ASA5510 different throughput between LAN and DMZ

arani · ‎06-19-2011

Hi all

The issue was about Cisco ASA5510 Sec Plus.

2 Interfaces, LAN and DMZ.

Both 1000 FD, no interface errors like CRC or something similar.

If I start a data transfer (like FTP) or a data stream test (like Netperf), from DMZ to INSIDE I get a theoughput.

If I start the same from INSIDE to DMZ (same hosts), i get a troughput almost ten times slower.

If i do the same using netperf in UDP (not TCP) I get the same in both directions.

Some idea?

Kind regards

fgasimzade · ‎06-19-2011

It could be an inspection configured. Deep inspection of the packet may affect the throughput

Jitendriya Athavale · ‎06-19-2011

what is different for traffic soming from lan when compared to dmz

also check the speed setting if they are hardset or if the negotiation is auto

how are you testing this have you tested this by directly connecting the same PC on inside and dmz interface or r you testing it through switch, if you are testing it through switch please connect the PC directly and test

and if possible try downloading a actual file and see if you notice considerable fall in thorughput

arani · ‎06-19-2011

Dear Jitendriya

Tomorrow morning I will do some test as you suggest.

For now I'm sure that the same behavior happens with auto negotiation and hardset (both end of course).

Kind regards

arani · ‎06-20-2011

Dear Jitendriya

The situation is

ASA INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)

ASA DMZ 1000 Full (hardset) - Switch 1000 full (hardset)

SERVER INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)

SERVER DMZ 1000 Full (hardset) - Switch 1000 full (hardset)

Copying a 4GB file from Server IN to Server DMZ -> 140Mbps

Copying the same 4GB file from Server DMZ to Server IN -> 250 Mbps (near max firewall throughput)

The firewall is ASA5510 Sec Plus. No deep inspection.

Very strange behavior.

Kind regards.

praprama · ‎06-29-2011

Hi,

How are we measuring the speeds here, that is, what kind of tool are you using to measure the speed? Try using iperf and see what kind of transfer speeds it gives.

Also, please post the outputs of show run access-group and show access-list | in element.

If possible, please do attach a sanitized version of your configuration as well.

Regards,

Prapanch

arani · ‎07-06-2011

Hi

Thank you, for your support.

Speed tests are executed with iperf.

show run access-group

access-group DADMZ in interface DMZ

access-group DADENTRO in interface INSIDE

access-group DAFUORI in interface OUTSIDE

show access-list | in element

access-list VPN-1; 2 elements; name hash: 0x3662a209

access-list VPN-2; 2 elements; name hash: 0xdcbb3938

access-list VPN-3; 2 elements; name hash: 0x6bd5556

access-list VPN-4; 2 elements; name hash: 0x458a2146

access-list VPN-5; 1 elements; name hash: 0x30802566

access-list NONAT; 7 elements; name hash: 0xf0d9f49a

access-list NONATDMZ; 7 elements; name hash: 0x673e7487

access-list DADENTRO; 4 elements; name hash: 0x8a9004b0

access-list DADMZ; 79 elements; name hash: 0x908eeb50

access-list DAFUORI; 19 elements; name hash: 0x50e21dc4

access-list SPLIT-VPN-IPSEC; 2 elements; name hash: 0x98c75619

access-list SPLIT-VPN-SSL; 2 elements; name hash: 0x9c15e7a6

kind regards

praprama · ‎07-12-2011

Hi,

Is it possible to bypass the 2 switches in your topology and connect 2 hosts directly to the inisde and DMZ interfaces of the ASA to measure the speeds then? Just trying to localize the problem here.

Regards,

Prapanch

arani · ‎07-20-2011

Dear Prapanch Ramamoorthy

I think this is the last point to investigate.

We try to do this during the week end.

I'll contact you againg asap.

Thank you for your support.

arani · ‎06-19-2011

Dear fgasimzade

No deep inspection is configured.

Thank you.

Kind regards

kerry-davis · ‎01-14-2014

I am having a similar problem between the LAN and DMZ on our ASA 5520. Was this problem ever resolved? If so, what was the solution?