12-05-2010 10:43 PM - edited 03-11-2019 12:18 PM
Hiyas,
We recently purchased an ASA 5510 and I'm having a slight problem configuring it.
When I enable the following (just default traffic inspection), download speed drops to ~ 3Mb/s from > 10Mb/s.
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect rsh
  inspect esmtp
  inspect h323 ras
  inspect ftp
  inspect http
  inspect sip
  inspect icmp error
  inspect xdmcp
  inspect h323 h225
  inspect netbios
  inspect icmp
  inspect ils
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect sqlnet
  inspect pptp
  inspect dns
  inspect mgcp
  inspect sunrpc
  inspect snmp
!
service-policy global-policy global
Only HTTP traffic is affected; FTP still goes at the full 10Mb/s up and 10MB/s down.
When I disable the above service policy rule, everything goes fast again.
If anyone can help or provide any insight here it would be greatly appreciated.
Thanks,
Matt
12-05-2010 10:57 PM
When you enable the inspection for HTTP, that will slow down the HTTP traffic a little because it is performing deep packet inspection for HTTP traffic.
For more details on what "inspect http" does, please check the following command reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735782
You can temporarily disable only the HTTP inspection from the global policy map as follows:
policy-map global-policy
 class global-class
  no inspect http
The above will disable just the HTTP inspection, and you can check the speed.
For more security, you would need to enable the HTTP inspection; however, because it needs to inspect the packet in more detail, it will impact the performance/speed.
Hope that answers your question.
12-08-2010 10:46 PM
Thanks for your answer Jennifer.
I assumed this would be the case, but a 70% reduction in throughput just seemed a little high to me.
Thanks again,
Matt