ASA 5525-X horrible download speeds, but normal upload

jarnohol89 · ‎03-24-2015

Hello everyone,

I have a Cisco ASA 5525-X that we purchased for our 1G Colo circuit. Before we put it in the Colo we tested it on another MOE network that ran some old hardware and the ASA needed to be configured to force the WAN speed to 100. Long story short, the ASA is in the Colo now and connected to the 1G circuit. Before I put the ASA in place I made sure to set the interface speed to auto.

Topology:

MOE>ASA>3925 Router>ISP

Now, if I plug in directly to the 3925 everything is great and I'm pulling some 350 MB/s up and down. If I plug into the ASA I'm getting beween 10-25 MB/s down, but still 350 MB/s up. Both the ASA and the 3925 have all of their interfaces set to auto speed and duplex.

Here's the kicker: if I force speed 100 on the ASA my donwload speed goes up to 100 and my upload goes down to 100.

Can anyone explain why this bloody ASA is not playing nice?

Corp-FW# show ver

Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 6.6(1)

Compiled on Wed 28-Nov-12 11:15 PST by builders
System image file is "disk0:/asa911-smp-k8.bin"
Config file at boot was "startup-config"

Corp-FW up 12 hours 43 mins

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0022
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

0: Int: Internal-Data0/0 : address is 18e7.28b5.c793, irq 11
1: Ext: GigabitEthernet0/0 : address is 18e7.28b5.c798, irq 5
2: Ext: GigabitEthernet0/1 : address is 18e7.28b5.c794, irq 5
3: Ext: GigabitEthernet0/2 : address is 18e7.28b5.c799, irq 10
4: Ext: GigabitEthernet0/3 : address is 18e7.28b5.c795, irq 10
5: Ext: GigabitEthernet0/4 : address is 18e7.28b5.c79a, irq 5
6: Ext: GigabitEthernet0/5 : address is 18e7.28b5.c796, irq 5
7: Ext: GigabitEthernet0/6 : address is 18e7.28b5.c79b, irq 10
8: Ext: GigabitEthernet0/7 : address is 18e7.28b5.c797, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 18e7.28b5.c793, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Disabled perpetual

=========================================================================================

Corp-FW# show run
: Saved
:
ASA Version 9.1(1)
!
hostname Corp-FW
enable password OJ8dCoj./wPQlGzN encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd OJ8dCoj./wPQlGzN encrypted
names
ip local pool VPN_Pool x.x.x.x x.x.x.x
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
ip address x.x.x.x x.x.x.x
!
ftp mode passive

access-list outside-in remark - SSH
access-list outside-in remark OpenTable
access-list outside-in extended permit object-group OpenTable object-group OpenTable-Trusted object Opentable-HSF-Int
access-list outside-in remark Pegasus
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Haot-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Nativo-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Lodge-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Chimayo-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object HSF-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Encanto-Pegasus-Int
access-list outside-in extended permit object-group Pegasus-Ports object-group Pegasus-Trusted object Opentable-HSF-Int
access-list outside-in remark Guest Wireless Management External
access-list outside-in extended permit object-group Guest-Management any object Haot-CTRL-Mgmt-Int
access-list outside-in extended permit object-group Guest-Management any object Nativo-CTRL-Mgmt-Int
access-list outside-in extended permit object-group Guest-Management any object Lodge-CTRL-Mgmt-Int
access-list outside-in extended permit object-group Guest-Management any object Chimayo-CTRL-Mgmt-Int
access-list outside-in extended permit object-group Guest-Management any object HSF-CTRL-Mgmt-Int
access-list outside-in extended permit object-group Guest-Management any object Encanto-CTRL-Mgmt-Int
access-list outside-in remark Allow ICMP
access-list outside-in remark Security Cameras 97
access-list outside-in extended permit object Camera-5549 any object Haot-Cam-Int-97
access-list outside-in remark Security Cameras 98
access-list outside-in extended permit object Camera-5550 any object Haot-Cam-Int-98
access-list outside-in remark Security Cameras 99
access-list outside-in extended permit object Camera-5551 any object Haot-Cam-Int-99
access-list outside-in remark Security Cameras 90
access-list outside-in extended permit object Camera-5550 any object Encanto-Cam-Int-90
access-list outside-in remark Security Cameras 91
access-list outside-in extended permit object Camera-5551 any object Encanto-Cam-Int-91
access-list outside-in extended permit object-group Autoclerk-Ports object-group Autoclerk-Trusted object ACServer-HSF-Int
access-list outside-in extended permit object-group Autoclerk-Ports object-group Autoclerk-Trusted object ACServer-NL-Int
access-list outside-in extended permit object-group Autoclerk-Ports object-group Autoclerk-Trusted object ACServer-LSF-Int
access-list outside-in extended permit object-group Autoclerk-Ports object-group Autoclerk-Trusted object ACServer-HCO-Int
access-list outside-in extended permit object-group Autoclerk-Ports object-group Autoclerk-Trusted object ACServer-PDM-Int
access-list outside_in extended permit object SSH any object Haot-Ext
access-list outside_in extended permit object SSH any object Nativo-Ext
access-list outside_in extended permit object SSH any object Lodge-Ext
access-list outside_in extended permit object SSH any object Chimayo-Ext
access-list outside_in extended permit object SSH any object HSF-Ext
access-list outside_in extended permit object SSH any object Encanto-Ext
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any source-quench
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit object SSH any object Haot-Int
access-list outside_in extended permit object SSH any object Nativo-Int
access-list outside_in extended permit object SSH any object Lodge-Int
access-list outside_in extended permit object SSH any object Chimayo-Int
access-list outside_in extended permit object SSH any object HSF-Int
access-list outside_in extended permit object SSH any object Encanto-Int
access-list inside_access_in extended deny udp any any object-group BitTorrent-UDP-Ports
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Haot-Int
nat (inside,outside) static Haot-Ext
object network Nativo-Int
nat (inside,outside) static Nativo-Ext
object network Lodge-Int
nat (inside,outside) static Lodge-Ext
object network Chimayo-Int
nat (inside,outside) static Chimayo-Ext
object network HSF-Int
nat (inside,outside) static HSF-Ext
object network Encanto-Int
nat (inside,outside) static Encanto-Ext
object network Haot-Pegasus-Int
nat (inside,outside) static Haot-Pegasus-Ext
object network Nativo-Pegasus-Int
nat (inside,outside) static Nativo-Pegasus-Ext
object network Lodge-Pegasus-Int
nat (inside,outside) static Lodge-Pegasus-Ext
object network Chimayo-Pegasus-Int
nat (inside,outside) static Chimayo-Pegasus-Ext
object network HSF-Pegasus-Int
nat (inside,outside) static HSF-Pegasus-Ext
object network Encanto-Pegasus-Int
nat (inside,outside) static Encanto-Pegasus-Ext
object network Opentable-HSF-Int
nat (inside,outside) static Opentable-HSF-Ext
object network Encanto-Cam-Int
nat (inside,outside) static Encanto-Cam-Ext
object network Haot-CTRL-Mgmt-Int
nat (inside,outside) static Haot-CTRL-Mgmt-Ext
object network Nativo-CTRL-Mgmt-Int
nat (inside,outside) static Nativo-CTRL-Mgmt-Ext
object network Lodge-CTRL-Mgmt-Int
nat (inside,outside) static Lodge-CTRL-Mgmt-Ext
object network Chimayo-CTRL-Mgmt-Int
nat (inside,outside) static Chimayo-CTRL-Mgmt-Ext
object network HSF-CTRL-Mgmt-Int
nat (inside,outside) static HSF-CTRL-Mgmt-Ext
object network Encanto-CTRL-Mgmt-Int
nat (inside,outside) static Encanto-CTRL-Mgmt-Ext
object network Haot-Cam-Int-97
nat (inside,outside) static Haot-Cam-Ext-97
object network Haot-Cam-Int-98
nat (inside,outside) static Haot-Cam-Ext-98
object network Haot-Cam-Int-99
nat (inside,outside) static Haot-Cam-Ext-99
object network Encanto-Cam-Int-90
nat (inside,outside) static Encanto-Cam-Ext-90
object network Encanto-Cam-Int-91
nat (inside,outside) static Encanto-Cam-Ext-91
object network ACServer-HSF-Int
nat (inside,outside) static ACServer-HCO-Ext
object network ACServer-PDM-Int
nat (inside,outside) static ACServer-PDM-Ext
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside-in in interface outside
!
router eigrp 100
network x.x.x.x x.x.x.x
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http x.x.x.x x.x.x.x management
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
telnet timeout 5
ssh x.x.x.x x.x.x.x outside
ssh x.x.x.x x.x.x.x inside
ssh timeout 2
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes128-sha1

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 13
subscribe-to-alert-group configuration periodic monthly 13
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:dfd8dd9ed3d1a5f311b41ae6a779880b
: end

======================================================================================

I only removed IP addresses and all of the objects (bunch of public IP's).