cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4882
Views
0
Helpful
10
Replies

low internet speeds on cisco 2960 behind asa5510

nevyana
Level 1
Level 1

hi,

users behind asa5510 on both vlans10 and 20 have slow internet speeds (2Mbps down/170kbps up). carrier provides 13Mbps down/5mbps up and speed tests on another port on the asa 9Mbps/5mbps. There is no speed/duplex mismatch on the switch (cisco 2960) that asa port is connected to. what else could possible cause that ? cisco 2960 is in vtp transparent mode. mtu on both vlans is matched.

thanks

1 Accepted Solution

Accepted Solutions

Hello,

Perfect,. the problem was the duplex mismatch on the outside interface,

Glad you are going to keep this configuration

If you do not have any other question please mark the question as answered,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

10 Replies 10

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

So you are seeing the speed issues just on interface 0/1 and ofcourse its sub-interfaces.

Please provide the following:

Show interface | include errors

Show interface fastethernet 0/1

As you already checked as it works on a different and dedicated port on the ASA this could be happening because of two things:

1-The amount of traffic received on interface 0/1 is greater than the one the ASA can support

2-Issues on the LAN side ( switches)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

asa# sh int | include errors

194815 input errors, 194815 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 2 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 1 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 4 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 4 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

asa# sh int e0/1

Interface Ethernet0/1 "", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

Input flow control is unsupported, output flow control is off

Available but not configured via nameif

MAC address f0f7.55f3.2ddb, MTU not set

IP address unassigned

16573970 packets input, 2161738772 bytes, 0 no buffer

Received 231352 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

18086894 packets output, 8585727976 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 1 interface resets

0 late collisions, 0 deferred

0 input reset drops, 0 output reset drops, 0 tx hangs

input queue (blocks free curr/low): hardware (255/230)

output queue (blocks free curr/low): hardware (255/230)

asa# sh int e0/1.10

Interface Ethernet0/1.10 "inside1", is up, line protocol is up

# Attention: This interface is located in a PCI-e x0 slot. For #

# optimal throughput, install the interface in a PCI-e x16 slot #

# if one is available. Refer to 'show controller slot'.        #

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

VLAN identifier 10

Description: CONNECTION TO INSIDE PCs

MAC address f0f7.55f3.2ddb, MTU 1500

IP address 192.168.1.3, subnet mask 255.255.255.0

  Traffic Statistics for "inside1":

15930094 packets input, 1489532514 bytes

17415119 packets output, 7694926229 bytes

10030657 packets dropped

asa# sh int e0/1.10      20

Interface Ethernet0/1.20 "inside2", is up, line protocol is up

# Attention: This interface is located in a PCI-e x0 slot. For #

# optimal throughput, install the interface in a PCI-e x16 slot #

# if one is available. Refer to 'show controller slot'.        #

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

VLAN identifier 20

Description: CONNECTION TO INSIDE SERVERS

MAC address f0f7.55f3.2ddb, MTU 1500

IP address 192.168.2.3, subnet mask 255.255.255.0

  Traffic Statistics for "inside2":

644215 packets input, 290057701 bytes

672642 packets output, 490711008 bytes

4994 packets dropped

Hello,

This is not good at all:

194815 input errors, 194815 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

Make sure the ISP people has their interface hardcoded as yours ( interface ethernet 0/0)

After doing that please do the following:

clear interface

And then after 5 minutes provide me the following command:

-show interface | include errors

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

asa# sh int | include error

106 input errors, 106 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 output errors, 0 collisions, 0 interface resets

Hello,

Same behavior, can you change the cable connection to the modem, clear the interface again and wait five minutes.

Then provide us the same output,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

kcarter
Level 1
Level 1

Was this resolved? It's very close to a problem I have now.

hi, I had to wait until the weekend to work on this. I set the settings on the asa port towards the provider from duplex full to duplex auto, that cleared the CRC errors. Modified the configuration, added another 5-port cisco switch and removed the two vlans on port 0/1. Internet speed is improved. Graphing the users LAN did not show any excessive traffic. CPU and mem utilization is the same. Policies are the same. Not sure what was going on.

Hello Nevyana,

Are you still having latency issues, I can see it improved!

What is behind the inside interface of the ASA? how many switches or layer 3 devices are there?

Let us know so we can help you on this,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you so much, speed is improved and planning to keep this configuration. I cannot explain why the issue on the original configuration. There is one cisco 2960 connected to the LAN. Here's the configuration it had:

logging buffered 5000 informational

!

no aaa new-model

system mtu routing 1500

vtp mode transparent

ip subnet-zero

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 10,20,301

!

!

interface FastEthernet0/1

switchport trunk allowed vlan 10,20

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/2

shutdown

speed 100

duplex full

!

interface FastEthernet0/3

switchport access vlan 10

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/45

description 510 SERVER

switchport access vlan 20

speed 100

duplex full

!

interface FastEthernet0/46

description 290 SERVER

switchport access vlan 20

speed 100

duplex full

!

interface FastEthernet0/47

!

interface FastEthernet0/48

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan10

description PCs

no ip address

no ip route-cache

!

interface Vlan20

description SERVERS

no ip address

no ip route-cache

!

ip http server

ip http secure-server

!

control-plane

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

end

Hello,

Perfect,. the problem was the duplex mismatch on the outside interface,

Glad you are going to keep this configuration

If you do not have any other question please mark the question as answered,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: