12-02-2011 09:40 AM - edited 03-11-2019 02:58 PM
Hello group,
I am in the process of switching ISP's, well, not really switching but add a 2nd backup connection. My current connection is a 3 meg pipe and is configured on my ASA 5510 onterface ethernet0/0. My new services is a 50 meg pipe and I have it configured on ethernet0/3. For testing purposes right now, connected to E0/3 I have a simple Cisco 3500 XL switch.
During my testing... I change my default route over so all internet traffic is redirected to the new ISP.(e0/3)
when I go to speedtest.net to verify my connection speed to the internet, I show only a 1 meg connection to the internet, when I by pass the firewall completely, I get a 50 meg connection.
I have racked my brain inside and out, analyzing rules, and etc... and for the life of me cannot figure out what is slowing down the connection to the internet.
Does anyone have any thoughts?
David
Solved! Go to Solution.
12-02-2011 12:08 PM
Hi Dave,
Always worth checking the basics first . I guess there could be a good many other aspects that could cause an impact.
By any chances are you using Windows 7 or 2008 Server as the client ?
12-02-2011 10:30 AM
5510 will easily surpass the 1Mbps speed your seeing. It would be difficult to consider without further details;
Speedtest.net has it's own variables that need to be considered. However:
Are you using the same cables?
Have you checked the duplex and speed settings?
Do you have any qos policies applied ?
What version of software is the 5510 running?
Are you running a VPN?
Regards
Julian
12-02-2011 11:57 AM
Hello....
WHile i agree speedtest is not perfect, I dont think this issue has anything to do with them.... 1 meg vs 50 meg...
anyways... I have checked the basics... of cables and port speeds and etc... nothing there....
yes, there is a qos policy applied as well as a url filtering server...
I have removed the url filtering server (websense) and tested... no difference...
when it gets to the qos policy... it gets a little beyond my comfort zone... but I did backup the asa... then I removed the qos filter.... tested... no difference...
restored asa to get qos policy back...
Cisco Adaptive Security Appliance Software Version 8.2(4)
Device Manager Version 6.3(5)
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Cisco Adaptive Security Appliance Software Version 8.2(4)
Device Manager Version 6.3(5)
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
frustrated.... but great full...
David
12-02-2011 12:08 PM
Hi Dave,
Always worth checking the basics first . I guess there could be a good many other aspects that could cause an impact.
By any chances are you using Windows 7 or 2008 Server as the client ?
12-02-2011 12:24 PM
opps I accidentally clicked correct answer....
I am running windows 7... why?
12-02-2011 12:32 PM
I asked about QOS Earlier as we were testing a FTTC xDSL solution with 40Mbps down and 12Mbps up which after applying a very basic QOS configuration the service was POLICED at 12Mbps down and 4Mbps up. However, I have the joy of upgrading a FWSM tonight because it does not support TCP AUTO-TUNING. If your not aware Microsoft altered the default behaviour in Vista and later OS's to auto-negotiate the Window-Size. The auto-tuning RFC allows them to exceed the standard Window-Size.
As a test open a command prompt and use:
netsh interface set global autotuninglevel=disabled
This results in enforcing TCP to its original specification and not exceeding the 65535 byte Window-size.
To revert its the same command with =enabled.
Then try your tests again.
12-02-2011 12:59 PM
hi...
it did not like your command as written... i googled and found the following...
netsh int tcp set global autotuninglevel=disabled
tried that... no change
set back to normal
12-02-2011 01:15 PM
Hi Dave,
Can you post a sanitised copy of the policy off of your ASA ?
12-02-2011 01:48 PM
ASA Version 8.2(4)
!
hostname ASA
domain-name xxx.org
enable password wZJefsykk8VmlkFg encrypted
passwd wZJefsykk8VmlkFg encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outsideICN
security-level 0
ip address 66.x.x.70 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.11.144.253 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 10
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
nameif OutsideComcast
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range Always
!
boot system disk0:/disk0asa727-k8.bin
boot system disk0:/asa824-k8.bin
boot system disk0:/asa824-k8,bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name skokie.org
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq 2534
port-object eq 2533
port-object range 2701 2750
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_2
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_3
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_4
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_5
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_6
network-object host 66.x.x.77
network-object host 66.x.x.78
access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0
access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0
access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0
access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0
access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0
access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0
access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.11.0.0 255.255.0.0
access-list nonat extended permit ip any 172.16.10.0 255.255.255.0
access-list outside_acl remark rule needed to allow rectrac to to talk to webtrac
access-list outside_acl extended permit tcp any host 66.x.x..73 object-group DM_INLINE_TCP_0
access-list outside_acl extended permit icmp any any time-range Always
access-list outside_acl extended permit tcp any host 66.x.x..74 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x..70 eq 9000 time-range Always
access-list outside_acl extended permit tcp any host 66.x.x..74 eq https time-range Always
access-list outside_acl extended permit tcp any host 66.x.x..75 eq www time-range Always
access-list outside_acl remark temp rule created on 11/8/2011 to allow griffonsys.com to view security cameras at SSP
access-list outside_acl extended permit tcp host 75.x.x..60 host 66.x.x..76 eq www time-range Always inactive
access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.79 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.74 eq ftp time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.80 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 eq https time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.72 eq 3389 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389 time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.85 eq 3389 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_2 eq smtp time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 eq 10101 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_3 eq pop3 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq 995 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq imap4
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_6 eq 993
access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 eq 2533 time-range Always
access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 eq 2532 time-range Always
access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 range 2901 2951 time-range Always
access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.8 eq domain time-range Always
access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 range 2901 3000 time-range Always
access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 range 2701 2751 time-range Always
access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.3 eq domain time-range Always
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit ip any any
access-list dmz_acl remark for fintrac demo
access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 eq 2534 time-range Always
access-list SPDVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SPDVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list OutsideComcast_access_in remark Implicit rule
access-list OutsideComcast_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu outsideICN 1500
mtu inside 1500
mtu dmz 1500
mtu OutsideComcast 1500
mtu management 1500
ip local pool SPDVPN_IP_POOL 172.16.10.1-172.16.10.10
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
global (outsideICN) 1 66.x.x..71 netmask 255.255.255.255
global (OutsideComcast) 1 10.1.10.3 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.144.0 255.255.255.0
nat (inside) 1 10.11.145.0 255.255.255.0
nat (inside) 1 10.11.146.0 255.255.255.0
nat (inside) 1 10.11.147.0 255.255.255.0
nat (inside) 1 10.11.148.0 255.255.255.0
nat (inside) 1 10.11.149.0 255.255.255.0
nat (inside) 1 10.11.150.0 255.255.255.0
nat (inside) 1 10.11.151.0 255.255.255.0
static (inside,outsideICN) 66.x.x.72 10.11.144.8 netmask 255.255.255.255
static (inside,outsideICN) 66.x.x.78 10.11.144.12 netmask 255.255.255.255
static (inside,outsideICN) 66.x.x.77 10.11.144.2 netmask 255.255.255.255
static (inside,outsideICN) 66.x.x.85 10.11.144.25 netmask 255.255.255.255
static (inside,outsideICN) 66.x.x.73 10.11.144.7 netmask 255.255.255.255
access-group outside_acl in interface outsideICN
access-group inside_access_in in interface inside
access-group dmz_acl in interface dmz
access-group OutsideComcast_access_in in interface OutsideComcast
route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1
route OutsideComcast 0.0.0.0 0.0.0.0 10.1.10.1 2
route inside 10.11.145.0 255.255.255.0 10.11.144.254 1
route inside 10.11.146.0 255.255.255.0 10.11.144.254 1
route inside 10.11.147.0 255.255.255.0 10.11.144.254 1
route inside 10.11.148.0 255.255.255.0 10.11.144.254 1
route inside 10.11.149.0 255.255.255.0 10.11.144.254 1
route inside 10.11.150.0 255.255.255.0 10.11.144.254 1
route inside 10.11.151.0 255.255.255.0 10.11.144.254 1
route inside 192.168.100.0 255.255.255.0 10.11.144.254 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 10.11.144.3
nt-auth-domain-controller skokiedc1
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 5
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.144.0 255.255.255.0 inside
http 10.11.0.0 255.255.0.0 inside
http 0.0.0.0 255.255.255.255 outsideICN
snmp-server location Weber
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 20 esp-des esp-md5-hmac
crypto ipsec transform-set 30 esp-des esp-md5-hmac
crypto ipsec transform-set 50 esp-des esp-md5-hmac
crypto ipsec transform-set 60 esp-des esp-md5-hmac
crypto ipsec transform-set 70 esp-des esp-md5-hmac
crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT
crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPN 20 match address 120
crypto map VPN 20 set peer 206.x.x..122
crypto map VPN 20 set transform-set 20
crypto map VPN 30 set peer 206.x.x..154
crypto map VPN 30 set transform-set 30
crypto map VPN 50 set peer 206.x.x..146
crypto map VPN 50 set transform-set 50
crypto map VPN 60 set peer 206.x.x..150
crypto map VPN 60 set transform-set 60
crypto map VPN 70 set peer 206.x.x..126
crypto map VPN 70 set transform-set 70
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outsideICN
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpnspd.skokie.org
subject-name CN=sslvpnspd
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 50d23f4d
308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105
05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86
4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17
0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931
12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01
09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a
864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f
6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0
a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a
6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d
33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86
4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499
d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466
44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee
d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a
cfdbd3d7 421a40c6 b7472323 d8
quit
crypto isakmp identity address
crypto isakmp enable outsideICN
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 10.11.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outsideICN
ssh 10.11.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 4
url-block url-size 4
url-block block 1
webvpn
enable outsideICN
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec
backup-servers clear-client-config
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy SPDVPN internal
group-policy SPDVPN attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPDVPN_splitTunnelAcl
default-domain value skokie.org
username tpanocha password sE2H9HubIXI75SNz encrypted privilege 15
username tpanocha attributes
vpn-group-policy SPDVPN
username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15
tunnel-group SPDVPN type remote-access
tunnel-group SPDVPN general-attributes
authentication-server-group DOMAIN
default-group-policy SPDVPN
dhcp-server 10.11.144.3
tunnel-group SPDVPN webvpn-attributes
group-alias SPD enable
tunnel-group SPDVPN ipsec-attributes
pre-shared-key *****
tunnel-group 206.x.x..126 type ipsec-l2l
tunnel-group 206.x.x..126 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect skinny
inspect mgcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ae7221a5d6335ef1e352d81063d9ac90
: end
12-02-2011 01:55 PM
Hi Dave,
Apologies, my old addled eyes, and this may be something you have laready tried.. did you say there was QOS applied? I cant see any
What may help is to remove the other default route: (e.g: is the traffic still flowing over the slower link)
route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1
route OutsideComcast 0.0.0.0 0.0.0.0 10.1.10.1 2
Cheers
Julian
12-02-2011 02:02 PM
The reason the " route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1" is active is becasue even at a 3 meg pipe it is still faster than the 50 meg comcast pipe.
if you notice, the metric on the second default is higher... when I test, I change these numbers around to force traffic out of the other pipe... i/e saves me time re writing the route command,,,
I have even tried... reconfiguring e0/0 with all of the new network settings... and plugging 50meg into e0/0... it changes nothing...
as for a policy... i thought the global default policy... was the QOS....
thanks...
12-02-2011 02:20 PM
Hi Dave,
Sorry missed that (weighted routing). The global default policy can apply QOS if configured but otherwise is an inspection map.
What the used to call fixups. The 8.2 code is known to be buggy but not sure if it's that buggy. Do you only get 1Mbps across your 3Mbps line as well through the ASA?
Have you tried it without the Websense configuration? eg based on the allowed connections is the redirection of traffic impacting the test. I know a large number of these sites use numerous files to implement there tests.
I usually test by downloading an ISO from a University. They usually have loads of bandwidth and most proxy tools dont bother scanning .iso's based on their compression format.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide