New ASA 5515-X Causing Slowness Between Networks?

Butch_Snyder
Level 1

We have a lab network (x.x.x.x) that is segregated from our corp network (y.y.y.y) by an ASA 5515-X. When doing file transfers (anywhere from 80 to 400MB) from x.x.x.x to a server on the y.y.y.y network, it takes a very long time, upwards of 8-9 minutes sometimes. The path flows as follows:

Server on y.y.y.y network > 3850 stack > 5515-X > 3850 stack > server on x.x.x.x network.

I am wondering if the inspect rules might be causing this. Nothing in the logs, but packet captures on the ASA show packet retransmits. Also, ping times are < 2ms and no missed pings.

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

As you would agree, this would be a long shot, but these are some things which you should check:

1) Check for Interface Errors on the ASA device

2) Do you have any additional Module enabled on the ASA device ?

3) Are there any inspections for this specific traffic on the ASA device ?

4) Try the TCP state Bypass to isolate the ASA TCP state checks causing the issue

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Thanks and Regards,

Vibhor Amrodia

I think there are no interface errors because there are no missed pings.

Share your config

or try to switch off inspection rules

Here is the current config.  I have removed the IP addresses and replaced them.

den-lab-asa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname den-lab-asa
domain-name intellig.local
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address y.y.y.y/24
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address x.x.x.x/24
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name intellig.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-remote
 subnet y.y.0.0 255.255.0.0
object network obj-local
 subnet x.0.0.0 255.0.0.0
object-group service DNS
 service-object tcp destination eq domain
 service-object udp destination eq domain
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any range bootps bootpc
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 any eq domain
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq domain
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 any eq ftp
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq sip
access-list outside-in extended permit udp y.y.0.0 255.255.0.0 any eq ntp
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 y.m.0.0 255.255.0.0 log
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 y.n.0.0 255.255.0.0 log
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 x.x.x.0 255.255.255.0 eq 8080
access-list outside-in extended permit tcp y.y.0.0 255.255.0.0 x.29.6.0 255.255.255.0 eq 8180
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 x.0.0.0 255.0.0.0 log
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 y.m.0.0 255.240.0.0 log
access-list outside-in extended deny ip y.y.0.0 255.255.0.0 m.m.0.0 255.255.0.0 log
access-list outside-in extended permit ip y.y.0.0 255.255.0.0 any log
pager lines 24
logging enable
logging history debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static obj-local obj-local destination static obj-remote obj-remote
access-group outside-in in interface Outside
route Inside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Inside x.0.0.0 255.0.0.0 x.x.x.x 1
route Outside y.y.0.0 255.255.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
snmp-server host Inside x.x.x.x community *****
snmp-server host Inside x.x.x.x community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh x.0.0.0 255.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcprelay server x.x.x.x Inside
dhcprelay enable Outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:gggggggggg
: end
den-lab-asa#
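To make the TCP State Bypass step from the reply above concrete against the posted config, here is an added example (not from the thread or the original poster) that first records interface error and ASP drop counters, then applies bypass only to the two hosts involved in the transfer on the Inside interface, where the lab-side traffic enters. The host addresses x.x.x.10 and y.y.y.20 are constructed placeholders; interface and policy names follow the redacted config.

```cisco
! Added example: isolate the ASA's TCP state checks for the lab <-> corp transfer.
! Bypass disables sequence randomization and TCP normalization for matched flows,
! so the class is kept to two hosts and removed once the test is done.

! 1) Baseline counters before changing anything
show interface GigabitEthernet0/0 | include error|overrun|CRC|collision
show interface GigabitEthernet0/1 | include error|overrun|CRC|collision
clear asp drop
show service-policy global

! 2) Match only the lab client and the corp file server (constructed placeholders)
object network LAB-CLIENT
 host x.x.x.10
object network CORP-FILESERVER
 host y.y.y.20
access-list TCP-BYPASS extended permit tcp object LAB-CLIENT object CORP-FILESERVER
access-list TCP-BYPASS extended permit tcp object CORP-FILESERVER object LAB-CLIENT

class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS

! 3) Interface policy on Inside: bypass state checks for that class only,
!    leaving global_policy and its inspections untouched for all other traffic
policy-map INSIDE-POLICY
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass

service-policy INSIDE-POLICY interface Inside

! 4) Re-run the transfer, then confirm the class was hit (packet counters) and
!    that the connection carries the "b" (state-bypass) flag; compare asp drops
show service-policy interface Inside
show conn detail | include x.x.x.10
show asp drop

! 5) Back out after the test
no service-policy INSIDE-POLICY interface Inside
```

If the transfer is fast with bypass in place, the ASA's TCP checks are implicated and the next step is comparing the captures for what the normalizer drops; if it is still slow, look at the 3850 stacks and the hosts instead.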
