ASA FTP speed problem
07-22-2010 05:28 AM - edited 03-11-2019 11:14 AM
Hi
I have a problem with FTP speed to a server behind the ASA.
I found out that this issue occurs in all our locations (wherever we have an ASA and some FTP server behind it).
I have created a small lab (only two hosts connected and no unnecessary configuration):
inside network (client PC) ------ASA 5505 8.2(1)------- DMZ network (ftp server)
When I'm trying to download some files from the DMZ ftp server I have never had a speed higher than 4 MBytes/s.
When I'm opening 2 sessions, the speed decreases to about 2 MB/s.
At the same time, when I'm trying to access the ftp server via SMB I can download files 3 times faster (about 12 MB/s), so almost the maximum FastEthernet speed.
When I moved the server to the inside network (both the client PC and the ftp server were in the same network) I could download files using the ftp service at the same speed as using SMB.
ASA config:
interface Vlan1
nameif dmz
security-level 100
ip address 10.0.19.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/2
switchport access vlan 2
!
access-list dmz extended permit ip any any
access-list outside extended permit ip any any
!
access-group dmz in interface dmz
access-group outside in interface outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
The rest of the configuration is default.
I have tested this on an ASA5520 as well and it looks the same.
Now this is a big problem for us, because we have a separate link to assure maximum speed for our clients, but it looks like the ASAs restrict the throughput.
Thanks in advance for your help.
I hope that we will not have to change the ASAs to other FWs ....
best
James
Labels: NGFW Firewalls

07-22-2010 06:02 AM
Could you please paste the output of show interface?
What I want to check is:
interface drops
duplex and speed settings (hard code on both sides if possible)
traffic statistics on this interface
Also I have a question here: what about non-FTP traffic, are you getting the expected speed from the dmz interface?
Also, when you say you get good speed when connected on inside, do you mean the inside interface of the firewall (just wanted to confirm, because I don't see any inside config in the config screenshot)?
07-22-2010 06:53 AM
All other protocols work at the maximum available speed. Only FTP is slow....
I have good speed using the FTP protocol when I move the ftp server to the same LAN as the client PC (sorry, but in the configuration I used the "outside" name instead of "inside").
It means changing the ftp server IP address from the 10.0.19.0/24 network to 10.10.10.0/24 and reconfiguring interface Eth0/0 to access vlan 2.
So it looks like some ASA process slows down the traffic. ACLs, routing ... ??
Below you can find the interface/traffic statistics:
DMZ:
ciscoasa# sh int et 0/2
ciscoasa# sh int et 0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address c47d.4f89.2129, MTU not set
IP address unassigned
424860 packets input, 459035841 bytes, 0 no buffer
Received 72 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
212173 packets output, 13579115 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Inside:
ciscoasa# sh int et 0/2
Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address c47d.4f89.212b, MTU not set
IP address unassigned
677532 packets input, 44516824 bytes, 0 no buffer
Received 58 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
1329221 packets output, 1522574031 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
received (in 308.570 secs):
424860 packets 459035841 bytes
1376 pkts/sec 1487623 bytes/sec
transmitted (in 308.570 secs):
212173 packets 13579115 bytes
687 pkts/sec 44006 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1416 pkts/sec, 1530103 bytes/sec
5 minute output rate 707 pkts/sec, 45263 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 6494.160 secs):
677532 packets 44516824 bytes
104 pkts/sec 6193 bytes/sec
transmitted (in 6494.160 secs):
1329221 packets 1522574031 bytes
204 pkts/sec 234452 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1041 pkts/sec, 66667 bytes/sec
5 minute output rate 2082 pkts/sec, 2253325 bytes/sec
5 minute drop rate, 0 pkts/sec
I appreciate your help.
best
James
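A small parser for the `show interface` output posted above, checking the three things the reply asks for (drop/error counters, duplex and speed negotiation, traffic counters). This is an added Python example, not code from the thread; the first sample is the Ethernet0/2 output above with the MAC/IP lines omitted, the second is a constructed half-duplex variant to show what a mismatch would be flagged as.

```python
import re
# Ethernet0/2 output as posted in the thread (MAC/IP lines omitted).
SAMPLE_OK = """Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
677532 packets input, 44516824 bytes, 0 no buffer
Received 58 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1329221 packets output, 1522574031 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
"""
# Constructed variant: the counters a duplex mismatch typically drives up.
SAMPLE_BAD = (SAMPLE_OK.replace("(Full-duplex)", "(Half-duplex)")
              .replace("0 CRC", "37 CRC").replace("0 late collisions", "512 late collisions"))
BAD_WORDS = ("drop", "error", "crc", "collision", "runt", "giant", "overrun",
             "underrun", "ignored", "abort", "no buffer", "frame", "reset", "deferred")

def parse_show_interface(text):
    """Return interface name, negotiated duplex/speed and every numeric counter."""
    name = re.search(r"Interface (\S+) ", text).group(1)
    neg = re.search(r"(Auto-Duplex|Half-duplex|Full-duplex)(?:\(([\w-]+)\))?, "
                    r"(Auto-Speed|\d+ Mbps)(?:\((\d+ Mbps)\))?", text)
    info = {"name": name, "counters": {},
            "auto_negotiated": "Auto" in neg.group(1) or "Auto" in neg.group(3),
            # value in parentheses is the negotiated result; without it the setting is hard-coded
            "duplex": neg.group(2) or (None if "Auto" in neg.group(1) else neg.group(1)),
            "speed": neg.group(4) or (None if "Auto" in neg.group(3) else neg.group(3))}
    direction = "input"
    for piece in re.split(r",|\n", text):           # one "<count> <name>" per piece
        m = re.match(r"(?:Received )?(\d+) ([A-Za-z0-9 ]+)$", piece.strip())
        if m:
            cname = m.group(2)
            if cname.startswith("packets "):        # "packets input" / "packets output"
                direction = cname.split()[1]
            if cname == "bytes":                    # qualify the byte count that follows
                cname += " " + direction
            info["counters"][cname] = int(m.group(1))
    return info

def find_problems(info):
    """Non-zero error/drop counters plus the negotiation checks the reply asked for."""
    problems = [f"{k}={v}" for k, v in info["counters"].items()
                if v and any(w in k.lower() for w in BAD_WORDS)]
    if info["duplex"] == "Half-duplex":
        problems.append("half-duplex link: check for a duplex mismatch")
    if info["auto_negotiated"]:
        problems.append("speed/duplex auto-negotiated: hard-code both ends to rule it out")
    return problems
```

On the posted output every error and drop counter is zero and the link negotiated full duplex at 100 Mbps, so the only thing the check reports is that speed and duplex were auto-negotiated rather than hard-coded.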

07-22-2010 08:30 AM
Can you please paste the entire config so that we can take a look at the inspection, NAT rules, ACLs etc.?
By the way, what FTP are you using, passive or active?
Also, one thing you can try: from the dmz interface, would it be possible for you to plug the PC directly into the ASA and test the FTP speed?
07-25-2010 11:36 PM
Here you are:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif dmz
security-level 100
ip address 10.0.19.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list dmz extended permit ip any any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group dmz in interface dmz
access-group outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access dmz
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:007dd63f4f6a351df76ab4de0ce73425
: end
I tested it using both passive and active modes. The speed was the same.
I have both devices (the client PC and the server) directly connected to the ASA. No switches in between.
best
James

07-26-2010 12:05 AM
Please try the following:
remove ftp inspect
and try the passive client, as this does not require inspection,
because the only inspection I see is ftp, so I just want to verify that this inspection is not the issue.
07-26-2010 01:34 AM
I did all of that and the speed is still the same.
best
James

07-26-2010 05:11 AM
Can you collect some captures on both the inside and dmz for the two-way FTP traffic?
Also, can you paste the output of the following:
clear service-policy
clear asp drops
show service-policy
show asp drops
after you try to access the server?
07-26-2010 11:55 PM
Hi
I've attached two files with the captures, and here are the show service-policy and asp drop outputs after accessing the ftp server:
ciscoasa# sh service-policy
Global policy:
Service-policy: global_policy
ciscoasa# sh asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 9
Last clearing: 21:40:30 UTC Jul 26 2010 by enable_15
Flow drop:
Last clearing: 21:40:30 UTC Jul 26 2010 by enable_15
regards
James
11-13-2011 01:38 PM
Hi There,
We are also having the same problem.
Just wanted to ask if this has been resolved and how?
Best,
Deniz
11-14-2011 05:13 AM
Hi
We've resolved this problem. We had to change the settings on the client from Active to Passive, or from Passive to Active. I don't remember right now which one is working fine.
best
Tomasz Mówiński
Network Specialist
tomasz.mowinski@chellozone.com
