Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

gp1200x
Level 2

I am having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.

I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads????  Anyone else seeing these problems?   If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.

I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using an inside and outside address for these tests, no other ports configured.

 

Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.

My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 

 

Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

6 Replies

gp1200x
Level 2

Issue resolved... the problem is the Netgear Gb switch. It appears to be degrading performance... replaced with a Cisco 3750X and problems disappeared!! This is not the first time I have had issues with Cisco ASA and other vendors' equipment. Similar problems with cable modems attached to Cisco ASA firewalls.

 

No errors recorded on any port on both devices!

Here is an interesting observation.

When I replaced the Netgear with a 3750X configured with QOS (one that I normally use on our network - but only slightly modified for this test)  I found that I was consistently getting 80-85 DOWN and 93-95 UP.  Never was able to reach 90-95 download.

 

I put in an older 3750G (no QOS and set up for permanent installation for this connection with no frills in the config on the switch) and I found that I consistently reached 93-95 BOTH DOWN AND UP. It seems my QOS settings on the 3750X test switch gave improved performance over the Netgear but the QOS seemed to cost me a performance hit even though there was no voice or video etc. Maybe just the QOS settings on the interfaces put a 10% hit on the data throughput. I don't know what else it would be since there are no interface or cable errors and the results are consistent every time I run the tests on the switches.

 

Thanks for all the help!  With the 3750G and a basic config on the interfaces I am getting the max performance that the ASA can deliver on 100FD interfaces.  

 

 

Hmm that is interesting but it is also possible that QoS can make things worse if not configured in optimal fashion. For instance, the 3750s have a very small buffer which is "sliced" among different queues once QoS is enabled. If the queues fill up and there isn't enough buffer space then you will start getting tail drops. 

Also, if, let's say, you are getting a 100Mb connection but it is handed off to you via a 1Gb port, then without traffic shaping to "normalize/smooth" the traffic you will also hit issues.

Anyways, glad you solved your issue and thank you for coming back to post the solution (+5) from me.

Now, since your issue is resolved, you should mark the thread as "answered" :)

 

Thank you for rating helpful posts!

nspasov
Cisco Employee

Can you post your config here (feel free to black out sensitive info)? Also, keep in mind that the max throughput on a 5505 is 150Mbps. Also, the interfaces on it are only 100Mb Ethernet so 95Mb is probably as good as it will go on one interface :) With that being said, you should be able to get similar speeds on downloads. However, do keep in mind that the 150Mb max throughput is for all interfaces combined together and not per interface/direction, etc. Thus, if you had a 95Mb upload going through while another session was doing a 50Mb download then you would be maxing out the device :o

show traffic

Is a good command to monitor the traffic going through your ASA. Alternatively, you can download CactiEZ or PRTG and monitor it that way.

 

Thank you for rating helpful posts!

After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASA 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.

 

I get much better results using the Cisco 3750X attached to the FIOS (right around 300/300 with my laptop directly attached to the 3750X bypassing the ASA - my FIOS circuit rating is also 300/300). Going through the ASA to the same test site I get download speeds of 35 to 75. It changes randomly, which really bothers me. My upload speeds are ALWAYS faster than my download speeds. Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.

 

I may have to live with it but the inconsistency is what really bothers me.

 

Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down... doesn't seem to make any difference. PC goes to site directly from outside interface of ASA... split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.

 

Anything obviously missing - new command or anything? Xlates causing issues?

Hmm, I don't see anything unusual with the config. Have you checked if:

1. The interface on both the ASA and uplink/downlink device are running in 100Mb/Full Duplex

2. There are any errors/collisions/etc on either the ASA or uplink/downlink device ports

3. Tried turning off inspection of HTTP

 

Thank you for rating helpful posts!
