04-28-2014 07:19 AM - edited 03-11-2019 09:07 PM
I am running a pair of 6509s with 720 Supervisors and a pair of FWSMs in Active/Standby.
In the last two weeks we have been unable to successfully download any files from the internet larger than about 5Mb.
Web browsing is fine.
If I connect my laptop outside of the FWSM downloads work fine.
This is not affecting normal service and we are hosting many servers behind the FWSM without an issue.
But these servers are unable to download updates from the internet.
If we point to a proxy (Websense) which sits outside of the FWSM downloads work fine.
I have failed over the firewalls and rebooted both without any progress.
I have also tried the sysopt np completion-unit command without any success.
If I run a packet capture I am seeing a lot of out-of-order packets and TCP retransmissions, but this is also the same for a capture outside of the FWSM.
I have a call running with TAC but just wondered if anyone has seen this kind of issue before, as it is becoming very difficult to pinpoint the cause.
04-28-2014 07:41 AM
I had this issue once on a 2800 router acting as their firewall. The firewall is having trouble dealing with an excessive amount of fragmented packets. We tried upgrading, but it did not help. ISP said it was not on their side, but eventually the customer saw their truck down at the corner working on something, after that there were no more fragmented packets and no more downloading issues. So I would have a call with your ISP as well, unless you can download large files internally.
04-28-2014 07:49 AM
It is not an ISP issue; if I connect my laptop outside the FWSM or dirty to the ISP, downloads work fine.
It is only when we go inside the FWSM that they go so slow that they never complete.
Thanks for the reply, but I don't think it is an ISP issue.
04-28-2014 07:57 AM
Yes, but you stated that the packet capture outside the FWSM module also had the out-of-order packets and retransmissions. You could possibly resolve the issue by changing something on the FWSM, but I think the root of your problem would not be solved.
I don't know of any commands that will help with fragmentation on the ASA so I won't be much help there.
04-28-2014 08:01 AM
It is an interesting issue; the download succeeds outside the FWSM. I have contacted the ISP and they just say the link has been up for 36 weeks.
Not much help really.
04-28-2014 08:07 AM
Yeah, they won't be; it was the same issue with me even when I provided them packet captures of my laptop directly connected to the modem with the out-of-order packets. I agree it is definitely something in the FWSM that is killing the download. When I had my laptop connected to the modem large downloads completed fine, but I was not being firewalled and Windows was able to handle the fragmentation.
If TAC comes back with a command to help the issue I would be interested in knowing it.
05-12-2014 02:17 AM
Have you resolved the issue yet?
Are you running any url-server (Websense etc.) in your setup?
If so, are you able to download on a different port than 80/443?
01-29-2019 03:40 PM
I have the same problem. How did you fix the problem?
FWSM Firewall Version 4.1(15)