ASA 5520 intervlan routing at low speed

Srakandaev
Level 1

I have an ASA 5520 with an SSM-10 module. During a copy between VLANs connected to a gigabit port of the ASA, the speed is up to 6.5 Mbyte/sec. The network cards and the trunked switch are gigabit. I temporarily disabled the SSM, but it didn't help. Here is my config. I also found out that putting the SSM into bypass mode solves the problem. But I don't send any traffic to the IPS...

ASA Version 8.4(2)
!
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
!
interface GigabitEthernet0/0
 nameif DMZ
 security-level 50
 ip address 10.2.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif Devices
 security-level 100
 ip address 10.2.0.1 255.255.255.0
!
interface GigabitEthernet0/1.101
 vlan 101
 nameif Common
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif Design
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/1.103
 vlan 103
 nameif Ruhlamat
 security-level 90
 ip address 10.2.3.1 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif HOLOGR
 security-level 40
 ip address 10.1.2.4 255.255.0.0
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address ***
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
 host 10.2.1.6
object network MAIL
 host 10.2.5.5
object network TEST
 host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
 network-object host 10.1.0.88
 network-object host 10.1.6.1
 network-object host 10.1.6.5
 network-object host 10.1.0.57
 network-object 10.2.0.0 255.255.255.0
 network-object host 10.1.6.4
 network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2080
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_6
 network-object host 10.1.4.42
 network-object host 10.1.4.234
 network-object host 10.1.4.175
 network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_3
 network-object host 10.2.1.4
 network-object host 10.2.1.5
 network-object host 10.2.1.6
 network-object host 10.2.1.14
 network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
 network-object host 10.2.1.4
 network-object host 10.2.1.5
 network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_5
 network-object host 10.2.1.14
 network-object host 10.2.1.39
 network-object host 10.2.1.4
 network-object host 10.2.1.5
 network-object host 10.2.1.6
 network-object host 10.2.1.85
 network-object host 10.2.1.31
 network-object host 10.2.1.32
 network-object host 10.2.1.40
 network-object host 10.2.1.55
 network-object host 10.2.1.35
 network-object host 10.2.1.3
 network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_7
 network-object host 10.2.1.4
 network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
 network-object host 10.2.1.4
 network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
 network-object host 10.1.1.101
 network-object host 10.1.6.1
 network-object host 10.1.6.4
 network-object host 10.1.6.5
 network-object host 10.1.0.57
 network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
 network-object host 10.2.1.4
 network-object host 10.2.1.5
 network-object host 10.2.1.3
 network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_12
 network-object host 10.2.0.11
 network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_13
 network-object host 10.2.1.4
 network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
 network-object host 8.8.4.4
 network-object host 8.8.8.8
 network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
 network-object host 10.2.1.39
 network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
 network-object host 10.2.1.14
 network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_16 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
!
object network WWW
 nat (Common,outside) static interface service tcp *** ***
object network MAIL
 nat (DMZ,outside) static interface service tcp smtp smtp
!
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
!
!
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: end

2 Replies

mirober2
Cisco Employee

Hi Philip,

I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:

https://supportforums.cisco.com/docs/DOC-1222

-Mike

The problem was with the SSM module. It was examining traffic without any rules on the ASA. I found it out during the file copy process - CPU utilization rose up to 100% on the SSM module. I created new rules for sending traffic to the SSM, and suddenly everything worked as it should. Copy speed between VLANs became 77-95 Mbytes/sec.

Thank you for your advice anyway!
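The resolution above comes down to telling the ASA explicitly which flows reach the module instead of letting every inter-VLAN packet queue behind a saturated SSM. As an added example that is not part of this thread and not the poster's actual rules, here is how the two steps look on the ASA 8.4 CLI: the interface-counter check Mike suggested, followed by Modular Policy Framework rules that hand only chosen traffic to the AIP-SSM. The names IPS_TRAFFIC and IPS_CLASS, and the choice of the Common subnet (10.2.1.0/24) as the inspected network, are assumptions made for the example.

```cisco
! Added example, not from the thread. Names IPS_TRAFFIC / IPS_CLASS and the
! choice of 10.2.1.0/24 as the inspected subnet are assumptions.
!
! 1. Rule out the ASA's own interfaces first: run this before and during the
!    copy; the CRC/overrun counters on the same line must not climb.
show interface GigabitEthernet0/1 | include overrun
show interface GigabitEthernet0/0 | include overrun
!
! 2. Confirm the module state and which policy classes already send packets
!    to it. A module that is Up but receiving traffic from no explicit class
!    is the situation described in the thread.
show module 1 details
show service-policy
!
! 3. Define what the IPS should see. Both directions are listed so that a
!    connection initiated from either side is matched on its first packet.
access-list IPS_TRAFFIC extended permit ip 10.2.1.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 10.2.1.0 255.255.255.0
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 4. Attach the class to the existing global policy. "inline" places the
!    module in the forwarding path for matched flows only; "fail-open" keeps
!    those flows forwarding if the module fails or is reloaded, so a module
!    outage does not become a network outage. "promiscuous" instead gives the
!    module a copy of the packets without ever holding up forwarding.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! global_policy is already bound globally on a default ASA 8.4 configuration;
! the line is repeated so the example stands on its own.
service-policy global_policy global
!
! 5. Verify: the IPS counters under show service-policy should now advance
!    only for IPS_CLASS, and traffic between the other VLANs bypasses the SSM.
show service-policy
```

Keeping the match list narrow is the security-relevant trade-off: traffic that the class does not match is never inspected, so the ACL should be chosen to cover the segments whose traffic you actually want the IPS to examine, and the `show service-policy` counters are the check that the intended flows, and only those, are reaching the module.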
