The issue was about Cisco ASA5510 Sec Plus.
2 Interfaces, LAN and DMZ.
Both 1000 FD, no interface errors like CRC or something similar.
If I start a data transfer (like FTP) or a data stream test (like Netperf) from DMZ to INSIDE, I get a throughput.
If I start the same from INSIDE to DMZ (same hosts), I get a throughput almost ten times slower.
If I do the same using netperf in UDP (not TCP), I get the same in both directions.
What is different for traffic coming from LAN when compared to DMZ?
Also check the speed settings, whether they are hardset or if the negotiation is auto.
How are you testing this? Have you tested this by directly connecting the same PC on the inside and DMZ interfaces, or are you testing it through a switch? If you are testing it through a switch, please connect the PC directly and test.
And if possible, try downloading an actual file and see if you notice a considerable fall in throughput.
Tomorrow morning I will do some tests as you suggest.
For now I'm sure that the same behavior happens with auto negotiation and hardset (both ends, of course).
The situation is:
ASA INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)
ASA DMZ 1000 Full (hardset) - Switch 1000 full (hardset)
SERVER INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)
SERVER DMZ 1000 Full (hardset) - Switch 1000 full (hardset)
Copying a 4GB file from Server IN to Server DMZ -> 140Mbps
Copying the same 4GB file from Server DMZ to Server IN -> 250 Mbps (near max firewall throughput)
The firewall is ASA5510 Sec Plus. No deep inspection.
Very strange behavior.
How are we measuring the speeds here, that is, what kind of tool are you using to measure the speed? Try using iperf and see what kind of transfer speeds it gives.
Also, please post the outputs of show run access-group and show access-list | in element.
If possible, please do attach a sanitized version of your configuration as well.
Thank you for your support.
Speed tests are executed with iperf.
show run access-group
access-group DADMZ in interface DMZ
access-group DADENTRO in interface INSIDE
access-group DAFUORI in interface OUTSIDE
show access-list | in element
access-list VPN-1; 2 elements; name hash: 0x3662a209
access-list VPN-2; 2 elements; name hash: 0xdcbb3938
access-list VPN-3; 2 elements; name hash: 0x6bd5556
access-list VPN-4; 2 elements; name hash: 0x458a2146
access-list VPN-5; 1 elements; name hash: 0x30802566
access-list NONAT; 7 elements; name hash: 0xf0d9f49a
access-list NONATDMZ; 7 elements; name hash: 0x673e7487
access-list DADENTRO; 4 elements; name hash: 0x8a9004b0
access-list DADMZ; 79 elements; name hash: 0x908eeb50
access-list DAFUORI; 19 elements; name hash: 0x50e21dc4
access-list SPLIT-VPN-IPSEC; 2 elements; name hash: 0x98c75619
access-list SPLIT-VPN-SSL; 2 elements; name hash: 0x9c15e7a6
Is it possible to bypass the 2 switches in your topology and connect 2 hosts directly to the inside and DMZ interfaces of the ASA to measure the speeds then? Just trying to localize the problem here.
Dear Prapanch Ramamoorthy
I think this is the last point to investigate.
We will try to do this during the weekend.
I'll contact you again ASAP.
Thank you for your support.