06-18-2008 03:34 AM - edited 03-11-2019 06:00 AM
Hi all. We have the following situation happening on the DMZ of our ASA 5510. We first caught the problem when one of the users notified us that transfer of files from a server in the DMZ starts OK but slows down to a crawl. We have tested the claim and have found the same thing happening. Sometimes the transfer goes OK, sometimes it goes to a crawl (beneath 40k) and sometimes it slows down a bit but finishes in time. This mostly happens with large files.
We have further viewed the tcp dump from both sides (from the server side on the DMZ and from a host just before the ASA). Sometimes we see on the server side ACKs that come in triplicates, and the server side seems to send packets in a random order. The problem only happens on the server side, as the tcp dump from the host side seems OK.
We believe the problem is ASA related but we don't know what could be causing it. Any ideas?
06-18-2008 05:01 AM
try to set up "speed" "duplex" manually...
06-18-2008 05:31 AM
It's already set up like that.
06-18-2008 10:40 AM
Can you please post the output of the following:
show asp drop
show interface (after sanitizing the IPs)
Regards
Farrukh
06-19-2008 12:31 AM
06-19-2008 12:49 AM
I'm afraid you will have to do the following before capturing these commands:
clear asp drop
clear interface
then initiate this slow transfer, once you finish issue the show commands previously mentioned.
Regards
Farrukh
06-19-2008 02:07 AM
06-19-2008 03:26 AM
You certainly have a lot of TCP-related errors for sure. This does not seem to be normal for such a short interval (after the clear asp drop). Duplex issue seems to be OK as there are no real errors (except a few overruns on the inside interface). You could try to make a tcp-map matching on your application flow and try to allow the following:
! ACL selecting the affected flow (host addresses were stripped from the original post)
access-list tcpmaplist permit ip host
access-list tcpmaplist permit ip host
class-map slowbw-classmap
  match access-list tcpmaplist
! TCP normalizer options relaxed for that flow only
tcp-map netpro-map
  exceed-mss allow
  invalid-ack allow
  queue-limit 250 timeout 20
  window-variation allow
policy-map global_policy
  class slowbw-classmap
    set connection advanced-options netpro-map
Regards
Farrukh
06-19-2008 03:30 AM
Can you enable logging and check the tcp session? You should see "torn down" immediately; otherwise you should allow the MSS option in the ASA.
Farukh bhai, what's your opinion about this?
06-19-2008 03:42 AM
A better option would be to use:
capture capture_name type asp-drop all
And then see if this concerned traffic is included in the capture file.
Regards
Farrukh
06-19-2008 03:53 AM
I'll try the capture suggestion and I'll see what I get. I'll keep you posted.
06-20-2008 06:53 AM
I did a capture as suggested. I get the following messages when I enter the show capture command.
547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46
548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46
549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46
550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46
551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46
X.X.X.X being the server in the DMZ and Y.Y.Y.Y being the host on the inside. Any thoughts?
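The capture lines above are in the ASA's tcpdump-style "show capture" format, and the symptoms described earlier in the thread (out-of-order segments, ACKs arriving in triplicates) can be spotted mechanically from that output. The following is an added example, not code from the thread: a small checker that parses such lines per direction, flags segments whose sequence range jumps ahead of or falls behind what was expected, and flags three consecutive pure ACKs carrying the same acknowledgement number. The first five sample lines are the ones posted above; the remaining ones are constructed to exercise the checks.

```python
import re
from collections import defaultdict

# One "show capture" line; the seq range and length are absent on pure ACKs.
LINE_RE = re.compile(
    r"^\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+\S+\s+"
    r"(?:(?P<s>\d+):(?P<e>\d+)\((?P<n>\d+)\)\s+)?ack\s+(?P<ack>\d+)\s+win\s+\d+"
)

def analyse(lines):
    """Return [(line_index, finding)] for out-of-order data and triple duplicate ACKs."""
    findings = []
    next_seq = {}                           # (src, dst) -> next expected seq
    dup = defaultdict(lambda: (None, 0))    # (src, dst) -> (last ack, repeat count)
    for i, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip lines that are not TCP captures
        d = (m["src"], m["dst"])
        if m["s"] is not None:              # data-carrying segment
            s, e = int(m["s"]), int(m["e"])
            exp = next_seq.get(d)
            if exp is not None and s > exp:
                findings.append((i, "gap (loss or reordering)"))
            elif exp is not None and s < exp:
                findings.append((i, "earlier data (retransmit or out-of-order)"))
            next_seq[d] = max(exp or 0, e)
        else:                               # pure ACK: count repeats of the same ack number
            ack = int(m["ack"])
            last, cnt = dup[d]
            cnt = cnt + 1 if ack == last else 1
            dup[d] = (ack, cnt)
            if cnt == 3:
                findings.append((i, "triple duplicate ACK"))
    return findings

# Lines 547-551 are from the post above; 552-556 are constructed for illustration.
SAMPLE = [
    "547: 16:17:12.634748 x.x.x.x.80 > y.y.y.y.35167: . 1399302031:1399303399(1368) ack 332783732 win 46",
    "548: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303399:1399303935(536) ack 332783732 win 46",
    "549: 16:17:12.634763 x.x.x.x.80 > y.y.y.y.35167: . 1399303935:1399305303(1368) ack 332783732 win 46",
    "550: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399305303:1399306135(832) ack 332783732 win 46",
    "551: 16:17:12.634778 x.x.x.x.80 > y.y.y.y.35167: . 1399306135:1399307503(1368) ack 332783732 win 46",
    "552: 16:17:12.634790 x.x.x.x.80 > y.y.y.y.35167: . 1399308871:1399310239(1368) ack 332783732 win 46",
    "553: 16:17:12.634801 x.x.x.x.80 > y.y.y.y.35167: . 1399307503:1399308871(1368) ack 332783732 win 46",
    "554: 16:17:12.640000 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 5840",
    "555: 16:17:12.640100 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 5840",
    "556: 16:17:12.640200 y.y.y.y.35167 > x.x.x.x.80: . ack 1399307503 win 5840",
]

if __name__ == "__main__":
    for idx, what in analyse(SAMPLE):
        print(f"line {idx}: {what}")
```

Run against a full "show capture" dump, a steady stream of "gap" and "earlier data" findings on the server-to-client direction is what the original reporter's "random order" observation looks like in numbers.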
06-20-2008 07:07 AM
Did you try the following?:
! ACL selecting the affected flow (host addresses were stripped from the original post)
access-list tcpmaplist permit ip host
access-list tcpmaplist permit ip host
class-map slowbw-classmap
  match access-list tcpmaplist
! TCP normalizer options relaxed for that flow only
tcp-map netpro-map
  exceed-mss allow
  invalid-ack allow
  queue-limit 250 timeout 20
  window-variation allow
policy-map global_policy
  class slowbw-classmap
    set connection advanced-options netpro-map
Regards
Farrukh
06-23-2008 12:08 AM
Hi. Sorry for the late reply, but I had an emergency to resolve since I last wrote. I also have some new information. Our server admin told us that the problem might be in sliding windows when traffic goes over the ASA. He put a static window size of 2 on the server and he achieved respectable speeds.
I will try the solution you suggested, as I think the window-variation allow part will help a lot.
One question though, as I'm a bit new with policies on the ASA. Will this solution affect any other part of the global policy? I have some other things configured in the global policy and wouldn't want to nullify them, so I want to be sure.
06-23-2008 12:57 AM
No, it will not, because you will be using an ACL to restrict these actions to these hosts only.
Regards
Farrukh