Slowness in RDP with NAT - ASA 5525X 9.3

Fernand DOUBI
Level 1

Hello All,

I did a swap of ASA 5520 to 5525-X. NATs are working fine but users cannot display the interface when using RDP.

The sessions are very slow compared to the old ASA.

When I did a rollback to ASA 5520, the RDP sessions are working correctly.

Pings to the NAT IP addresses with a size of 1500 bytes are failing with packet loss, but servers physically located in the DMZ are responding correctly to the ping.

Attached are the pcap files captured while troubleshooting.

Thanks for help.

Internet-----VPN3000---(NAT IP DMZ server)----ASA9.3-------Inside (Real DMZ Server)


11 Replies

Philip D'Ath
VIP Alumni

You have an MTU issue.  Try "sysopt connection tcpmss 1000" as a quick test.  If that works try it at 1300 and if that works just leave it.

Hello Philip,

Thanks for replying.

Please find below my existing parameters. Should I increase or decrease the TCP MSS?

Thanks,

ASA# sh running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp dmz1
no sysopt noproxyarp dmz2
no sysopt noproxyarp dmz3
no sysopt noproxyarp dmz4
no sysopt noproxyarp dmz5

class-map global_policy
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect icmp
  inspect ils
  inspect http
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Just for an experiment, try using the setting below and see if it makes any difference:

sysopt connection tcpmss 1380

Hello Philip,

I migrated the new ASA with tcpmss (1380) but the RDP sessions were slow.

The existing ASA (5520), which is in production, also has the same tcpmss size, but RDP sessions are fine.

I'm wondering whether I should increase the size in the new deployment of 5525x.

Thanks,

If a 5520 can do the job fine, then a 5525 can do it.  A 5525 is much much faster.

Is the new 5525 plugging into the same ports, cables and connections as the old 5520?

Hello Philip,

The connections are not the same. In the next deployment, I will try to connect other cables.

I made a mistake when replying and I hit the correct answer button. I don't know how to undo it.

Thanks.

I think it would be an excellent idea to use the same cables and ports so it is more of a "like for like" test.

Hello Philip,

I'll follow your advice and I'll keep you informed after migration.

Thanks,

Hello Philip,

I used the same cables and the RDP sessions are now fine.

Thanks for help,

Yay.  I'm glad you now have it in production.

Philip D'Ath
VIP Alumni

Also try making sure "icmp error" inspection is enabled.

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
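As an added example (not code from this thread, from Cisco, or from either poster), the following Python script checks the two settings discussed above before a cut-over: whether the configured "sysopt connection tcpmss" value fits the smallest MTU on the path (Philip's MTU point earlier in the thread), and whether "inspect icmp" and "inspect icmp error" are present under the global policy (his last reply). The function names, the trimmed sample configuration built from the output Fernand pasted, and the tunnel-overhead parameter are assumptions of the example, not anything the ASA itself reports.

```python
"""Audit ASA running-config text for TCP MSS clamping and ICMP error inspection."""
import re

# Constructed sample: a trimmed copy of the excerpts pasted in the thread.
SAMPLE_CONFIG = """\
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect icmp error
  inspect icmp
  inspect http
!
service-policy global_policy global
"""

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options


def parse_tcpmss(config):
    """Return (tcpmss, minimum) from the 'sysopt connection tcpmss' lines.

    Either value is None when the corresponding line is absent.
    Lines prefixed with 'no ' are ignored because the regex anchors at 'sysopt'.
    """
    mss = minimum = None
    for line in config.splitlines():
        m = re.match(r"\s*sysopt connection tcpmss minimum (\d+)\s*$", line)
        if m:
            minimum = int(m.group(1))
            continue
        m = re.match(r"\s*sysopt connection tcpmss (\d+)\s*$", line)
        if m:
            mss = int(m.group(1))
    return mss, minimum


def policy_inspections(config, policy_name="global_policy",
                       class_name="inspection_default"):
    """Collect the 'inspect ...' entries under one class of one policy-map."""
    found = set()
    in_policy = in_class = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("policy-map "):
            # 'policy-map type inspect ...' blocks are different policies
            in_policy = stripped == f"policy-map {policy_name}"
            in_class = False
        elif in_policy and stripped.startswith("class "):
            in_class = stripped == f"class {class_name}"
        elif in_policy and in_class and stripped.startswith("inspect "):
            found.add(stripped[len("inspect "):].strip())
        elif stripped == "!":
            # '!' ends the policy-map block in ASA output
            in_policy = in_class = False
    return found


def audit(config, path_mtu, overhead=0):
    """Compare the configured MSS with what the path allows and check ICMP inspection.

    path_mtu: smallest link MTU on the path (1500 for plain Ethernet).
    overhead: assumed per-packet encapsulation bytes (e.g. an IPsec tunnel on
              the path); 0 when no tunnel is involved.
    Returns a dict of findings; boolean values are True when the setting is safe.
    """
    mss, _ = parse_tcpmss(config)
    max_mss = path_mtu - overhead - IP_TCP_HEADERS
    inspections = policy_inspections(config)
    return {
        "tcpmss_configured": mss,
        "max_mss_for_path": max_mss,
        # An MSS above this value makes the ASA forward segments that must be
        # fragmented or dropped downstream, which shows up as slow RDP sessions.
        "mss_fits_path": mss is not None and mss <= max_mss,
        # Without these, ICMP error replies (e.g. fragmentation needed) for
        # NATed flows are not matched back to their session and get dropped.
        "icmp_inspected": "icmp" in inspections,
        "icmp_error_inspected": "icmp error" in inspections,
    }


if __name__ == "__main__":
    for path_mtu, overhead in ((1500, 0), (1400, 60)):
        print(f"path_mtu={path_mtu} overhead={overhead}:",
              audit(SAMPLE_CONFIG, path_mtu, overhead))
```

The header arithmetic assumes IPv4 and TCP without options; feed it the smallest MTU actually measured on the path rather than the interface value, since the thread's 1500-byte ping failures are exactly the symptom of a path that is narrower than the interface suggests.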