
Iperf test through ASA

AirSail
Level 1

Hello Folks, 

I have a pair of ASA5516 in HA mode. The ISP provides a high-speed WAN, 500 Mbps up/download.

While doing some speed tests recently, we noticed that all our tests from the inside network are not going above 100 Mbps.

I checked all inside/outside interfaces "show run inter x/y" and all are showing 1G negotiation, I checked also all interfaces going all the way to the terminals and also to the ISP router. ALL SHOWING 1G negotiation, 

To dig deeper, I moved onsite and spoke to the ISP to set up an Iperf server on their side and give us the public IP,

and I set Iperf client on my PC, 
* disconnect the outside interface and connect it to my PC (set public IP on my PC) I'm getting full WAN speed, 

* disconnect inside interface and connect it to my PC (set an IP address LAN) I'm getting 100Mbps 

I'm confused here, there is no bandwidth cap on my configuration,   

ASA Gurus, need your assistance? 

 

 

 


Show interface IN/OUT <- share the show interface of both in and out interface 

Does the ASA use PPPoE with the ISP?

MHM

No PPPoE setup in the ASA for the internet connection.

Will share that as soon as I get access to the ASA.

@MHM Cisco World here you go 

 show interface inside
Interface GigabitEthernet1/2 "inside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address f80b.cbc4.b727, MTU 1500
IP address ----------, subnet mask ------------
7700798351 packets input, 5786718525856 bytes, 0 no buffer
Received 71406311 broadcasts, 0 runts, 0 giants
304 input errors, 0 CRC, 304 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
5786834857 packets output, 3959138579284 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 24 output reset drops
input queue (blocks free curr/low): hardware (1971/1819)
output queue (blocks free curr/low): hardware (2047/1606)
Traffic Statistics for "inside":
7061788943 packets input, 5658458772219 bytes
5786834857 packets output, 3852074986797 bytes
68356019 packets dropped
1 minute input rate 7877 pkts/sec, 7548226 bytes/sec
1 minute output rate 5694 pkts/sec, 3754264 bytes/sec
1 minute drop rate, 10 pkts/sec
5 minute input rate 7365 pkts/sec, 6673943 bytes/sec
5 minute output rate 6282 pkts/sec, 4110732 bytes/sec
5 minute drop rate, 12 pkts/sec


 show interface outside
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address f80b.cbc4.b726, MTU 1500
IP address ---------, subnet mask -----------
5734447821 packets input, 4160222411621 bytes, 0 no buffer
Received 30835512 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
6697368727 packets output, 5676416488542 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (2019/1819)
output queue (blocks free curr/low): hardware (2047/1699)
Traffic Statistics for "outside":
5706615466 packets input, 4056768933014 bytes
6697368727 packets output, 5555512002686 bytes
43919763 packets dropped
1 minute input rate 5645 pkts/sec, 4116990 bytes/sec
1 minute output rate 7238 pkts/sec, 7048921 bytes/sec
1 minute drop rate, 72 pkts/sec
5 minute input rate 6245 pkts/sec, 4425410 bytes/sec
5 minute output rate 7280 pkts/sec, 6804177 bytes/sec
5 minute drop rate, 26 pkts/sec

68356019 packets dropped

This is a huge drop, and the interface is full-duplex and the overrun counter is zero

So 

Show asp drop

Do this two or three times 

Check which drop is increasing rapidly

Share the asp drop here if you can

I think TCP out-of-order is causing this issue, but let's check that

MHM

@MHM Cisco World Attached, 
Do you think a packet drop may limit the throughput?
Comparing show inter out/in from yesterday and today, it is showing very few drops.

VPN conflict <<- why are there high VPN conflicts? How many VPNs do you run?
FW L2 ACL <<- this needs checking; if you run router mode then there is no L2 ACL. I will check this point more.
QoS drop <<-
show service-policy police 
show service-policy shape
show priority-queue statis OUT

share above 

MHM
 

@MHM Cisco World - man I think you chased something important here, 

#show service-policy police

Interface outside:
Service-policy: <NAME HERE>
Class-map: bandwidth
Input police Interface outside:
cir 100000000 bps, bc 50000 bytes
conformed 12029323552 packets, 9018979062185 bytes; actions: transmit
exceeded 3492948 packets, 4926824082 bytes; actions: drop
conformed 50560648 bps, exceed 18760 bps
Output police Interface outside:
cir 100000000 bps, bc 50000 bytes
conformed 13984694007 packets, 11943019308317 bytes; actions: transmit
exceeded 15878951 packets, 23058164314 bytes; actions: drop
conformed 58548416 bps, exceed 30976 bps

that CIR 100000000 bps could be the root cause? 
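
Added example (not part of the original thread and not Cisco code): a small Python parser for the `show service-policy police` output posted above. It flags any policer whose CIR is below the link rate and whose exceed action is drop. The 500 Mbps link rate is taken from the first post; the function names are this example's own.

```python
import re

# Output copied from the post above (policy name redacted by the poster).
SAMPLE = """\
Interface outside:
Service-policy: <NAME HERE>
Class-map: bandwidth
Input police Interface outside:
cir 100000000 bps, bc 50000 bytes
conformed 12029323552 packets, 9018979062185 bytes; actions: transmit
exceeded 3492948 packets, 4926824082 bytes; actions: drop
conformed 50560648 bps, exceed 18760 bps
Output police Interface outside:
cir 100000000 bps, bc 50000 bytes
conformed 13984694007 packets, 11943019308317 bytes; actions: transmit
exceeded 15878951 packets, 23058164314 bytes; actions: drop
conformed 58548416 bps, exceed 30976 bps
"""

HEAD = re.compile(r"^(Input|Output) police Interface (\S+):")
CIR = re.compile(r"^cir (\d+) bps, bc (\d+) bytes")
COUNT = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes; actions: (\w+)")

def parse_policers(text):
    """Return one dict per policer block (direction + interface)."""
    policers, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEAD.match(line):
            cur = {"direction": m[1].lower(), "interface": m[2]}
            policers.append(cur)
        elif cur is not None and (m := CIR.match(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m[1]), int(m[2])
        elif cur is not None and (m := COUNT.match(line)):
            # Cumulative counters; the per-second rate line does not match here.
            cur[m[1] + "_bytes"] = int(m[3])
            cur[m[1] + "_action"] = m[4]
    return policers

def capped(policers, link_bps):
    """Policers whose CIR is below the link rate and that drop excess traffic."""
    return [p for p in policers
            if p.get("cir_bps", link_bps) < link_bps
            and p.get("exceeded_action") == "drop"]

if __name__ == "__main__":
    for p in capped(parse_policers(SAMPLE), link_bps=500_000_000):
        print(f"{p['interface']} {p['direction']}: cir {p['cir_bps'] / 1e6:.0f} Mbps, "
              f"{p['exceeded_bytes']} bytes dropped")
```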

It sure can be the issue here.

Do test again and monitor the drop

MHM

@MHM Cisco World  what could be the reason behind placing this bandwidth limit in the outside interface? protecting from burst traffic? what do you think?  

to remove the bandwidth should I do only the below: #NO service-policy <NAME HERE> interface outside
nothing else will be impacted?

Sorry, I took some time

QoS max value is 100 mbps

So I think you cannot modify it. Also, it is not a good idea to remove it; it protects the FW from high-rate traffic (it drops some)

So I am sorry, I don't have a suggestion here. Open a TAC case or open a new post asking for the solution to the low BW of the FW.

Thanks for waiting 

MHM

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/quality_of_service__qos__for_firepower_threat_defense.html

hey @MHM Cisco World 
I am a bit confused here, the bandwidth limit applied has nothing to do with QoS, right?

BW limit applied is 100mbps and we can increase it, to 900mbps for instance, why we can't? 

 

QoS is shaping the traffic; anything above 100 Mbps is dropped

Sorry again, I don't have an answer for whether you can increase the shaping to 900 or not, and its effect on the FW.

MHM

balaji.bandi
Hall of Fame

Is the ASA just a simple config, or is there any IPSec? What other functions are handled by the ASA?

How about an iperf test on the inside and outside of the ASA only?

What ASA code is running?

Some troubleshooting tips:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html

 

 

BB


this ASA is used mainly as a VPN concentrator so we use a lot of IPSEC termination 

test inside the network is fine, 1000Gbps is all around 

test outside while keeping ASA behind us is fine we can hit the 1G 

iperf client in the inside and iperf server at the ISP side(outside) is showing a cap of 100mbps. 

code is ASA 9.12 
