Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
837
Views
0
Helpful
3
Replies

Slow SFTP throughput when passed through ASA 55xx

Don Maker
Level 1
Level 1

‎03-27-2015 01:07 PM - edited ‎03-11-2019 10:42 PM

I have an interesting scenario. I have setup two test boxes for SFTP.  One in a DMZ behind an ASA inteface, and the other on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s.  I get that same low speed even on the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch to the ASA interface to the SFTP server. I even tried this across two different ASA, same result. One was a 5505, the other a 5520. 

 

So, it seems the only limiting factor here is the ASA.  Does anyone have any observations or suggestions that might help?

 

Thanks!

 

Labels:
0 Helpful
3 Replies 3

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎03-29-2015 11:01 AM

Hi Don,

I am not sure i follow the test. You said you get the slow speed even to the machine connected to  the external switch where ASA is not coming into the picture??

A quick packet capture can be taken to see if the ASA is delaying the traffic. Are you sure there is no other device in path restricting the speed for SFTP?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

Don Maker
Level 1
Level 1
In response to Kanwaljeet Singh

‎03-30-2015 05:58 AM

Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.

 

I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7

 

 

0 Helpful

Don Maker
Level 1
Level 1
In response to Don Maker

‎03-30-2015 11:00 AM

Comparing a Wireshark cap of both inside the firewall and outside the firewall shows many, many TCP Retransmissions, TCP Dup ACK . See below:

 

 

Here is a capture of a portion of an SFTP transfer through the firewall.

 

externalcap.zip
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card