ASA 5580 interface's performance problem

gasparmenendez · ‎05-04-2017

Hi friends,

my ASA 5580 is having a performance problem in one of its interfaces. I have configured 3 interfaces (CMTS, CARIERS and INSIDE_Prueba) in the LAN side and 1 for outside (OUTSIDE). The problem is that all PC's connected to the CARRIERS interface are surfing the web a little bit slow, but the biggest problem I have is that when I try to run a speedtest in www.speedtest.net it never completes, the page keeps "looking for optimal server" and never run the test.

by the other hand, when I connect the same PC to another interface (CMTS or INSIDE_Prueba) all is fine.

Can anybody helpme please??

Thanks in advance.

BR.

Ajay Saini · ‎05-04-2017

Could you please attach following outputs:

show interface ex/y

show block

also, please clarify what device is connected to the CARIERS interface.

Is the gateway for machines the ASA or some other device?

Try to ping the interface CARIERS from a connected PC and attach the output of about 10 pings.

Regards,

AJ

gasparmenendez · ‎05-04-2017

hi AJ! here's what you're asking:

ASA5580# sh interface GigabitEthernet3/2
Interface GigabitEthernet3/2 "CARRIERS", is up, line protocol is up
Hardware is i82571EB 4CU rev06, BW 1000 Mbps, DLY 10 usec
   Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
   Input flow control is unsupported, output flow control is off
   MAC address 0015.17db.9abe, MTU 1500
   IP address 10.227.224.3, subnet mask 255.255.252.0
   193386005 packets input, 29202914529 bytes, 0 no buffer
   Received 1168230 broadcasts, 0 runts, 0 giants
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
   0 pause input, 0 resume input
   142 L2 decode drops
   269551578 packets output, 339050572308 bytes, 1487 underruns
   0 pause output, 0 resume output
   0 output errors, 0 collisions, 5 interface resets
   0 late collisions, 0 deferred
   0 input reset drops, 0 output reset drops
   input queue (blocks free curr/low): hardware (246/145)
   output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "CARRIERS":
   193377790 packets input, 25400344675 bytes
   269553065 packets output, 334153862998 bytes
   884989 packets dropped
      1 minute input rate 1395 pkts/sec, 189987 bytes/sec
      1 minute output rate 2048 pkts/sec, 2395591 bytes/sec
      1 minute drop rate, 7 pkts/sec
      5 minute input rate 1879 pkts/sec, 207250 bytes/sec
      5 minute output rate 2618 pkts/sec, 3116383 bytes/sec
      5 minute drop rate, 9 pkts/sec

ASA5580# sh blo
ASA5580# sh blocks
SIZE    MAX    LOW    CNT
     0   2700   2564   2700
     4   1700   1700   1700
    80   9000   8910   8999
   256   8192   8114   8187
1550 30000 29659 29981
2048   8100   8099   8100
2560   8192   8191   8192
4096    100     99    100
8192    100     99    100
16384    400    400    400
65536     16     16     16
ASA5580#

connected to that interface is a whole network, but always at the far end is a 1841 Cisco Router and then PC (or PC's)

for all 1841's the gateway is ASA's interface (10.227.224.3)

here's ping's output from my Lap (behind 1841):

gaspar@gaspar-Lenovo-ideapad-310-15ISK ~ $ ping 10.227.224.3
PING 10.227.224.3 (10.227.224.3) 56(84) bytes of data.
64 bytes from 10.227.224.3: icmp_seq=2 ttl=254 time=0.533 ms
64 bytes from 10.227.224.3: icmp_seq=3 ttl=254 time=0.702 ms
64 bytes from 10.227.224.3: icmp_seq=4 ttl=254 time=0.846 ms
64 bytes from 10.227.224.3: icmp_seq=5 ttl=254 time=0.857 ms
64 bytes from 10.227.224.3: icmp_seq=6 ttl=254 time=0.664 ms
64 bytes from 10.227.224.3: icmp_seq=7 ttl=254 time=0.673 ms
64 bytes from 10.227.224.3: icmp_seq=8 ttl=254 time=0.824 ms
64 bytes from 10.227.224.3: icmp_seq=9 ttl=254 time=0.697 ms
64 bytes from 10.227.224.3: icmp_seq=10 ttl=254 time=0.691 ms
64 bytes from 10.227.224.3: icmp_seq=11 ttl=254 time=0.697 ms
64 bytes from 10.227.224.3: icmp_seq=12 ttl=254 time=0.702 ms
64 bytes from 10.227.224.3: icmp_seq=13 ttl=254 time=0.624 ms
64 bytes from 10.227.224.3: icmp_seq=14 ttl=254 time=0.714 ms
64 bytes from 10.227.224.3: icmp_seq=15 ttl=254 time=0.908 ms
64 bytes from 10.227.224.3: icmp_seq=16 ttl=254 time=0.632 ms
64 bytes from 10.227.224.3: icmp_seq=17 ttl=254 time=0.831 ms
64 bytes from 10.227.224.3: icmp_seq=18 ttl=254 time=0.671 ms
64 bytes from 10.227.224.3: icmp_seq=19 ttl=254 time=0.748 ms
64 bytes from 10.227.224.3: icmp_seq=20 ttl=254 time=0.720 ms
64 bytes from 10.227.224.3: icmp_seq=21 ttl=254 time=0.665 ms
^C
--- 10.227.224.3 ping statistics ---
21 packets transmitted, 20 received, 4% packet loss, time 20410ms
rtt min/avg/max/mdev = 0.533/0.719/0.908/0.096 ms

Ajay Saini · ‎05-05-2017

Nothing major seen in these outputs, only couple of underruns and free blocks under output queue as zero low.

269551578 packets output, 339050572308 bytes, 1487 underruns
   0 pause output, 0 resume output
   0 output errors, 0 collisions, 5 interface resets
   0 late collisions, 0 deferred
   0 input reset drops, 0 output reset drops
   input queue (blocks free curr/low): hardware (246/145)
   output queue (blocks free curr/low): hardware (255/0)

Is the issue happening consistently or happens sometimes. There could be some unnecessary traffic that could be routed to that interface that might be causing latency like a routing loop etc.

If you take a look at syslogs when the issue is happening, we could get some idea.

One thing we can do to rule out ASA is to connect a machine directly to that interface, bypassing the router and see if that helps.

-AJ

gasparmenendez · ‎05-05-2017

I'll try PC directly connected to ASA's interface and post results...

Thanks!!