your ISP or are you just not going to allow the traffic through or have a third part device manage flows through the ASA.

Either way the ASA by itself won't resolve your issue.

As indicated in a past post:

The ASA cannot do a per flow limit, I suggest always to do this on a Cisco device that has more intelligence in that matter and also web filtering with third party product that can work in conjunction with the ASA (Websense,N2H2, bla, bla, bla) to allow or permit website in your work area.

Please mark the ticket as answered.

Value our effort and rate the assistance!

View solution in original post

10 Replies 10

jumora
Level 7
Level 7

Hello,

Although speedtest.net is not the best way to review speed throughput on the ASA can you tell me how much you are getting on that webpage and what is the speed that your ISP gave you.

Also, please remove the service-policy that you currently have setup.

Over ASDM view you should be able to see top talkers on your network and top protocols, you can even check it via bytes as to current connections through the device.

It would be best to have a show tech instead of a show config to review interface stats.

Sometimes just going into baby step mode is the best way, just connect one PC to the ASA 5505 and check if throughput is that bad and then start adding up by connecting the rest of the network, but this is only if this is a possibility.

Value our effort and rate the assistance!

My ISP Speed is 100 down and 10 up. The speed test from the asa gives me 91 down 10 up. Also i've removed the service-policy. Here are the top services

Here is the show tech

------------------ show interface ------------------

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        Available but not configured via nameif

        MAC address c067.afdb.afa3, MTU not set

        IP address unassigned

        12907995 packets input, 16541095117 bytes, 0 no buffer

        Received 151 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        259 switch ingress policy drops

        5864705 packets output, 1106304927 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 rate limit drops

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

  Control Point Interface States:

        Interface number is 3

        Interface config status is active

        Interface state is active

Interface Ethernet0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        Available but not configured via nameif

        MAC address c067.afdb.afa4, MTU not set

        IP address unassigned

        6024477 packets input, 1124197917 bytes, 0 no buffer

        Received 45680 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        2388 switch ingress policy drops

        12906779 packets output, 16555840377 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 rate limit drops

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

  Control Point Interface States:

        Interface number is 4

        Interface config status is active

        Interface state is active

Interface Ethernet0/2 "", is down, line protocol is down

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex, Auto-Speed

        Input flow control is unsupported, output flow control is unsupported

        Available but not configured via nameif

        MAC address c067.afdb.afa5, MTU not set

        IP address unassigned

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        0 switch ingress policy drops

        0 packets output, 0 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 rate limit drops

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

  Control Point Interface States:

        Interface number is 5

        Interface config status is active

        Interface state is active

Interface Internal-Data0/0 "", is up, line protocol is up

  Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec

        (Full-duplex), (1000 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        MAC address c067.afdb.afab, MTU not set

        IP address unassigned

        18910653 packets input, 17754340124 bytes, 0 no buffer

        Received 46134 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops, 0 demux drops

        18787562 packets output, 17745903917 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops, 0 tx hangs

        input queue (blocks free curr/low): hardware (512/487)

        output queue (blocks free curr/low): hardware (510/429)

  Control Point Interface States:

        Interface number is 2

        Interface config status is active

        Interface state is active

Interface Internal-Data0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec

        (Full-duplex), (1000 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        MAC address 0000.0003.0002, MTU not set

        IP address unassigned

        18784210 packets input, 17742973544 bytes, 0 no buffer

        Received 102 broadcasts, 0 runts, 0 giants

        210 input errors, 0 CRC, 0 frame, 210 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 switch ingress policy drops

        18907398 packets output, 17751419731 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

  Control Point Interface States:

        Interface number is 11

        Interface config status is active

        Interface state is active

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address c067.afdb.afab, MTU 1500

        IP address 10.1.10.8, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

        5987790 packets input, 999935763 bytes

        12917395 packets output, 16336804076 bytes

        84044 packets dropped

      1 minute input rate 146 pkts/sec,  10922 bytes/sec

      1 minute output rate 306 pkts/sec,  397086 bytes/sec

      1 minute drop rate, 1 pkts/sec

      5 minute input rate 165 pkts/sec,  12985 bytes/sec

      5 minute output rate 344 pkts/sec,  447850 bytes/sec

      5 minute drop rate, 1 pkts/sec

  Control Point Interface States:

        Interface number is 14

        Interface config status is active

        Interface state is active

Interface Vlan2 "COMCAST", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address c067.afdb.afab, MTU 1500

        IP address X.X.X.X, subnet mask 255.255.255.252

  Traffic Statistics for "COMCAST":

        12923535 packets input, 16327309861 bytes

        5870790 packets output, 992175169 bytes

        66629 packets dropped

      1 minute input rate 295 pkts/sec,  396134 bytes/sec

      1 minute output rate 137 pkts/sec,  10231 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 345 pkts/sec,  447907 bytes/sec

      5 minute output rate 163 pkts/sec,  12844 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Control Point Interface States:

        Interface number is 15

        Interface config status is active

        Interface state is active

Interface Virtual0 "_internal_loopback", is up, line protocol is up

  Hardware is Virtual   MAC address 0000.0000.0000, MTU 1500

        IP address 127.1.0.1, subnet mask 255.255.0.0

  Traffic Statistics for "_internal_loopback":

        1 packets input, 28 bytes

        1 packets output, 28 bytes

        1 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Control Point Interface States:

        Interface number is 12

        Interface config status is active

        Interface state is active

------------------ show traffic ------------------

inside:

        received (in 23578.080 secs):

                5998983 packets 1001079453 bytes

                72 pkts/sec     42093 bytes/sec

        transmitted (in 23578.080 secs):

                12945311 packets        16371763678 bytes

                2 pkts/sec      694181 bytes/sec

      1 minute input rate 142 pkts/sec,  9805 bytes/sec

      1 minute output rate 370 pkts/sec,  472948 bytes/sec

      1 minute drop rate, 1 pkts/sec

      5 minute input rate 165 pkts/sec,  12985 bytes/sec

      5 minute output rate 344 pkts/sec,  447850 bytes/sec

      5 minute drop rate, 1 pkts/sec

COMCAST:

        received (in 23579.350 secs):

                12950564 packets        16363265539 bytes

                2 pkts/sec      693055 bytes/sec

        transmitted (in 23579.350 secs):

                5881145 packets 993245555 bytes

                67 pkts/sec     42123 bytes/sec

      1 minute input rate 353 pkts/sec,  471468 bytes/sec

      1 minute output rate 130 pkts/sec,  8893 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 345 pkts/sec,  447907 bytes/sec

      5 minute output rate 163 pkts/sec,  12844 bytes/sec

      5 minute drop rate, 0 pkts/sec

----------------------------------------

Aggregated Traffic on Physical Interface

----------------------------------------

Ethernet0/0:

        received (in 23581.160 secs):

                12947346 packets        16593842001 bytes

                2 pkts/sec      703144 bytes/sec

        transmitted (in 23581.160 secs):

                5879797 packets 1108095565 bytes

                67 pkts/sec     46080 bytes/sec

      1 minute input rate 346 pkts/sec,  468181 bytes/sec

      1 minute output rate 128 pkts/sec,  11754 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 345 pkts/sec,  454766 bytes/sec

      5 minute output rate 163 pkts/sec,  16321 bytes/sec

      5 minute drop rate, 0 pkts/sec

Ethernet0/1:

        received (in 23581.950 secs):

                6041560 packets 1126191691 bytes

                74 pkts/sec     47027 bytes/sec

        transmitted (in 23581.950 secs):

                12948994 packets        16608970221 bytes

                2 pkts/sec      704126 bytes/sec

      1 minute input rate 143 pkts/sec,  13159 bytes/sec

      1 minute output rate 368 pkts/sec,  476771 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 167 pkts/sec,  16616 bytes/sec

      5 minute output rate 344 pkts/sec,  454689 bytes/sec

      5 minute drop rate, 0 pkts/sec

------------------ show perfmon ------------------

PERFMON STATS:                     Current      Average

Xlates                                2/s          8/s

Connections                           2/s          8/s

TCP Conns                             1/s          6/s

UDP Conns                             0/s          2/s

URL Access                            0/s          0/s

URL Server Req                        0/s          0/s

TCP Fixup                             0/s          0/s

TCP Intercept Established Conns       0/s          0/s

TCP Intercept Attempts                0/s          0/s

TCP Embryonic Conns Timeout           0/s          0/s

HTTP Fixup                            0/s          0/s

FTP Fixup                             0/s          0/s

AAA Authen                            0/s          0/s

AAA Author                            0/s          0/s

AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average

                                       N/A         62.67%

------------------ show counters ------------------

Protocol     Counter                             Value   Context

IP           IN_PKTS                              6698   Summary

IP           OUT_PKTS                              849   Summary

IP           TO_ARP                               5714   Summary

IP           TO_UDP                                240   Summary

IP           TO_ICMP                               744   Summary

UDP          IN_PKTS                               240   Summary

UDP          OUT_PKTS                                8   Summary

UDP          DROP_NO_APP                           162   Summary

ICMP         IN_PKTS                               744   Summary

ICMP         OUT_PKTS                                4   Summary

SSLERR       BAD_AUTHENTICATION_TYPE                 9   Summary

SSLERR       BAD_SIGNATURE                          11   Summary

SSLERR       SSLV3_ALERT_BAD_CERTIFICATE             8   Summary

SSLALERT     RX_CLOSE_NOTIFY                        12   Summary

SSLALERT     RX_BAD_CERTIFICATE                      8   Summary

SSLALERT     RX_FATAL_ALERT                          8   Summary

SSLALERT     RX_WARNING_ALERT                       12   Summary

SSLALERT     TX_CLOSE_NOTIFY                       166   Summary

SSLALERT     TX_WARNING_ALERT                      166   Summary

SSLDEV       NEW_CTX                                 1   Summary

SSL_NP       OPEN_CONN                               1   Summary

SSL_NP       HANDSHAKE_START                       195   Summary

SSL_NP       HANDSHAKE_DONE                        181   Summary

SSL_NP       DOWNSTREAM_CLOSE                      649   Summary

SSL_NP       DOWNSTREAM_CLOSE_NEXT                 195   Summary

SSL_NP       UPSTREAM_CLOSE                        221   Summary

SSL_NP       UPSTREAM_CLOSE_NEXT                   195   Summary

SSL_NP       FREE_CONN                             195   Summary

SSL_NP       NEW_CONN_SERVER                       195   Summary

SSL_NP       IN_PKTS_RX                            814   Summary

SSL_NP       IN_PKTS_TX                            217   Summary

SSL_NP       OUT_PKTS_RX                         21598   Summary

SSL_NP       OUT_PKTS_TX                         21975   Summary

SSL_NP       SESSIONS_CLEARED                        8   Summary

EmWeb        IN_PKTS                                 3   Summary

EmWeb        OUT_PKTS                               12   Summary

NPSHIM       CTX_ALLOC                             172   Summary

NPSHIM       CTX_FREE                              169   Summary

NPSHIM       WRITE_UNBLOCKED                      2372   Summary

NPSHIM       READ_RECV                            3910   Summary

VPIF         BAD_VALUE                               1   Summary

VPIF         NOT_FOUND                           49661   Summary

SSLENC       CONTEXT_CREATED                       195   Summary

SSLENC       CONTEXT_UPDATED                        30   Summary

SSLENC       CONTEXT_DESTROYED                     195   Summary

CRYPTO       INVALID_INPUT_PARAM                   195   Summary

Yeah, interfaces are clear so check top talkers, you already know that the main port protocol in use is TCP/80 so know we need to see top talkers over this port+protocol and check byte count when you see the performance issue, in most cases video streaming.

Value our effort and rate the assistance!

I installed a Netflow anylazer and found out the WWW port 80 accounts for 98% of the traffic. I see alot of high dowloads coming from the Ipads. These are some of the destinations:

Destination IP

d3-5-1-1-11-0.a03.nycmny01.us.ra.verio.net (165.254.204.169)

Source Port - 57981  Destination Port 80

a23-33-187-107.deploy.static.akamaitechnologies.com (23.33.187.107)

Those two destination are always downloading i try to google it but cannot find what application they are.

Can I distribute the bandwith evently per host, or QoS or traffic shaping? When all the traffic is WWW/80

Hello,

Well what you could do is actually determine whether that traffic is really important on the network and afterwards police it so it does not consume the rest of the bandwitdh,

Great approach with the netflow analizer, good job! 50 % of the work is done,

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So, for the time being the ASA has an option that you can shun connections trying to be established to that site.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1525925

The ASA cannot do a per flow limit, I suggest always to do this on a Cisco device that has more intelligence in that matter and also web filtering with third party product that can work in conjunction with the ASA (Websense,N2H2, bla, bla, bla) to allow or permit website in your work area.

Value our effort and rate the assistance!

Can you please reply if your issue is already resolved and if the information given on this forum helped you out?

Value our effort and rate the assistance!

Please update the ticket as resolved or answered so we can close out followup.

Value our effort and rate the assistance!

Hi jumora,

I am still having issues with the internet been to slow. After analyzing the traffic graph, almost all the traffic is HTTP port 80, coming from akamai which is a content distribution network and i cannot block it because is been use by microsoft, apple and other big names for faster access to their content,windows updates, software updates etc.

I have 110 Ipads and is always ramdom ipads using alot of bandwith coming from those sites.These ipads are the ones killing my bandwith even though all the ipads are limites to 2Mb/128K an still are able to max out my internet connection. I believe is the IOS 7. I am going to implement a squid server  for caching and test it, to see the difference.  Thank you for your help.  We can close this thread , and if i have any more question i'll be glad to ask.

Hello,

The bottom line, threat-detection or netflow collector indicate the same, since you want to maintain the flows through the ASA the questions would be, do you need a bigger pipe from your ISP or are you just not going to allow the traffic through or have a third part device manage flows through the ASA.

Either way the ASA by itself won't resolve your issue.

As indicated in a past post:

The ASA cannot do a per flow limit, I suggest always to do this on a Cisco device that has more intelligence in that matter and also web filtering with third party product that can work in conjunction with the ASA (Websense,N2H2, bla, bla, bla) to allow or permit website in your work area.

Please mark the ticket as answered.

Value our effort and rate the assistance!
Review Cisco Networking for a $25 gift card