Hi,
we are deploying an ASA 5520 with 7.1(2)7 at the customer's site as a replacement for a PIX 525 with 6.3(4). There are some problems with a very slow response from a remote web proxy. Web pages download, but very slowly, after a minute or so compared to 5-10 secs with PIX. We tried to reconfigure various things on ASA (NAT/PAT, inspect, ...) but all in vain. Finally I noticed a quickly increasing count of dropped packets in "show int" statistics. I also came across "show counters" and "show asp drop" and there is evidence that ASA drops quite a large number of "non-compliant" TCP packets .... See the output:
asa-1# show asp drop
Frame drop:
Flow is denied by configured rule 201
First TCP packet not SYN 170
TCP Window scale on non-SYN 630
DNS Inspect id not matched 84
That ASP stands for "Accelerated Security Path" - a feature hardwired into ASA/PIX 7.x. I went through the config guide for ASA/PIX and there is no info on how to disable this feature. In the reference guide there is a lot of info on how to show various stats about this, how to capture dropped packets due to ASP (and they got really dropped as capture showed).
Please, does anybody know how to disable this feature or at least how to circumvent it? If there is no workaround for this, ASA/PIX 7.x is unusable in this way.
Thank you
Igor
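The post's diagnosis rests on the "show asp drop" counters growing quickly over time. The script below is an added example (not from the poster or from Cisco) that parses two snapshots of that output, computes the per-reason increase, and flags the TCP-normalizer reasons named in the post ("First TCP packet not SYN", "TCP Window scale on non-SYN") when they rise faster than a threshold. The two snapshots are constructed for the example, modelled on the counters quoted above; the second set of values is invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two "show asp drop" snapshots taken some time apart.
# The first mirrors the counters quoted in the post; the second is invented
# to show the counters climbing.
SNAPSHOT_T0 = """\
asa-1# show asp drop
Frame drop:
  Flow is denied by configured rule                       201
  First TCP packet not SYN                                170
  TCP Window scale on non-SYN                             630
  DNS Inspect id not matched                               84
"""

SNAPSHOT_T1 = """\
asa-1# show asp drop
Frame drop:
  Flow is denied by configured rule                       203
  First TCP packet not SYN                                412
  TCP Window scale on non-SYN                            1890
  DNS Inspect id not matched                               84
"""

# Drop reasons produced by the ASA TCP normalizer rather than by an ACL.
# A count that keeps rising while traffic "works but is slow" is consistent
# with endpoints retransmitting after the firewall discards their packets.
TCP_NORMALIZER_REASONS = {
    "First TCP packet not SYN",
    "TCP Window scale on non-SYN",
}

# One counter line: a free-text reason followed by a trailing integer.
LINE_RE = re.compile(r"^\s*(?P<reason>\S.*?\S)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Parse 'show asp drop' output into {reason: count}.

    The prompt line and section headers such as 'Frame drop:' are skipped;
    every other non-empty line is expected to end with a counter value.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.rstrip().endswith(":") or "#" in line:
            continue
        m = LINE_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def drop_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-reason increase between two snapshots (reasons new in 'after' count from 0)."""
    return {reason: after[reason] - before.get(reason, 0) for reason in after}


def rising_normalizer_drops(before: Dict[str, int], after: Dict[str, int],
                            threshold: int = 100) -> List[Tuple[str, int]]:
    """Return (reason, increase) for TCP-normalizer counters that grew by at
    least 'threshold' between the snapshots, largest increase first."""
    deltas = drop_deltas(before, after)
    hits = [(r, d) for r, d in deltas.items()
            if r in TCP_NORMALIZER_REASONS and d >= threshold]
    return sorted(hits, key=lambda rd: rd[1], reverse=True)


if __name__ == "__main__":
    t0 = parse_asp_drop(SNAPSHOT_T0)
    t1 = parse_asp_drop(SNAPSHOT_T1)
    for reason, inc in rising_normalizer_drops(t0, t1):
        print(f"{reason}: +{inc} since last snapshot")
```

In practice the two snapshots would come from running "show asp drop" twice on the device (or from "clear asp drop" followed by one run after a fixed interval); comparing deltas rather than absolute counts separates drops that are still happening from old ones accumulated since the last reload.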