Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2093
Views
0
Helpful
3
Replies

Intermittent Latency and Packet Loss Only for Traffic Traversing Zones Through ASA 5520

Dean Romanelli
Level 4
Level 4

‎06-17-2016 10:51 AM - edited ‎03-12-2019 12:54 AM

Hi All,

I am having a serious and puzzling issue where my core ASA in the data center, which all of my branch sites come through to get internet, will intermittently cause all traffic flowing through it in an inter-zone fashion (i.e. inside-to-outside, inside-to-DMZ, DMZ-to-inside, etc...) to experience packet loss and high latency (500ms on average).  I am sat physically at the data center, and even from my PC, which is a 1ms single hop away from the ASA reports 500ms latency when I try to ping the ISP gateway through my ASA.  However, if I ping the ASA interface my PC faces (the inside interface IP on the ASA), pings are fine at 1ms, no packet loss.  If I logon to the ASA itself and I ping something on the inside, something in the DMZ, and the very same ISP gateway IP address connected to the outside interface of my ASA, latency is fine, and no packet loss.

Due to these findings, I am theorizing that the ASA is having a problem when the traffic needs to traverse zones (i.e. inside-to-outside).  That would explain why I can ping the inside interface of the ASA from my PC and not receive any packet loss, as well as why I can ping something in the Outside, Inside and DMZ zones while sitting on the ASA, pinging from it, and experience no packet loss; Because those ping responses don't require the ASA to traverse zones, whereas any other ping scenario I tried had to go through the ASA (i.e. My inside PC to the ISP router) to reach their destinations and subsequent latency and packet loss was witnessed.  

I've attached a diagram that shows everything and also provides all scenarios I've tested and their results.  If anyone can provide any insights into what this issue could be and how to go about troubleshooting it, that would be most appreciated, as there is nothing jumping out at me in the logs or the interfaces.  Thanks.

Labels:
Preview file
217 KB
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-17-2016 10:16 PM

What software version are you running?

Are these all "normal" interfaces, or are they Port-channel or Redundancy interfaces?

0 Helpful

Dean Romanelli
Level 4
Level 4
In response to Philip D'Ath

‎06-22-2016 02:28 PM

Hi Philip,

asa842-k8.

Normal gigabit interfaces.  Inside, Outside, DMZ.

0 Helpful

Kornelia Gutierrez
Level 1
Level 1
In response to Dean Romanelli

‎06-24-2016 12:50 PM

Hello Dean,

I hope you are fine, could you try to directly connect a computer to one of the ASA interfaces if there is one available, I mean connect directly the port of the pc to a port of the ASA (no switch or whatsoever device in between), configure that free interface on the ASA give it a name, an ip, a security level, build a nat and from the computer do the ping.

Also please place captures on both inside and outside interface capturing the pings that are having latency check the timestamps of the packets in both captures to check if latency is seen when the packets leaves the outside interface.

Capture example

In the inside

Cap inside interface inside trace match icmp host 192.168.3.2 host 12.x.x.17

On the outside

Capture outside interface outside trace match host x.x.x.x host 12.x.x.17

Where

x.x.x.x is the ip address that 192.168.3.2 uses on the public side  to go out

If possible kindly please attach a show tech but please remove passwords and any sensitive data.

Best regards,

Kornelia Gutierrez 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card