10-23-2013 12:40 PM - edited 03-11-2019 07:55 PM
Hi,
This is my setup:
Comcast 100/10
ASA 5505
190 Wireless Devices
40 Wired computers
I am experiencing website timeouts and very slow internet browsing. I notice it always gets slow when the number of xlates and connections goes above 1100.
What I have done is limit the upload speed to 256 kbps for the wireless devices, to isolate the problem of using too much upload bandwidth, but the problem still continues. I even limited the download speed to 2 Mbps per host and nothing. So I think it is not bandwidth related. Comcast technicians have already checked their modem and it seems good. Speed tests show 100 Mb down, 10 up.
Previously I was running pfSense as my firewall and the same issue happened: every time the state count went above 3000 the internet was impossible to use. I found out that there were hosts that were creating too many connections; in some cases they reached 400, 300, 200, etc. I was reading and they say it is better to limit the number of connection states per host to avoid congestion. I have replaced pfSense with an ASA 5505 Security Plus and limited the number of connections per host to 150 to see if that solves the problem, but it does not.
Here is my config
show runn
: Saved
:
ASA Version 9.1(3)
!
hostname STMACS-ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.10.8 255.255.255.0
!
interface Vlan2
nameif COMCAST
security-level 0
ip address x.x.x.x 255.255.255.252
!
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Net-10.1.10.0
subnet 10.1.10.0 255.255.255.0
object network Net-172.16.0.0
subnet 172.16.0.0 255.255.0.0
object network Host-172.16.20.10-RDP
host 172.16.20.10
description SERVER
object service RDP
service tcp destination eq 3389
access-list COMCAST_access_in extended permit object RDP any object Host-172.16.20.10-RDP
pager lines 24
logging asdm informational
mtu inside 1500
mtu COMCAST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Net-10.1.10.0
nat (inside,COMCAST) dynamic interface
object network Net-172.16.0.0
nat (inside,COMCAST) dynamic interface
object network Host-172.16.20.10-RDP
nat (inside,COMCAST) static interface service tcp 3389 3389
access-group COMCAST_access_in in interface COMCAST
route COMCAST 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 172.16.0.0 255.255.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.1.10.0 255.255.255.0 inside
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
quit
telnet timeout 5
ssh 10.1.10.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config COMCAST
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username XXXX password XXXXXXXXXX encrypted privilege 15
!
class-map CONNS
match any
!
!
policy-map CONNS
class CONNS
set connection embryonic-conn-max 1000 per-client-max 150 per-client-embryonic-max 100
!
service-policy CONNS global
prompt hostname context
call-home reporting anonymous
: end
Show conn count
769 in use, 1883 most used
Show xlate count
976 in use, 2506 most used
Any help or tip will be appreciated. Thanks
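As an added example (not from the thread or from Cisco), a short Python script that does the per-host analysis the original post describes, offline: it parses ASA "show conn" output in the assumed line format shown in the constructed sample, counts connections and embryonic (half-open) connections per inside client, flags the hosts that would hit the per-client-max 150 / per-client-embryonic-max 100 limits from the service-policy, and lists the busiest destination ports. Treating a TCP connection without the U flag as embryonic is an assumption.

```python
import re
from collections import Counter, defaultdict
# Constructed sample of ASA "show conn" output (not from the thread); assumed format:
# PROTO if_a ip:port if_b ip:port, idle H:MM:SS, bytes N, flags F
SAMPLE_SHOW_CONN = """\
5 in use, 1883 most used
TCP COMCAST 23.33.187.107:80 inside 172.16.20.55:57981, idle 0:00:05, bytes 1048576, flags UIO
TCP COMCAST 165.254.204.169:80 inside 172.16.20.55:57982, idle 0:00:01, bytes 524288, flags UIO
TCP COMCAST 23.33.187.107:80 inside 172.16.20.55:57983, idle 0:00:09, bytes 0, flags saA
UDP COMCAST 8.8.8.8:53 inside 10.1.10.20:51234, idle 0:00:10, bytes 120, flags -
TCP COMCAST 93.184.216.34:443 inside 10.1.10.20:40001, idle 0:00:02, bytes 4096, flags UIO
"""
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),"
    r"\s+idle\s+[\d:]+,\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?"
)

def parse_show_conn(text, inside_if="inside"):
    """One dict per connection; the endpoint on inside_if is the client."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skips the "N in use, M most used" header and blank lines
        d = m.groupdict()
        if d["if_a"] == inside_if:
            client, server, sport = d["ip_a"], d["ip_b"], int(d["port_b"])
        else:
            client, server, sport = d["ip_b"], d["ip_a"], int(d["port_a"])
        flags = d["flags"] or ""
        conns.append({
            "proto": d["proto"], "client": client, "server": server,
            "server_port": sport, "bytes": int(d["bytes"]),
            # Assumption: a TCP conn without the 'U' (up) flag is still embryonic.
            "embryonic": d["proto"] == "TCP" and "U" not in flags,
        })
    return conns

def per_host_summary(conns):
    """Connection, embryonic and byte totals per inside client."""
    summary = defaultdict(lambda: {"conns": 0, "embryonic": 0, "bytes": 0})
    for c in conns:
        s = summary[c["client"]]
        s["conns"] += 1
        s["embryonic"] += int(c["embryonic"])
        s["bytes"] += c["bytes"]
    return dict(summary)

def hosts_over_limit(summary, per_client_max=150, per_client_embryonic_max=100):
    """Clients at or above the thread's 'set connection' per-client limits."""
    return sorted(h for h, s in summary.items()
                  if s["conns"] >= per_client_max
                  or s["embryonic"] >= per_client_embryonic_max)

def top_server_ports(conns, n=5):
    """Most common (proto, server port) pairs, e.g. ('TCP', 80) for web traffic."""
    return Counter((c["proto"], c["server_port"]) for c in conns).most_common(n)

if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    summary = per_host_summary(conns)
    print("over limit:", hosts_over_limit(summary, per_client_max=3))
    print("top ports:", top_server_ports(conns))
```

Feed it the saved output of "show conn" taken while the slowdown is happening; the hosts it lists are the ones to compare against the NetFlow top talkers.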
10-23-2013 01:14 PM
Hello,
Although speedtest.net is not the best way to review speed throughput on the ASA, can you tell me how much you are getting on that webpage and what speed your ISP gave you?
Also, please remove the service-policy that you currently have setup.
In the ASDM view you should be able to see top talkers on your network and top protocols; you can even check it by bytes as well as by current connections through the device.
It would be best to have a show tech instead of a show config to review interface stats.
Sometimes just going into baby-step mode is the best way: just connect one PC to the ASA 5505 and check if throughput is that bad, then start adding up by connecting the rest of the network, but only if this is a possibility.
10-23-2013 03:23 PM
My ISP speed is 100 down and 10 up. The speed test from the ASA gives me 91 down, 10 up. Also, I've removed the service-policy. Here are the top services
Here is the show tech
------------------ show interface ------------------
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address c067.afdb.afa3, MTU not set
IP address unassigned
12907995 packets input, 16541095117 bytes, 0 no buffer
Received 151 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
259 switch ingress policy drops
5864705 packets output, 1106304927 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address c067.afdb.afa4, MTU not set
IP address unassigned
6024477 packets input, 1124197917 bytes, 0 no buffer
Received 45680 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
2388 switch ingress policy drops
12906779 packets output, 16555840377 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is active
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address c067.afdb.afa5, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address c067.afdb.afab, MTU not set
IP address unassigned
18910653 packets input, 17754340124 bytes, 0 no buffer
Received 46134 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops, 0 demux drops
18787562 packets output, 17745903917 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (512/487)
output queue (blocks free curr/low): hardware (510/429)
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Interface Internal-Data0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
(Full-duplex), (1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0000.0003.0002, MTU not set
IP address unassigned
18784210 packets input, 17742973544 bytes, 0 no buffer
Received 102 broadcasts, 0 runts, 0 giants
210 input errors, 0 CRC, 0 frame, 210 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 switch ingress policy drops
18907398 packets output, 17751419731 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Control Point Interface States:
Interface number is 11
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address c067.afdb.afab, MTU 1500
IP address 10.1.10.8, subnet mask 255.255.255.0
Traffic Statistics for "inside":
5987790 packets input, 999935763 bytes
12917395 packets output, 16336804076 bytes
84044 packets dropped
1 minute input rate 146 pkts/sec, 10922 bytes/sec
1 minute output rate 306 pkts/sec, 397086 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 165 pkts/sec, 12985 bytes/sec
5 minute output rate 344 pkts/sec, 447850 bytes/sec
5 minute drop rate, 1 pkts/sec
Control Point Interface States:
Interface number is 14
Interface config status is active
Interface state is active
Interface Vlan2 "COMCAST", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address c067.afdb.afab, MTU 1500
IP address X.X.X.X, subnet mask 255.255.255.252
Traffic Statistics for "COMCAST":
12923535 packets input, 16327309861 bytes
5870790 packets output, 992175169 bytes
66629 packets dropped
1 minute input rate 295 pkts/sec, 396134 bytes/sec
1 minute output rate 137 pkts/sec, 10231 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 345 pkts/sec, 447907 bytes/sec
5 minute output rate 163 pkts/sec, 12844 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 15
Interface config status is active
Interface state is active
Interface Virtual0 "_internal_loopback", is up, line protocol is up
Hardware is Virtual MAC address 0000.0000.0000, MTU 1500
IP address 127.1.0.1, subnet mask 255.255.0.0
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 12
Interface config status is active
Interface state is active
------------------ show traffic ------------------
inside:
received (in 23578.080 secs):
5998983 packets 1001079453 bytes
72 pkts/sec 42093 bytes/sec
transmitted (in 23578.080 secs):
12945311 packets 16371763678 bytes
2 pkts/sec 694181 bytes/sec
1 minute input rate 142 pkts/sec, 9805 bytes/sec
1 minute output rate 370 pkts/sec, 472948 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 165 pkts/sec, 12985 bytes/sec
5 minute output rate 344 pkts/sec, 447850 bytes/sec
5 minute drop rate, 1 pkts/sec
COMCAST:
received (in 23579.350 secs):
12950564 packets 16363265539 bytes
2 pkts/sec 693055 bytes/sec
transmitted (in 23579.350 secs):
5881145 packets 993245555 bytes
67 pkts/sec 42123 bytes/sec
1 minute input rate 353 pkts/sec, 471468 bytes/sec
1 minute output rate 130 pkts/sec, 8893 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 345 pkts/sec, 447907 bytes/sec
5 minute output rate 163 pkts/sec, 12844 bytes/sec
5 minute drop rate, 0 pkts/sec
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
received (in 23581.160 secs):
12947346 packets 16593842001 bytes
2 pkts/sec 703144 bytes/sec
transmitted (in 23581.160 secs):
5879797 packets 1108095565 bytes
67 pkts/sec 46080 bytes/sec
1 minute input rate 346 pkts/sec, 468181 bytes/sec
1 minute output rate 128 pkts/sec, 11754 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 345 pkts/sec, 454766 bytes/sec
5 minute output rate 163 pkts/sec, 16321 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 23581.950 secs):
6041560 packets 1126191691 bytes
74 pkts/sec 47027 bytes/sec
transmitted (in 23581.950 secs):
12948994 packets 16608970221 bytes
2 pkts/sec 704126 bytes/sec
1 minute input rate 143 pkts/sec, 13159 bytes/sec
1 minute output rate 368 pkts/sec, 476771 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 167 pkts/sec, 16616 bytes/sec
5 minute output rate 344 pkts/sec, 454689 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 2/s 8/s
Connections 2/s 8/s
TCP Conns 1/s 6/s
UDP Conns 0/s 2/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 62.67%
------------------ show counters ------------------
Protocol Counter Value Context
IP IN_PKTS 6698 Summary
IP OUT_PKTS 849 Summary
IP TO_ARP 5714 Summary
IP TO_UDP 240 Summary
IP TO_ICMP 744 Summary
UDP IN_PKTS 240 Summary
UDP OUT_PKTS 8 Summary
UDP DROP_NO_APP 162 Summary
ICMP IN_PKTS 744 Summary
ICMP OUT_PKTS 4 Summary
SSLERR BAD_AUTHENTICATION_TYPE 9 Summary
SSLERR BAD_SIGNATURE 11 Summary
SSLERR SSLV3_ALERT_BAD_CERTIFICATE 8 Summary
SSLALERT RX_CLOSE_NOTIFY 12 Summary
SSLALERT RX_BAD_CERTIFICATE 8 Summary
SSLALERT RX_FATAL_ALERT 8 Summary
SSLALERT RX_WARNING_ALERT 12 Summary
SSLALERT TX_CLOSE_NOTIFY 166 Summary
SSLALERT TX_WARNING_ALERT 166 Summary
SSLDEV NEW_CTX 1 Summary
SSL_NP OPEN_CONN 1 Summary
SSL_NP HANDSHAKE_START 195 Summary
SSL_NP HANDSHAKE_DONE 181 Summary
SSL_NP DOWNSTREAM_CLOSE 649 Summary
SSL_NP DOWNSTREAM_CLOSE_NEXT 195 Summary
SSL_NP UPSTREAM_CLOSE 221 Summary
SSL_NP UPSTREAM_CLOSE_NEXT 195 Summary
SSL_NP FREE_CONN 195 Summary
SSL_NP NEW_CONN_SERVER 195 Summary
SSL_NP IN_PKTS_RX 814 Summary
SSL_NP IN_PKTS_TX 217 Summary
SSL_NP OUT_PKTS_RX 21598 Summary
SSL_NP OUT_PKTS_TX 21975 Summary
SSL_NP SESSIONS_CLEARED 8 Summary
EmWeb IN_PKTS 3 Summary
EmWeb OUT_PKTS 12 Summary
NPSHIM CTX_ALLOC 172 Summary
NPSHIM CTX_FREE 169 Summary
NPSHIM WRITE_UNBLOCKED 2372 Summary
NPSHIM READ_RECV 3910 Summary
VPIF BAD_VALUE 1 Summary
VPIF NOT_FOUND 49661 Summary
SSLENC CONTEXT_CREATED 195 Summary
SSLENC CONTEXT_UPDATED 30 Summary
SSLENC CONTEXT_DESTROYED 195 Summary
CRYPTO INVALID_INPUT_PARAM 195 Summary
10-23-2013 05:36 PM
Yeah, interfaces are clear, so check top talkers. You already know that the main port/protocol in use is TCP/80, so now we need to see top talkers over this port+protocol and check byte count when you see the performance issue; in most cases it is video streaming.
10-24-2013 06:57 AM
I installed a NetFlow analyzer and found out that WWW port 80 accounts for 98% of the traffic. I see a lot of high downloads coming from the iPads. These are some of the destinations:
Destination IP
d3-5-1-1-11-0.a03.nycmny01.us.ra.verio.net (165.254.204.169)
Source Port - 57981 Destination Port 80
a23-33-187-107.deploy.static.akamaitechnologies.com (23.33.187.107)
Those two destinations are always downloading; I tried to google them but cannot find what application they are.
Can I distribute the bandwidth evenly per host, or use QoS or traffic shaping, when all the traffic is WWW/80?
10-24-2013 07:41 AM
Hello,
Well, what you could do is actually determine whether that traffic is really important on the network and afterwards police it so it does not consume the rest of the bandwidth.
Great approach with the NetFlow analyzer, good job! 50% of the work is done.
Regards,
Jcarvaja
10-24-2013 10:50 AM
So, for the time being, the ASA has an option that lets you shun connections trying to be established to that site.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1525925
The ASA cannot do a per-flow limit; I suggest always doing this on a Cisco device that has more intelligence in that matter, and also web filtering with a third-party product that can work in conjunction with the ASA (Websense, N2H2, bla, bla, bla) to allow or permit websites in your work area.
10-28-2013 06:14 PM
Can you please reply if your issue is already resolved and if the information given on this forum helped you out?
10-31-2013 10:54 AM
Please update the ticket as resolved or answered so we can close out followup.
10-31-2013 04:00 PM
Hi jumora,
I am still having issues with the internet being too slow. After analyzing the traffic graph, almost all the traffic is HTTP port 80, coming from Akamai, which is a content distribution network, and I cannot block it because it is being used by Microsoft, Apple and other big names for faster access to their content, Windows updates, software updates, etc.
I have 110 iPads and it is always random iPads using a lot of bandwidth coming from those sites. These iPads are the ones killing my bandwidth; even though all the iPads are limited to 2Mb/128K they are still able to max out my internet connection. I believe it is iOS 7. I am going to implement a Squid server for caching and test it, to see the difference. Thank you for your help. We can close this thread, and if I have any more questions I'll be glad to ask.
10-31-2013 05:11 PM
Hello,
The bottom line: threat-detection or a NetFlow collector indicate the same. Since you want to maintain the flows through the ASA, the questions would be: do you need a bigger pipe from your ISP, are you just not going to allow the traffic through, or will you have a third-party device manage flows through the ASA?
Either way the ASA by itself won't resolve your issue.
As indicated in a past post:
The ASA cannot do a per-flow limit; I suggest always doing this on a Cisco device that has more intelligence in that matter, and also web filtering with a third-party product that can work in conjunction with the ASA (Websense, N2H2, bla, bla, bla) to allow or permit websites in your work area.
Please mark the ticket as answered.