02-16-2011 03:08 PM - edited 03-11-2019 12:51 PM
We recently got a 10 meg dedicated internet fiber connection installed. I connected it to a PIX 501 firewall and everything worked fine (I tested it for a couple of weeks). A couple of days ago I got a new ASA 5505 and replaced the PIX with this device. It works, but every so often there seems to be a timeout when surfing the web whereby I click on a link and there is up to a 45 second wait and then the page loads quickly. I was not getting this before on the PIX so I'm assuming it's not a latency issue with the connection. I am the only one using this connection on the network so it's not to say that it's being bogged down. It's driving me crazy! I want to roll this out to the other users on the network but not when this is happening. Can someone point me in the right direction? The configuration is below:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name mycompany.com
enable password tdkuTUSh53d2MT6B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.26.0.252 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address zz.xx.yyy.253 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mycompany.com
access-list MC_Split_Tunnel_List remark The corporate network behind the ASA
access-list MC_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host zz.xx.yyy.251 eq ftp
access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_POOL 172.26.6.1-172.26.6.100 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) zz.xx.yyy.251 172.26.5.9 netmask 255.255.255.255
static (inside,outside) zz.xx.yyy.244 172.26.0.136 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 zz.xx.yyy.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.26.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy VPNPOL1 internal
group-policy VPNPOL1 attributes
dns-server value 172.26.0.250 172.26.0.251
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MC_Split_Tunnel_List
address-pools value VPN_POOL
username bjulien password bhKBinDUWhYqGbP4 encrypted
username bjulien attributes
vpn-group-policy VPNPOL1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ed6fd7d8535120634dfb59217a295c26
: end
02-16-2011 06:33 PM
How are your interface settings? 100 full?
Try disabling threat detection using the command:
no threat-detection basic-threat
that might be causing some issues. If you don't want to disable it completely just remove the following lines:
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
Sent from Cisco Technical Support iPhone App
02-17-2011 07:29 AM
All interfaces are set to auto.
I disabled the threat detection. Let me see if that helps. Thanks!
02-17-2011 08:05 AM
OK, set to auto, but what are the settings negotiated? Do a show interface and check the physical interfaces.
Let me know how things work.
02-17-2011 12:33 PM
The show interface output is below. I disabled threat detection and the connection was working well for the past few hours until about 5 minutes ago, when the timing out delays started once again. I would gladly go back to the PIX, however, it only has a 10 user license and internet connectivity through the PIX seems to be a little slower than the ASA 5505 which has an unlimited user license. I bought a 50 user upgrade for the PIX but when I tried to activate it online, it says it cannot find the PIX serial number. I called Cisco Support, and they were able to find the serial in their records but the activation still said cannot find the serial number. Cisco Licensing Support is now handling the support case. Even when I am able to finally upgrade the user licenses on the PIX, I am hesitant to use it because of the slowness. I really need the ASA to work. Thanks for all your help.
SHOW INTERFACE OUTPUT
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 000000000, MTU 1500
IP address 172.26.0.252, subnet mask 255.255.0.0
Traffic Statistics for "inside":
32874148 packets input, 42566284217 bytes
17716087 packets output, 2130191314 bytes
717349 packets dropped
1 minute input rate 13 pkts/sec, 1251 bytes/sec
1 minute output rate 14 pkts/sec, 3006 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 342 pkts/sec, 473414 bytes/sec
5 minute output rate 188 pkts/sec, 8879 bytes/sec
5 minute drop rate, 2 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 00000000, MTU 1500
IP address zz.xx.yyy.aaa, subnet mask 255.255.255.240
Traffic Statistics for "outside":
17631945 packets input, 2088968709 bytes
30773743 packets output, 42375079649 bytes
2331 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 63 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 188 pkts/sec, 8879 bytes/sec
5 minute output rate 337 pkts/sec, 472819 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 0000000, MTU not set
IP address unassigned
17635405 packets input, 2490698444 bytes, 0 no buffer
Received 4495 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
2518 switch ingress policy drops
30754836 packets output, 42922459626 bytes, 0 underruns
403173 output errors, 317098 collisions, 0 interface resets
0 late collisions, 16506 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 0000000, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 0000000, MTU not set
IP address unassigned
1391268 packets input, 171193162 bytes, 0 no buffer
Received 1140677 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
47420 packets output, 40507712 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 00000000, MTU not set
IP address unassigned
31294332 packets input, 42661930417 bytes, 0 no buffer
Received 755120 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
17359091 packets output, 2338880870 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/4 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 000000000, MTU not set
IP address unassigned
551810 packets input, 396891089 bytes, 0 no buffer
Received 148561 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
296211 packets output, 147710772 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 000000000, MTU not set
IP address unassigned
16173 packets input, 1782898 bytes, 0 no buffer
Received 3944 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
17263 packets output, 7730039 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 000000000, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 00000000, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
02-17-2011 01:27 PM
I connected back the PIX and everything is working again with no timeout delays. The speed is fine so it was perhaps my imagination about its slower speed compared to the ASA 5505. In any case, I want to continue to troubleshoot the ASA to figure out what's causing the delays.
02-17-2011 06:41 PM
Your ASA interface e0/0 shows half duplex; that seems to be your issue.
You can change it using the following commands:
int e0/0
duplex full
speed 100
The device that you have connected to this interface should also have the same settings.
Sent from Cisco Technical Support iPhone App
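The check this answer performed by eye, as an added Python example that is not part of the original thread: it parses `show interface` text and flags interfaces that are up and either negotiated half-duplex or count collisions or deferred frames. The sample is abridged from the output posted above; the function names are hypothetical.

```python
import re

# Abridged from the `show interface` output posted in the thread.
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
403173 output errors, 317098 collisions, 0 interface resets
0 late collisions, 16506 deferred
Interface Ethernet0/4 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
Interface Ethernet0/1 "", is down, line protocol is down
Auto-Duplex, Auto-Speed
0 output errors, 0 collisions, 0 interface resets
"""

HEADER = re.compile(r'^\s*Interface (\S+) "[^"]*", is (up|down|administratively down)')
DUPLEX = re.compile(r'\((Half|Full)-duplex\)')
COUNTER = re.compile(r'(\d+) (output errors|collisions|late collisions|deferred)\b')

def parse_interfaces(text):
    """Return {name: {"state", "duplex", counters...}} for each interface block."""
    result, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = result[m.group(1)] = {"state": m.group(2), "duplex": None}
            continue
        if cur is None:
            continue  # text before the first interface header
        d = DUPLEX.search(line)
        if d:
            cur["duplex"] = d.group(1).lower()
        for value, name in COUNTER.findall(line):
            cur[name] = int(value)
    return result

def duplex_suspects(text):
    """List up interfaces that negotiated half-duplex or count collisions/deferrals."""
    out = []
    for name, i in parse_interfaces(text).items():
        if i["state"] != "up":
            continue
        noisy = any(i.get(k, 0) for k in ("collisions", "late collisions", "deferred"))
        if i["duplex"] == "half" or noisy:
            out.append((name, i["duplex"], i.get("collisions", 0), i.get("output errors", 0)))
    return out

if __name__ == "__main__":
    for row in duplex_suspects(SAMPLE):
        print("check duplex/speed on both ends of %s: duplex=%s collisions=%d output_errors=%d" % row)
```

On the sample only Ethernet0/0 is reported; Ethernet0/4 (full duplex, zero collisions) and the down port are not.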
02-18-2011 06:49 AM
OK, I'll make the changes and do additional testing. Thanks!
02-28-2011 10:48 AM
That did it! Thanks a bunch!