Slow upload speeds with a Cisco ASA 5516

jyingling (Level 1)

Hello,

We have a Cisco Firewall ASA 5516. We also have a 1GB up/down internet circuit. Behind the firewall we do not receive asymmetrical speeds. We receive approximately 900 down and 50 up. In front of the firewall we receive 900 up/900 down consistently. We are not using an IPS or Firepower. I have checked my duplex settings on the firewall and on my core switch. Everything is set to Auto/Auto. I contacted my ISP and the interface on their router is set to Auto/Auto.

Below are the results of my "show run policy-map". I understand that one of our policy names says "MY IPS". We are not using IPS.

sho run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 description My_IPS
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect http
  inspect snmp
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ip-options
  inspect ipsec-pass-thru
  inspect pptp
  inspect rtsp
  inspect snmp
  inspect tftp
  inspect mgcp
  inspect netbios
  inspect sip

Here is the result of a "sho asp drop" command:

IPSEC tunnel is down (ipsec-tun-down) 66
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 35
SVC Module does not have a session (mp-svc-no-session) 31
SVC Module is in flow control (mp-svc-flow-control) 24
SVC Module unable to fragment packet (mp-svc-no-fragment) 1
Invalid TCP Length (invalid-tcp-hdr-length) 2
No valid adjacency (no-adjacency) 36647
Unexpected packet (unexpected-packet) 27
No route to host (no-route) 8955
Flow is denied by configured rule (acl-drop) 4915330
No same-security-traffic configured (no-same-security-traffic) 12700
Invalid SPI (np-sp-invalid-spi) 149
First TCP packet not SYN (tcp-not-syn) 762063
Bad TCP flags (bad-tcp-flags) 1
TCP data send after FIN (tcp-data-past-fin) 5
TCP failed 3 way handshake (tcp-3whs-failed) 28490
TCP RST/FIN out of order (tcp-rstfin-ooo) 757106
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 51694
TCP SYNACK on established conn (tcp-synack-ooo) 2903
TCP packet SEQ past window (tcp-seq-past-win) 5777
TCP invalid ACK (tcp-invalid-ack) 992
TCP replicated flow pak drop (tcp-fo-drop) 5
TCP Out-of-Order packet buffer full (tcp-buffer-full) 721510
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 19298
TCP RST/SYN in window (tcp-rst-syn-in-win) 3708
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 16885
TCP packet failed PAWS test (tcp-paws-fail) 8517
SSL first record invalid (ssl-first-record-invalid) 1
CTM returned error (ctm-error) 3
Slowpath security checks failed (sp-security-failed) 827261
IP option drop (invalid-ip-option) 12
Expired flow (flow-expired) 1
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 2
DNS Inspect id not matched (inspect-dns-id-not-matched) 6
FP L2 rule drop (l2_acl) 246849
Interface is down (interface-down) 1463
Dropped pending packets in a closed socket (np-socket-closed) 375
Dispatch queue tail drops (dispatch-queue-limit) 456
IKE new SA limit exceeded (ike-sa-rate-limit) 1565
Fragment reassembly failed (fragment-reassembly-failed) 36

Last clearing: Never

Flow drop:
Tunnel being brought up or torn down (tunnel-pending) 54
Need to start IKE negotiation (need-ike) 3214
SVC failover (svc-failover) 2
SVC replacement connection established (svc-replacement-conn) 9
VPN decryption missing (vpn-missing-decrypt) 2
Inspection failure (inspect-fail) 7636
SSL bad record detected (ssl-bad-record-detect) 987
SSL handshake failed (ssl-handshake-failed) 149
DTLS hello processed and closed (dtls-hello-close) 135
From what I can see there isn't a QoS rule affecting the upload speed. At this point, I am stumped and need some assistance. Any help is greatly appreciated.

Thanks
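The "show asp drop" counters pasted above are lifetime totals, so a large number on its own does not say whether that reason is dropping the speed-test traffic. A more useful check is to take two snapshots around a test and look at what moved. The following parser and snapshot comparison are an added example written for this thread, not code from the original post or from Cisco; the sample text is constructed in the format of the poster's output (the "Frame drop:" header is assumed, since the paste starts after it).

```python
import re

# Constructed sample in the format of the `show asp drop` output quoted in the
# post (counter values copied from it; the "Frame drop:" header is assumed, as
# the poster's paste starts after it).
SAMPLE_ASP_DROP = """\
Frame drop:
  No valid adjacency (no-adjacency)                       36647
  Flow is denied by configured rule (acl-drop)          4915330
  First TCP packet not SYN (tcp-not-syn)                 762063
  TCP Out-of-Order packet buffer full (tcp-buffer-full)  721510
  Slowpath security checks failed (sp-security-failed)   827261
Last clearing: Never
Flow drop:
  Inspection failure (inspect-fail)                        7636
  SSL handshake failed (ssl-handshake-failed)               149
"""

# "<description> (<reason-name>) <count>", with or without leading indentation
LINE_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {section: {reason-name: count}} for the Frame drop / Flow drop sections."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(" drop:"):  # section header such as "Frame drop:"
            current = stripped[:-1]
            sections[current] = {}
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current][m["name"]] = int(m["count"])
    return sections

def delta(before, after):
    """Counters that grew between two snapshots taken around a speed test, largest
    first; a counter that does not move during the test is not what limits it."""
    grown = {}
    for section, counters in after.items():
        for name, count in counters.items():
            diff = count - before.get(section, {}).get(name, 0)
            if diff > 0:
                grown[name] = diff
    return dict(sorted(grown.items(), key=lambda kv: -kv[1]))
```

Feed it the output captured before and after an upload test; the reasons that come back from delta() are the only ones worth chasing on the ASA, and an empty result points away from the firewall, as turned out to be the case here.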

Accepted Solution

After 2 days of troubleshooting with TAC, we finally figured out the issue. We narrowed down the problem by running speed tests on our other VLANs. All VLANs except for VLAN 1 were receiving our full 1GB UP/DOWN internet speeds. The engineer from TAC put in the command "no ip redirects" on Interface VLAN1 and we immediately started receiving 1 GB UP/DOWN speeds on that VLAN. This command was entered on our Cisco core switch and not the firewall. After extensive testing, it was determined that our firewall was not the culprit. We determined this by plugging directly into the firewall and running successful speed tests.

I hope this helps someone else resolve their issue.

Thanks
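The fix in the accepted answer was applied per SVI, and on IOS the "no ip redirects" line only appears in the running config where someone has already disabled the default. The script below, an added example and not the poster's or Cisco's code, walks a running-config excerpt and lists the VLAN interfaces still at the default, so the same check can be run across every SVI instead of only the one that happened to be tested. The config text is constructed for illustration; the thread does not show the actual switch configuration.

```python
import re

# Constructed IOS-style running-config excerpt for illustration; the poster's
# actual switch configuration is not shown in the thread.
SAMPLE_SWITCH_CONFIG = """\
hostname core-sw
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan10
 description Servers
 ip address 192.0.2.129 255.255.255.128
 no ip redirects
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
"""

SVI_RE = re.compile(r"Vlan\d+")

def svi_redirect_status(config):
    """Map each 'interface VlanN' stanza to True if ICMP redirects are still
    enabled there. IOS enables them by default, so the running config only
    carries the line when it has been negated with 'no ip redirects'."""
    status, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = name if SVI_RE.fullmatch(name) else None
            if current:
                status[current] = True
        elif line.startswith("!"):  # end of the current stanza
            current = None
        elif current and line.strip() == "no ip redirects":
            status[current] = False
    return status

def svis_with_redirects(config):
    """Names of the SVIs that would still need the change from the accepted answer."""
    return sorted(n for n, on in svi_redirect_status(config).items() if on)
```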


2 Replies

Brad_Shawh (Level 1)

Can you shut down the SFR module and try? I have had some speed issues, not exactly as you describe but similar ones, due to the SFR module.