03-08-2016 07:27 AM - edited 03-12-2019 12:27 AM
Hello everyone,
Im facing problems with my internet connection, we have 100Mb/s but when we do some tests we just have 50mb/s, the ISP aready made some tests before the firewall and the speed is 100mb/s, so the my asa can be the problem.
Someone has an idea about this?.
Thanks!
03-08-2016 08:00 AM
Hi
Can you please share the output of
show run all
show run all | in df-bit
Check this link:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82444-fragmentation.html
Under "
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-09-2016 01:15 AM
Hi Dinesh,
I´m not quite sure if that the problem, I´m not using a VPN with my provider or maybe the slowness is caused by my VPNs?
here is the information:
#show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1300
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp lan
no sysopt noproxyarp wiredclientb
no sysopt noproxyarp wiredclienta
no sysopt noproxyarp voice1
no sysopt noproxyarp voice2
no sysopt noproxyarp mobile
no sysopt noproxyarp restri1
no sysopt noproxyarp restri2
no sysopt noproxyarp route
no sysopt noproxyarp wan
no sysopt noproxyarp outside
no sysopt noproxyarp man
no sysopt noproxyarp dmz-s
no sysopt noproxyarp dmz-w
no sysopt noproxyarp dmz-wm
no sysopt noproxyarp dmz-mg
# show run all | i df-bit
crypto ipsec df-bit copy-df lan
crypto ipsec df-bit copy-df wiredclientb
crypto ipsec df-bit copy-df wiredclienta
crypto ipsec df-bit copy-df voice1
crypto ipsec df-bit copy-df voice2
crypto ipsec df-bit copy-df mobile
crypto ipsec df-bit copy-df restri1
crypto ipsec df-bit copy-df restri2
crypto ipsec df-bit copy-df route
crypto ipsec df-bit copy-df wan
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df man
crypto ipsec df-bit copy-df dmz-s
crypto ipsec df-bit copy-df dmz-w
crypto ipsec df-bit copy-df dmz-wm
crypto ipsec df-bit copy-df dmz-mg
anyconnect ssl df-bit-ignore disable
Let me know what you think
Thanks
03-08-2016 08:04 AM
Hi,
Could you check the speed/duplex settings on the ASA's outside interface ?
Regards,
Aditya
Please rate helpful posts.
03-09-2016 01:16 AM
Hello,
For the outside interface I use a vlan
This is the physical interface gi0/0:
interface GigabitEthernet0/0
description outside
speed 1000
duplex full
no nameif
security-level 0
no ip address
Interface GigabitEthernet0/0 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
IP address unassigned
554019012 packets input, 542908648178 bytes, 0 no buffer
Received 364784 broadcasts, 0 runts, 0 giants
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
223861 L2 decode drops
414235553 packets output, 174547878158 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
The vlan that I use for the outside interface:
interface GigabitEthernet0/0.x
description outside
vlan x
nameif outside
security-level 0
ip address x.x.x.x z.z.z.z
Interface GigabitEthernet0/0.x "outside", is up, line protocol is up
Hardware is yyyyyy rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier x
Description: outside
MAC address f.f.f.f, MTU 1500
IP address x.x.x.x, subnet mask x.x.x.x
Traffic Statistics for "outside":
553175373 packets input, 529833230269 bytes
413731846 packets output, 164842026809 bytes
3534044 packets dropped
show interface | in error
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 4 interface resets
174190 input errors, 0 CRC, 0 frame, 174190 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 3 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
What do you think?
Thanks.
03-09-2016 10:34 AM
Hi,
I see a lot of overruns on the interfaces.
show interface | in error
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 4 interface resets
174190 input errors, 0 CRC, 0 frame, 174190 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 3 interface resets
What is the CPU usage of the
Any recent changes in the
What is the traffic rate like, do we see bursty traffic ?
Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behaviour similarly but deal with the transmit ring instead.
You can check this link:
https://supportforums.cisco.com/document/47506/asa-oversubscription-interface-errors-troubleshooting
Also would you please do a clear interface, clear traffic, wait 5 minutes and then do a show traffic, show Interface?
Regards,
Aditya
Please rate helpful posts.
03-10-2016 04:41 AM
Hello Aditya,
Thank you for the reply, this is the cpu usage right now:
CPU utilization for 5 seconds = 23%; 1 minute: 17%; 5 minutes: 16%
I saw the graphs since 1 year ago and the max was 45%
There was not any change with the network, the traffic is normal, not any bursty traffic.
In the graphics I see that the last year, since we have 100mb/s we were just using 20Mb/s, our provicer already make some test and before the firewall the link speed is 100mb/s
sad
Also, I have the ASA 5520 and the max throughput is 450 Mbps, what am I missing?
Thank you!
09-03-2020 04:41 AM
Hello! I encountering the same issue. please help..
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide