Hi Dinesh,

I´m not quite sure if that the problem, I´m not using a VPN with my provider or maybe the slowness is caused by my VPNs?

here is the information:

#show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1300
sysopt connection tcpmss minimum 0
no sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp lan
no sysopt noproxyarp wiredclientb
no sysopt noproxyarp wiredclienta
no sysopt noproxyarp voice1
no sysopt noproxyarp voice2
no sysopt noproxyarp mobile
no sysopt noproxyarp restri1
no sysopt noproxyarp restri2
no sysopt noproxyarp route
no sysopt noproxyarp wan
no sysopt noproxyarp outside
no sysopt noproxyarp man
no sysopt noproxyarp dmz-s
no sysopt noproxyarp dmz-w
no sysopt noproxyarp dmz-wm
no sysopt noproxyarp dmz-mg

# show run all | i df-bit
crypto ipsec df-bit copy-df lan
crypto ipsec df-bit copy-df wiredclientb
crypto ipsec df-bit copy-df wiredclienta
crypto ipsec df-bit copy-df voice1
crypto ipsec df-bit copy-df voice2
crypto ipsec df-bit copy-df mobile
crypto ipsec df-bit copy-df restri1
crypto ipsec df-bit copy-df restri2
crypto ipsec df-bit copy-df route
crypto ipsec df-bit copy-df wan
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df man
crypto ipsec df-bit copy-df dmz-s
crypto ipsec df-bit copy-df dmz-w
crypto ipsec df-bit copy-df dmz-wm
crypto ipsec df-bit copy-df dmz-mg
anyconnect ssl df-bit-ignore disable

Let me know what you think

Thanks

Hello,

For the outside interface I use a vlan

This is the physical interface gi0/0:

interface GigabitEthernet0/0
description outside
speed 1000
duplex full
no nameif
security-level 0
no ip address

Interface GigabitEthernet0/0 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)

IP address unassigned
554019012 packets input, 542908648178 bytes, 0 no buffer
Received 364784 broadcasts, 0 runts, 0 giants
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
223861 L2 decode drops
414235553 packets output, 174547878158 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred

The vlan that I use for the outside interface:

interface GigabitEthernet0/0.x
description outside
vlan x
nameif outside
security-level 0
ip address x.x.x.x z.z.z.z 

Interface GigabitEthernet0/0.x "outside", is up, line protocol is up
Hardware is yyyyyy rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier x
Description: outside
MAC address f.f.f.f, MTU 1500
IP address x.x.x.x, subnet mask x.x.x.x
Traffic Statistics for "outside":
553175373 packets input, 529833230269 bytes
413731846 packets output, 164842026809 bytes
3534044 packets dropped

show interface | in error
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 4 interface resets
174190 input errors, 0 CRC, 0 frame, 174190 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 3 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

What do you think?

Thanks.

Hi,

I see a lot of overruns on the interfaces.

show interface | in error
8467 input errors, 0 CRC, 0 frame, 8467 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 4 interface resets
174190 input errors, 0 CRC, 0 frame, 174190 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 3 interface resets

What is the CPU usage of the ASA ?

Any recent changes in the network ?

What is the traffic rate like, do we see bursty traffic ?

Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behaviour similarly but deal with the transmit ring instead.

You can check this link:

https://supportforums.cisco.com/document/47506/asa-oversubscription-interface-errors-troubleshooting

Also would you please do a clear interface, clear traffic, wait 5 minutes and then do a show traffic, show Interface?

Regards,

Aditya

Please rate helpful posts.

Hello Aditya,

Thank you for the reply, this is the cpu usage right now:

CPU utilization for 5 seconds = 23%; 1 minute: 17%; 5 minutes: 16%

I saw the graphs since 1 year ago and the max was 45%

There was not any change with the network, the traffic is normal, not any bursty traffic.

In the graphics I see that the last year, since we have 100mb/s we were just using 20Mb/s, our provicer already make some test and before the firewall the link speed is 100mb/s

sad

Also, I have the ASA 5520 and the max throughput is 450 Mbps, what am I missing?

Thank you!

Hello! I encountering the same issue. please help..