ASA 5585-X -> Proxy Problems slow connections

Gustav Klein (Level 1)

Hi dear Community,

we have had massive problems with our surf speed for 2 weeks. I will try to describe our company setup as well as possible.

We have a Cisco ASA 5585-X as FW and use Cisco Cloud Web as our content filter. All users in our company must use the internal proxy servers to have a connection to the Internet.

User -> proxy (2 Linux VMs, failover/load balance) -> ASA.

Our setup is a bit outdated because we don't use our core switches for routing, so the ASA does that for us. Every single interface and all traffic go through our ASA.

When our business hours start the speed is OK, but after about 2 hours it is incredibly slow.

If I take the proxy out on my Windows client the connection is as fast as it should be; as soon as the proxy is enabled it is slow as hell. So I checked the load on both Linux proxy servers and they are fine; I even restarted both of them and still no change. I checked the load on the ASA and it has 65% memory free and the CPU is bored. After that I cleared all xlates to see if the problem might be there, but still no change.

Now the weird stuff starts. I checked the syslog on the ASA and came across the fact that the implicit rule "deny any to any" is in the top 10 hitting rules. It seems like all our clients try to connect with their private internal IP to the outside interface. After a while of checking the forums I came across a NAT problem maybe? But there were no changes at all to the NAT rules or anything.

(It seems like the clients try to connect with their private IP to the outside and after a couple of tries they use the proxy.)

[Images: Implicit Rule.png, syslog.JPG]

I hope I described our problem well enough to get some help, because I have no more clues what it could be.

Thank you all for your help.

Kind regards

Gustav
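The implicit-deny hits described in this post are easiest to make sense of when aggregated per client. The script below is an added example, not part of the original thread or of any Cisco tooling: it parses ASA 106023 deny messages (the sample lines are constructed; the interface names inside/outside and the ACL name are assumptions) and reports inside hosts that are repeatedly denied when going direct to web ports on the outside interface, which is exactly the proxy-bypass or proxy-fallback pattern the post suspects.

```python
import re
from collections import Counter, defaultdict

# Message layout follows the documented ASA 106023 deny syslog; the interface
# names "inside"/"outside" and the ACL name are assumptions for this example.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Ports a browser uses when it goes direct instead of through the proxy.
WEB_PORTS = {80, 443}

# Constructed sample syslog excerpt (not real data from the thread).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.10.5.21/51234 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.5.21/51235 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.5.21/51236 dst outside:203.0.113.11/80 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.7.40/49000 dst outside:198.51.100.7/80 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to dmz:10.10.20.5/40000 (192.0.2.1/40000)
%ASA-4-106023: Deny udp src inside:10.10.5.21/5353 dst outside:224.0.0.251/5353 by access-group "inside_access_in" [0x0, 0x0]
"""

def parse_denies(lines):
    """Return one dict per 106023 line; other message IDs are skipped."""
    out = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def proxy_bypass_report(lines, threshold=2):
    """Count, per inside host, denied direct web connections to the outside
    interface. Hosts at or above `threshold` are either not using the proxy
    or try direct first and fall back to it, as the original post suspects."""
    hits = Counter()
    ports = defaultdict(Counter)
    for d in parse_denies(lines):
        if d["src_if"] == "inside" and d["dst_if"] == "outside" and d["dport"] in WEB_PORTS:
            hits[d["src"]] += 1
            ports[d["src"]][d["dport"]] += 1
    return {h: {"hits": n, "ports": dict(ports[h])} for h, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for host, info in proxy_bypass_report(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['hits']} direct web attempts denied, ports {info['ports']}")
```

Feed it the ASA syslog export instead of SAMPLE_LOG; a host list that matches the proxy-configured clients points at client-side proxy fallback rather than at the ASA or NAT.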

3 Replies

Dennis Mink (VIP Alumni)

Using the FW as your router is definitely bad practice, but it's not too hard to shove an L3 switch into the path that can take that role away.

So the question is: why do your users hit the FW directly and not via the proxy? Is the proxy getting hit at all? Is there an issue with the PAC file (if used at all)?


Hey Dennis,

thank you for your reply. We already have 2 core switches which can do Layer 3. We have tried to set up routing, but we have the issue that we have 3 Hyper-V clusters and all VMs come through a trunk, so we can't separate the DMZ machines physically from the other interfaces. We had a "Cisco Exper..." here to help us with the routing matter; after 6 hours of changes he said nah, you can't do it this way.... But this is another case.

Yes, people are hitting the proxy. I'll check the PAC file straight away, thanks for the hint.

But all the syslog messages have the same failure reason; you can look at the image I provided.

Thank you

I checked our proxy and found out that we don't use PAC files to set up the proxy, but I did come across some issues with authentication from the browser. It seems that the Windows machines are trying to authenticate with NTLM and the proxy doesn't accept that.
I don't know if this is usual because I have never looked it up, so I can't tell.

But for me it seems that the browser cannot authenticate with the proxy in the first tries, but after a certain time it will pass.

So if there is no issue with the ASA we can close this case. Still curious about the ASA logs with the implicit rules!!!

Thank you for the help
