
Slow upload speeds to Internet behind an ASA 5520

harinirina
Level 1

Hello,

Our internet connection is connected to an ASA. The download speed is ok but the upload is very slow.

We have been running some speed tests from our LAN, and have also been trying to upload/download files.

Our ASA also has the IPS module.

I turned this off but we've got the same result.

I have attached the configuration file of the ASA here.

Does anybody have any suggestions as to what the problem may be?

Regards

9 Replies

Julio Carvajal
VIP Alumni

Hello,

What do you mean by turned off the module?

Also, have you done any captures on the ASA?

You can create 2 captures (inside, outside) and then open them in Wireshark and check how much time it takes for the ASA to receive the packet on one interface and send it on the other interface.

The configuration looks simple enough to be working well.

Rate all the helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
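
The inside/outside capture comparison suggested in the reply above can be scripted once both captures are exported to text. This is an added example, not part of the original thread: the row format, the sample values and the function names are assumptions, and packets are matched on IP ID plus TCP payload length on the assumption that the firewall forwards the IP ID unchanged.

```python
from statistics import median

# Constructed sample rows, one packet per line: "epoch_seconds ip_id tcp_len".
# Assumed export, run once per capture file:
#   tshark -r FILE -T fields -e frame.time_epoch -e ip.id -e tcp.len
INSIDE = """\
100.000100 0x1a01 1460
100.000350 0x1a02 1460
100.000600 0x1a03 1460
100.000850 0x1a04 1460
"""
OUTSIDE = """\
100.000180 0x1a01 1460
100.000440 0x1a02 1460
100.042600 0x1a03 1460
"""

def parse(text):
    """Map (ip_id, payload_len) -> first-seen timestamp for one capture."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip_id, length = line.split()
        # Sequence numbers are not part of the key: a firewall may rewrite them.
        seen.setdefault((int(ip_id, 16), int(length)), float(ts))
    return seen

def transit_delays(ingress_text, egress_text):
    """Return ({key: seconds spent in the firewall}, [keys never seen on egress])."""
    ingress, egress = parse(ingress_text), parse(egress_text)
    delays = {k: egress[k] - t for k, t in ingress.items() if k in egress}
    missing = [k for k in ingress if k not in egress]
    return delays, missing

def summarize(delays, missing, slow_threshold=0.005):
    """Flag packets held longer than slow_threshold seconds or dropped in transit."""
    values = sorted(delays.values())
    return {
        "matched": len(values),
        "median_s": median(values) if values else None,
        "max_s": values[-1] if values else None,
        "slow": [k for k, d in delays.items() if d > slow_threshold],
        "never_forwarded": missing,
    }

if __name__ == "__main__":
    # Upload direction: the inside capture is ingress, the outside capture is egress.
    print(summarize(*transit_delays(INSIDE, OUTSIDE)))
```

For the download direction, swap the two arguments so the outside capture is treated as ingress.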

Hello Julio,

Thanks for the reply.

By turned off the module, I mean the bypass mode is on, and we also tried to remove the policy applied.

We will try to capture the traffic and let you know.

Thanks

Hi,

It seems it doesn't take too much time for the ASA to receive the packet on one interface and send it on the other interface. The bypass mode on the IPS is enabled.

What would you suggest we check next?

Hello,

You are right: on the capture it looks like there is no problem with the time, but it is important to remark that on the captures I can notice that the returning traffic (reply from the FTP server to your client) is taking really long. Please check that; as you can see on the captures, our host replies immediately but the server does take its time.

Also, can you remove the class-map from the ASA (the one related to the IPS), do a clear local-host, and then give it a try?

Finally, provide us the output of the following:
-Show interface | include error

-Show cpu

Remember to rate all the helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

We have removed the class-map for IPS and have done a clear local-host.

We have also changed the duplex (from Auto to full) and speed (from Auto to 100Mbps) on the outside interface.

It seemed the duplex we got was half when it was configured as Auto. We've asked our ISP to change in their side to full, but we've got half instead.

We did an upload test after those actions; the speed we got is 300KBps, but it should be 8Mbps (download and upload).

When we send many uploads at the same time, we can see from our monitoring tool that the bandwidth used is 8Mb.

We wonder why we cannot get high speed when uploading a single file; the max speed is 300KBps.

Please find below the output of:

sh int | inc error

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 1 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 1 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 1 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 2710 collisions, 3 interface resets

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 output errors, 0 collisions, 0 interface resets

The 2710 collisions are on the outside interface (I think it was before changing duplex).

sh cpu

CPU utilization for 5 seconds = 2%; 1 minute: 1%; 5 minutes: 1%

When we plug a computer directly into the ISP device (IDU), the speed is high (about 650KBps).

What would you suggest we do? (Sure, we will rate all the helpful posts.)

Hello,

That is correct, the collisions are because of the half-duplex setting.

CPU is perfect.

"We've asked our ISP to change in their side to full, but we've got half instead"

That is what I do not like. You will need to confirm they hardcode their side to full-duplex, because if you leave it like this, one of the endpoints (the one on full duplex) will be able to talk whenever it wants and the other side (half-duplex) will do it only when the other side stops, and that will be almost never if the other one is full duplex.

So please change that; afterwards we will keep troubleshooting this.

Let me know what they say.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

The duplex and speed were changed; we hardcoded it to full/100Mbps.

The upload speed is higher (now: 300KBps, before: 50KBps); it should be 8Mbps (download and upload).

When sending only one file, the max speed we can get is 300KBps.

We can see from our monitoring tool that the bandwidth used is 8Mb only when we send many uploads at the same time.

We wonder why we cannot get high speed when uploading a single file; the max speed is 300KBps.

There is no problem with download.

What would you suggest next?

Hello,

I would do the following test:

- Connect a single PC to an interface (Inside or DMZ) of the ASA, so it will be directly connected, and then run the test.

We need to make sure it is a problem with the ASA and not with the internal network.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your reply. Unfortunately, the connection is used all the time and we cannot unplug it.

What we did was, we plugged a single PC into a DMZ, but the LAN is also connected to the inside, and we got the same result.

We will do the test with only one PC when we can disconnect the LAN from the ASA.

In the meantime, is there any test you suggest we do?
