I am running a pair of 6509's with 720 Supervisors and a pair of FWSM's in Active/Standby
In the last two weeks we have been unable to download successfully any files from the internet larger than about 5Mb
Web browsing is fine.
If I connect my laptop outside of the FWSM downloads work fine.
This is not affecting normal service and we are hosting many servers behind the FWSM without an issue.
But these servers are unable to download updates from the internet.
If we point to a proxy (Websense) which sits outside of the FWSM downloads work fine.
I have failed over the firewalls and rebooted both without any progress.
I have also tried the sysopt np completion-unit command without any success.
If I run a packet capture I am seeing a lot of out of order packets and TCP retransmissions, but this is also the same for a capture outside of the FWSM
I have a call running with TAC but just wondered if anyone has seen this kind of issue before, as it is becoming very difficult to poinpoint the cause.
I had this issue once on a 2800 router acting as their firewall. The firewall is having trouble dealing with an excessive amount of fragmented packets. We tried upgrading, but it did not help. ISP said it was not on their side, but eventually the customer saw their truck down at the corner working on something, after that there were no more fragmented packets and no more downloading issues. So I would have a call with your ISP as well, unless you can download large files internally.
It is not an ISP issue, if I connect my laptop outside the FWSM or dirty to the ISP - downloads work fine.
It is only when we go inside the FWSM that they go so slow as they never complete.
Thanks for the reply, but I don't think it is an ISP issue.
Yes, but you stated that the packet capture outside the FWSM module also had the out of order packets and re-transmissions. You could possibly resolve the issue by changing something on the FWSM, but I think the root of you problem would not be solved.
I don't know of any commands that will help with fragmentation on the ASA so I won't be much help there.
It is an interesting issue, the download suceeds outside the FWSM - I have contacted the ISP and they just say the link has been up for 36 weeks.
Not much help really
Yeah they won't be, it was the same issue with me even when I provided them packet captures of my laptop directly connected to the modem with the out of order packets. I agree it is definitely something in the FWSM that is killing the download. When I had my laptop connected to the modem large downloads completed fine, but I was not being firewalled and windows was able to handle the fragmentation.
If TAC comes back with a command to help the issue I would be interested in knowing it.
have you resolved the issue yet ?
Are you running any url-server (websense etch..) in your setup ?
if so, are you able to download on different port than 80/443 ?