3314 Views, 0 Helpful, 10 Replies
ASA5510 different throughput between LAN and DMZ

arani
Level 1

Hi all

The issue was about Cisco ASA5510 Sec Plus.

2 Interfaces, LAN and DMZ.

Both 1000 FD, no interface errors like CRC or something similar.

If I start a data transfer (like FTP) or a data stream test (like Netperf) from DMZ to INSIDE, I get a certain throughput.

If I start the same from INSIDE to DMZ (same hosts), I get a throughput almost ten times slower.

If I do the same using netperf in UDP (not TCP), I get the same in both directions.

Some idea?

Kind regards

10 Replies

fgasimzade
Level 4

It could be an inspection configured. Deep inspection of the packet may affect the throughput.

What is different for traffic coming from LAN when compared to DMZ?

Also check the speed setting, whether they are hardset or if the negotiation is auto.

How are you testing this? Have you tested this by directly connecting the same PC on the inside and DMZ interface, or are you testing it through a switch? If you are testing it through a switch, please connect the PC directly and test.

And if possible, try downloading an actual file and see if you notice a considerable fall in throughput.

Dear Jitendriya

Tomorrow morning I will do some test as you suggest.

For now I'm sure that the same behavior happens with auto negotiation and hardset (both end of course).

Kind regards

Dear Jitendriya

The situation is

ASA INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)

ASA DMZ 1000 Full (hardset) - Switch 1000 full (hardset)

SERVER INSIDE 1000 Full (hardset) - Switch 1000 full (hardset)

SERVER DMZ 1000 Full (hardset) - Switch 1000 full (hardset)

Copying a 4GB file from Server IN to Server DMZ -> 140Mbps

Copying the same 4GB file from Server DMZ to Server IN -> 250 Mbps (near max firewall throughput)

The firewall is ASA5510 Sec Plus. No deep inspection.

Very strange behavior.

Kind regards.


Hi,

How are we measuring the speeds here, that is, what kind of tool are you using to measure the speed? Try using iperf and see what kind of transfer speeds it gives.

Also, please post the outputs of show run access-group and show access-list | in element.

If possible, please do attach a sanitized version of your configuration as well.

Regards,

Prapanch

Hi

Thank you, for your support.

Speed tests are executed with iperf.

show run access-group

access-group DADMZ in interface DMZ

access-group DADENTRO in interface INSIDE

access-group DAFUORI in interface OUTSIDE

show access-list | in element

access-list VPN-1; 2 elements; name hash: 0x3662a209

access-list VPN-2; 2 elements; name hash: 0xdcbb3938

access-list VPN-3; 2 elements; name hash: 0x6bd5556

access-list VPN-4; 2 elements; name hash: 0x458a2146

access-list VPN-5; 1 elements; name hash: 0x30802566

access-list NONAT; 7 elements; name hash: 0xf0d9f49a

access-list NONATDMZ; 7 elements; name hash: 0x673e7487

access-list DADENTRO; 4 elements; name hash: 0x8a9004b0

access-list DADMZ; 79 elements; name hash: 0x908eeb50

access-list DAFUORI; 19 elements; name hash: 0x50e21dc4

access-list SPLIT-VPN-IPSEC; 2 elements; name hash: 0x98c75619

access-list SPLIT-VPN-SSL; 2 elements; name hash: 0x9c15e7a6

kind regards
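The request above for `show run access-group` and `show access-list | in element` is about checking which ACL each interface evaluates and how large it is. The following is an added example, not code from the thread or from Cisco: it parses the two outputs as posted, binds each ACL to its interface, and reports the element count per interface plus the ACLs not bound to any interface (those are typically referenced by NAT exemption or crypto maps rather than unused). The sample input is the output posted above, embedded as a constructed string. Note that, in the posted data, the faster direction (DMZ to INSIDE) is the one evaluated against the larger ACL, so element counts alone do not explain the asymmetry.

```python
"""Summarise Cisco ASA ACL bindings from two show-command outputs.

Added example (not from the thread). Input is the output posted in the
thread, embedded here as constructed sample text.
"""
import re

# Constructed sample: `show run access-group` as posted in the thread.
ACCESS_GROUP_OUTPUT = """\
access-group DADMZ in interface DMZ
access-group DADENTRO in interface INSIDE
access-group DAFUORI in interface OUTSIDE
"""

# Constructed sample: `show access-list | in element` as posted in the thread.
ACCESS_LIST_SUMMARY_OUTPUT = """\
access-list VPN-1; 2 elements; name hash: 0x3662a209
access-list VPN-2; 2 elements; name hash: 0xdcbb3938
access-list VPN-3; 2 elements; name hash: 0x6bd5556
access-list VPN-4; 2 elements; name hash: 0x458a2146
access-list VPN-5; 1 elements; name hash: 0x30802566
access-list NONAT; 7 elements; name hash: 0xf0d9f49a
access-list NONATDMZ; 7 elements; name hash: 0x673e7487
access-list DADENTRO; 4 elements; name hash: 0x8a9004b0
access-list DADMZ; 79 elements; name hash: 0x908eeb50
access-list DAFUORI; 19 elements; name hash: 0x50e21dc4
access-list SPLIT-VPN-IPSEC; 2 elements; name hash: 0x98c75619
access-list SPLIT-VPN-SSL; 2 elements; name hash: 0x9c15e7a6
"""

# "access-group <acl> in|out interface <ifname>"
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")
# "access-list <acl>; <n> element(s); ..." (ASA prints "1 elements" for a single entry)
ELEMENT_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements?;")


def parse_access_groups(text):
    """Return a list of (acl_name, direction, interface) bindings."""
    bindings = []
    for line in text.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return bindings


def parse_element_counts(text):
    """Return {acl_name: element_count} from the `| in element` summary lines."""
    counts = {}
    for line in text.splitlines():
        m = ELEMENT_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def acl_elements_per_interface(group_text, summary_text):
    """Return {interface: (acl_name, direction, element_count)}.

    An ACL bound to an interface but absent from the summary gets count 0,
    so a typo in an access-group statement is still visible in the report.
    """
    counts = parse_element_counts(summary_text)
    report = {}
    for acl, direction, ifname in parse_access_groups(group_text):
        report[ifname] = (acl, direction, counts.get(acl, 0))
    return report


def unbound_acls(group_text, summary_text):
    """Return the sorted names of ACLs that no access-group references."""
    bound = {acl for acl, _, _ in parse_access_groups(group_text)}
    return sorted(name for name in parse_element_counts(summary_text) if name not in bound)


if __name__ == "__main__":
    per_if = acl_elements_per_interface(ACCESS_GROUP_OUTPUT, ACCESS_LIST_SUMMARY_OUTPUT)
    for ifname, (acl, direction, n) in sorted(per_if.items()):
        print(f"{ifname:8} {direction:3} {acl:10} {n:4} elements")
    print("not bound to an interface:", ", ".join(unbound_acls(ACCESS_GROUP_OUTPUT, ACCESS_LIST_SUMMARY_OUTPUT)))
```

Run it as-is to see the three interface bindings; to use it on another box, paste the two command outputs into the module-level strings. Traffic entering from the DMZ is matched against DADMZ (79 elements), traffic entering from INSIDE against DADENTRO (4 elements), which is the comparison the poster was after.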

Hi,

Is it possible to bypass the 2 switches in your topology and connect 2 hosts directly to the inside and DMZ interfaces of the ASA to measure the speeds then? Just trying to localize the problem here.

Regards,

Prapanch

Dear Prapanch Ramamoorthy

I think this is the last point to investigate.

We will try to do this during the weekend.

I'll contact you again asap.

Thank you for your support.

Dear fgasimzade

No deep inspection is configured.

Thank you.

Kind regards

I am having a similar problem between the LAN and DMZ on our ASA 5520. Was this problem ever resolved? If so, what was the solution?
