08-11-2013 11:31 PM - edited 03-11-2019 07:24 PM
Hey all,
got the following problem:
We got a new ASA 5512 (9.1(2)). Since using the new ASA RDP over VPN is slow as hell. Furthermore we are hosting services for our customers at our local site. The customers access their servies via https and they report slow connections as well.
What I could determine:
- RAM and CPU usage is OK
- Internet connection is not working to capacity
- Accessed servers are fine
With our old PIX we didn't have these problems.
What can I do to narrow the things down? Do you need further information?
Thank you in advance.
Solved! Go to Solution.
08-12-2013 05:00 AM
Hi,
Theres a problem with your "outside" interface.
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
Its on Auto/Auto settings and has negotiated 10Mbps/Half Duplex
Check the connection/settings between ASA and the device connected to WAN.
- Jouni
08-12-2013 12:46 AM
Hi,
I would go through the ASAs interfaces so that there is no errors and problems with Duplex.
If there is no problem with the actual physical interfaces then I guess you could capture traffic on either the hosts or on the ASA and go through the traffic capture to see if there is any clear indication of the cause of the problem.
If you are sending ASA logs to a Syslog server then I would also go through the syslogs to see if there is anything special related to these connections.
- Jouni
08-12-2013 04:38 AM
Are you using the cisco vpn client / anyconnect?
Keep in mind that you got two problem, could be related to duplex/speed mismatich like JouniForss is reffering to.
08-12-2013 04:58 AM
Hello Sander, Hello JouniForss,
thank your for your answers.
There should be no duplex/speed problems:
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
Input flow control is unsupported, output flow control is off
Description: outside
MAC address 7cad.746f.0643, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.252
44690985 packets input, 14246179318 bytes, 0 no buffer
Received 24 broadcasts, 0 runts, 0 giants
29 input errors, 0 CRC, 0 frame, 29 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
36677961 packets output, 30273069571 bytes, 688 underruns
0 pause output, 0 resume output
0 output errors, 762873 collisions, 1 interface resets
3584466 late collisions, 3893361 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (493/415)
output queue (blocks free curr/low): hardware (508/0)
Traffic Statistics for "outside":
44690833 packets input, 13414186271 bytes
40263115 packets output, 34063912416 bytes
1273840 packets dropped
1 minute input rate 192 pkts/sec, 173728 bytes/sec
1 minute output rate 128 pkts/sec, 65991 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 166 pkts/sec, 104644 bytes/sec
5 minute output rate 140 pkts/sec, 97204 bytes/sec
5 minute drop rate, 1 pkts/sec
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: inside
MAC address 7cad.746f.0640, MTU 1500
IP address 192.168.x.x, subnet mask 255.255.255.0
273517054 packets input, 33507078716 bytes, 0 no buffer
Received 1853084 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
505155136 packets output, 673862376054 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
4 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (462/414)
output queue (blocks free curr/low): hardware (500/414)
Traffic Statistics for "inside":
273517049 packets input, 27143885172 bytes
505155136 packets output, 664727704962 bytes
384747 packets dropped
1 minute input rate 47 pkts/sec, 11867 bytes/sec
1 minute output rate 65 pkts/sec, 43224 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 91 pkts/sec, 28339 bytes/sec
5 minute output rate 119 pkts/sec, 105353 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2 "DMZ", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: DMZ
MAC address 7cad.746f.0644, MTU 1500
IP address 192.168.x.x, subnet mask 255.255.255.0
526650415 packets input, 699849187640 bytes, 0 no buffer
Received 218607 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
293676989 packets output, 36082728609 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/432)
output queue (blocks free curr/low): hardware (508/425)
Traffic Statistics for "DMZ":
523567643 packets input, 687409385731 bytes
293676989 packets output, 29375410165 bytes
5136626 packets dropped
1 minute input rate 86 pkts/sec, 87216 bytes/sec
1 minute output rate 76 pkts/sec, 7567 bytes/sec
1 minute drop rate, 18 pkts/sec
5 minute input rate 86 pkts/sec, 81140 bytes/sec
5 minute output rate 75 pkts/sec, 6688 bytes/sec
5 minute drop rate, 16 pkts/sec
I'm using the cisco vpn client (5.0.07)
08-12-2013 05:00 AM
Hi,
Theres a problem with your "outside" interface.
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
Its on Auto/Auto settings and has negotiated 10Mbps/Half Duplex
Check the connection/settings between ASA and the device connected to WAN.
- Jouni
08-12-2013 05:33 AM
Hey JouniForss,
wow, I totally missed this :/
Should be enough to set this to full and 100 Mbps?
08-12-2013 05:40 AM
Hi,
Can you check/set the settings on the device connected to the "outside" port of the ASA also?
I guess it would be good to manually set the speed/duplex settings on the devices.
- Jouni
08-12-2013 05:43 AM
The other device is a router from our provider. It's not possible to see anything or to configure things on this device :/
I will try to set the duplex/speed settings manuall today in the evening and will report back tomorrow .
Thanks again to you both.
08-13-2013 11:29 PM
Hi,
Were you able to get this problem solved by changing the physical port settings?
- Jouni
08-13-2013 11:33 PM
Sorry for my late answer.
Indeed it's working fine now. Thanks for seeing my missed missconfiguration
08-13-2013 11:36 PM
Hi,
Good to hear its working now
- Jouni
08-12-2013 05:39 AM
Depends on your switch side. Please post the configuration
- show run interface fast 1/0/X
and the
- shwo interface fast 1/0/x
09-07-2017 12:01 AM
Hello,
I have same problem after ASA 5585-X update (from version asa963-1-smp-k8.bin to asa982-smp-k8.bin). I`m tryed downgrade software and problem was disappeared. I think that the problem with inspections maps or something else…
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide