11-11-2014 11:00 AM - edited 03-11-2019 10:03 PM
We have a lab network (x.x.x.x) that is segregated from our corp network (y.y.y.y) by an ASA 5515-X. When doing file transfers (anywhere from 80 to 400MB) from x.x.x.x to a server on the y.y.y.y network, it takes a very long time, upwards of 8-9 minutes sometimes. The path flows as follows:
Server on y.y.y.y network > 3850 stack > 5515-X > 3850 stack > server on x.x.x.x network.
I am wondering if the inspect rules might be causing this. Nothing in the logs, but packet captures on the ASA show packet retransmits. Also, ping times are < 2ms and no missed pings.
11-12-2014 02:32 AM
Hi,
As you would agree, this would be a long shot, but these are some things which you should check:
1) Check for Interface Errors on the ASA device
2) Do you have any additional Module enabled on the ASA device ?
3) Are there any inspections for this specific traffic on the ASA device ?
4) Try the TCP state Bypass to isolate the ASA TCP state checks causing the issue
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
Thanks and Regards,
Vibhor Amrodia
11-12-2014 02:42 AM
I think there are no interface errors because there are no missed pings.
Share your config,
or try to switch off the inspection rules.
11-12-2014 03:01 AM
Here is the current config. I have removed the IP addresses and replaced them.
den-lab-asa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname den-lab-asa
domain-name intellig.local
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address y.y.y.y/24
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address x.x.x.x/24
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name intellig.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-remote
 subnet y.y.0.0 255.255.0.0
object network obj-local
 subnet x.0.0.0 255.0.0.0
object-group service DNS
 service-object tcp destination eq domain
 service-object udp destination eq domain
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any range bootps bootpc
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 any eq domain
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq domain
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 any eq ftp
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq sip
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq ntp
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 y.m.0.0 255.255.0.0 log
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 y.n.0.0 255.255.0.0 log
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 x.x.x.0 255.255.255.0 eq 8080
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 x.29.6.0 255.255.255.0 eq 8180
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 x.0.0.0 255.0.0.0 log
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 y.m.0.0 255.240.0.0 log
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 m.m.0.0 255.255.0.0 log
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 any log
pager lines 24
logging enable
logging history debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static obj-local obj-local destination static obj-remote obj-remote
access-group outside-in in interface Outside
route Inside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside x.0.0.0 255.0.0.0 x.x.x.x 1
route Outside y.y.0.0 255.255.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
snmp-server host Inside x.x.x.x community *****
snmp-server host Inside x.x.x.x community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh x.0.0.0 255.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcprelay server x.x.x.x Inside
dhcprelay enable Outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:gggggggggg
: end
den-lab-asa#
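Point 3 of the checklist above (which inspections touch this specific traffic) can be answered from the posted config without logging in: the only inspections that fire are the engines under global_policy, and only for the ports that match default-inspection-traffic. The parser below is an added example, not from the thread or from Cisco; it walks a constructed excerpt of the pasted show run (whose indentation was lost) and assumes a small engine-to-port mapping taken from the ASA default-inspection table.

```python
# Constructed excerpt of the 'show run' posted above; the sub-command indentation that
# 'show run' prints was lost in the paste, so the parser deliberately ignores it.
ASA_CONFIG = """\
policy-map type inspect dns preset_dns_map
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect icmp error
inspect http
!
service-policy global_policy global
"""

# Assumed: ports that 'match default-inspection-traffic' hands to each engine
# (subset of the ASA default-inspection table; check your release's documentation).
DEFAULT_INSPECTION_PORTS = {
    "dns": {("udp", 53)}, "ftp": {("tcp", 21)}, "esmtp": {("tcp", 25)},
    "http": {("tcp", 80)}, "tftp": {("udp", 69)}, "sqlnet": {("tcp", 1521)},
}

def parse_policies(config):
    """Return ({policy: {class: [engine...]}}, {policy: scope}) from flattened text."""
    policies, applied, policy, cls = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith("policy-map type inspect"):   # per-protocol map, has no classes
            policy = cls = None
        elif line.startswith("policy-map "):
            policy, cls = words[1], None
            policies[policy] = {}
        elif policy and line.startswith("class "):
            cls = words[1]
            policies[policy][cls] = []
        elif policy and cls and line.startswith("inspect "):
            policies[policy][cls].append(words[1])        # 'inspect icmp error' -> 'icmp'
        elif line.startswith("service-policy "):           # '<name> global' or '<name> interface <if>'
            applied[words[1]] = "global" if words[2] == "global" else words[3]
        elif line == "!":
            policy = cls = None
    return policies, applied

def inspections_for(config, proto, port):
    """Engines the applied policies run on a proto/port flow via the inspection_default class."""
    policies, applied = parse_policies(config)
    hits = []
    for name, scope in applied.items():
        for engine in policies.get(name, {}).get("inspection_default", []):
            if (proto, port) in DEFAULT_INSPECTION_PORTS.get(engine, ()):
                hits.append((engine, scope))
    return hits
```

For the transfer in question this tells you whether the flow even reaches an inspection engine: FTP on tcp/21 hits inspect ftp globally, while an SMB copy on tcp/445 matches no engine, which points away from inspection and toward the TCP normalizer or the path itself.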