09-08-2010 06:48 AM - edited 03-11-2019 11:36 AM
I presently have 50mbps of metro-e internet connectivity. I have verified the throughput by directly connecting my laptop and running a Speedtest.net Mini test hosted by my ISP, which yields approximately 50mbps up and down. However, when pushing traffic through an ASA 5505 with a near factory configuration, while my download speed is perfectly acceptable, the upload test only yields approximately 15mbps.
I have verified the speed and duplex settings match on each end, 100 Full (I yield the same results with auto). Below are interface details followed by a very simplistic configuration that I have reverted to for testing. Any help would be greatly appreciated.
*(inside)* Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address c84c.75e0.a325, MTU not set
IP address unassigned
548 packets input, 39677 bytes, 0 no buffer
Received 471 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1 switch ingress policy drops
55 packets output, 9514 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
*(outside)* Interface Ethernet0/5 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address c84c.75e0.a32a, MTU not set
IP address unassigned
20178 packets input, 17289482 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
84 switch ingress policy drops
18573 packets output, 18671251 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
: Saved
!
ASA Version 8.3(1)
!
hostname temp
enable password <REMOVED> encrypted
passwd <REMOVED> encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.XXX.XXX 255.255.0.0
!
interface Vlan2
nameif outside
security-level 100
ip address 207.XXX.XXX.XXX 255.XXX.XXX.XXX
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.XXX.XXX.XXX 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b0c8c156954acb434daa2e69ccf3cbb
: end
09-08-2010 07:40 AM
Hi Lee,
Is the client you are testing with directly connected to the inside interface of the ASA, or are there other devices between the client and the ASA? If you haven't done so already, try directly connecting the client to a free port on the ASA.
Also, try checking to see if the ASA is dropping any packets during the speed test. You can clear the drop counters with 'clear asp drop', then start the speed test, then monitor the output of 'show asp drop' and see if any of the counters are incrementing during the test.
-Mike
09-08-2010 08:07 AM
Hey Mike,
Thanks for taking the time to reply. Per your suggestion, I connected the laptop directly to the ASA, so that leaves only the uplink on eth0/5 and the laptop on eth0/1.
I cleared the counters and left the laptop idle for several minutes. After the idle period, the following counters had incremented:
Frame drop:
Flow is denied by configured rule (acl-drop) 3
Slowpath security checks failed (sp-security-failed) 67
Results after the bandwidth test with the previous counters intact:
Frame drop:
Flow is denied by configured rule (acl-drop) 3
Slowpath security checks failed (sp-security-failed) 78
I double-checked the interfaces for errors again but none were returned.
-Lee
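Mike's "clear asp drop, run the test, watch show asp drop" procedure and the two snapshots Lee posted lend themselves to a small diff script. This is an added example, not code from the thread; the snapshots are constructed in the 'show asp drop' format using Lee's counters and counts, and the 'Last clearing' line is assumed filler.

```python
import re

# Constructed snapshots in the format of 'show asp drop' output. The counters and
# counts are the ones Lee posted; the 'Last clearing' line is assumed filler.
BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           3
  Slowpath security checks failed (sp-security-failed)                  67

Last clearing: 08:00:00 UTC Sep 8 2010 by enable_15
"""
AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                           3
  Slowpath security checks failed (sp-security-failed)                  78

Last clearing: 08:00:00 UTC Sep 8 2010 by enable_15
"""

# One counter per line: description, reason name in parentheses, then the count.
_COUNTER = re.compile(r"^\s*.+?\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text: str) -> dict:
    """Return {reason-name: count} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        if m := _COUNTER.match(line):
            counters[m.group("name")] = int(m.group("count"))
    return counters

def incremented(before: dict, after: dict) -> dict:
    """Counters that grew between the snapshots (a counter absent before counts from 0)."""
    return {n: c - before.get(n, 0) for n, c in after.items() if c > before.get(n, 0)}

if __name__ == "__main__":
    delta = incremented(parse_asp_drop(BEFORE), parse_asp_drop(AFTER))
    for name, count in delta.items():
        print(f"{name}: +{count}")   # only sp-security-failed grew, by 11
```

Paste the real before/after output into BEFORE and AFTER; any reason that grows only while the test runs is the one to look up in the ASP drop capture.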
09-08-2010 08:41 AM
Hi Lee,
Try setting up an ASP drop capture to see if the packets being dropped are related to the speed test. This is done with the 'capture drop type asp-drop all' command.
Once the capture is configured, repeat the speed test and check the output of 'show capture drop'. This will show you all the packets dropped by the ASA and you can check to see if they are related to the speed test traffic.
-Mike
09-08-2010 08:51 AM
Hey Mike,
After configuring the capture and running the bandwidth test, nothing related was logged. In fact, after several tests, I only observed sp-security-failed entries, which were being generated by NetBIOS lookups from the laptop.
Thanks again for your assistance and patience with the matter.
-Lee
09-08-2010 12:46 PM
Hi Lee,
As a next step I would setup bi-directional, simultaneous packet captures on both the ingress and egress interfaces of the ASA. Those may provide some insight into why the traffic is slowing down.
Here is a guide that explains how to setup packet captures on the ASA and download them to view in Wireshark:
https://supportforums.cisco.com/docs/DOC-1222
-Mike
09-08-2010 02:34 PM
02-17-2011 11:35 AM
Lee, were you able to find anything on your upload speed issue? I am experiencing the same problem with a 5510.
02-18-2011 05:43 AM
Hi Troy,
In the end, it turned out that my issue was related to a faulty Speedtest Mini server. Performing tests with iperf revealed that I was getting a full 50mbps. I hope this helps.
02-18-2011 09:21 PM
Hi Lee,
Thanks a lot for publishing that answer. Troy, if you are having a similar issue, please do the same test as Lee did. The packet capture helps a lot, and I wouldn't mind analyzing them; however, please check the following prior to doing the packet capture...
-Make sure that the interfaces that connect to the inside and outside are hardcoded
-Make sure that the other devices connected to the ASA are hardcoded as well
-Make sure that there is no bottleneck on the ASA (meaning an interface running at 100 and the other one at 1000)
-Replace cables if possible
-Connect a computer directly to the ISP router/modem and perform the same test and compare them with the ones behind the ASA
-Gather a packet capture doing an upload to the internet while connected directly to the ASA
-Gather a simultaneous packet capture while connected directly to the ASA on the following places
  -Computer
  -Inside of the firewall
  -Outside of the firewall
Once you have this information and the steps done, paste the captures over here, I would take a look at them.
Cheers
Mike
02-24-2011 11:21 PM
All - we have had this problem on almost every ASA5505 we have installed. We have to fix both the WAN side connection (e0/0 typical) and the LAN side connection port (e0/1 typical) to the same exact speed/duplex settings or we have speed limitations on the upload side. When we fix both ports to Full/100, the speed received matches the speed quoted by the provider. If we leave it as auto/auto, we have lower upload speeds.
Just from our experience.
Thanks.
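A way to automate the link checks Mike's list and the post above describe (LAN and WAN ports hardcoded, full duplex, no speed difference between ports, no duplex-mismatch symptoms in the counters) against 'show interface' output in the format Lee pasted. This is an added example, not code from the thread; the Ethernet0/1 block is constructed, and its auto-negotiated half duplex and late-collision count are assumed values chosen to exercise the checks.

```python
import re

# Constructed 'show interface' excerpt in the format Lee pasted. Ethernet0/5 is
# hardcoded as in his config; the Ethernet0/1 values (auto, half duplex, late
# collisions) are assumed to exercise the checks and are not from the thread.
SHOW_INTERFACE = """\
Interface Ethernet0/1 "", is up, line protocol is up
  Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
  17 late collisions, 0 deferred
Interface Ethernet0/5 "", is up, line protocol is up
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  0 late collisions, 0 deferred
"""

_HDR = re.compile(r'^Interface (\S+) ".*?", is \w+, line protocol is (\w+)')
_LINK = re.compile(r"^\s*(\S+)\((\S+)\), (.+?)\((.+?)\)\s*$")  # configured(negotiated)
_LATE = re.compile(r"^\s*(\d+) late collisions")

def parse_interfaces(text: str) -> dict:
    """Per interface: link state, configured vs negotiated duplex/speed, late collisions."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := _HDR.match(line):
            cur = ifaces.setdefault(m[1], {"up": m[2] == "up"})
        elif cur is None:
            continue
        elif m := _LINK.match(line):
            cur.update(cfg_duplex=m[1], duplex=m[2], cfg_speed=m[3], speed=m[4])
        elif m := _LATE.match(line):
            cur["late_collisions"] = int(m[1])
    return ifaces

def check_links(ifaces: dict) -> list:
    """Flag ports that are negotiated rather than hardcoded, not full duplex,
    logging late collisions (the classic duplex-mismatch symptom), or at odd speeds."""
    findings = []
    for name, i in ifaces.items():
        if not i["up"]:
            continue
        if i["cfg_duplex"].startswith("Auto") or i["cfg_speed"].startswith("Auto"):
            findings.append(f"{name}: speed/duplex negotiated, not hardcoded")
        if i["duplex"] != "Full-duplex":
            findings.append(f"{name}: running {i['duplex']}")
        if i.get("late_collisions", 0):
            findings.append(f"{name}: late collisions, check duplex on both ends and cabling")
    speeds = {i["speed"] for i in ifaces.values() if i["up"]}
    if len(speeds) > 1:
        findings.append("speed differs across up interfaces: " + ", ".join(sorted(speeds)))
    return findings
```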