throughput issue on ASA 5510

David Hunt
Level 1

Hello group,

I am in the process of switching ISPs, well, not really switching but adding a 2nd backup connection. My current connection is a 3 meg pipe and is configured on my ASA 5510 interface Ethernet0/0. My new service is a 50 meg pipe and I have it configured on Ethernet0/3. For testing purposes right now, connected to E0/3 I have a simple Cisco 3500 XL switch.

During my testing, I change my default route over so all internet traffic is redirected to the new ISP (e0/3).

When I go to speedtest.net to verify my connection speed to the internet, I show only a 1 meg connection to the internet; when I bypass the firewall completely, I get a 50 meg connection.

I have racked my brain inside and out, analyzing rules, etc., and for the life of me cannot figure out what is slowing down the connection to the internet.

Does anyone have any thoughts?

David


11 Replies

ju_mobile
Level 1

A 5510 will easily surpass the 1Mbps speed you're seeing. It would be difficult to consider without further details.

Speedtest.net has its own variables that need to be considered. However:

Are you using the same cables?

Have you checked the duplex and speed settings?

Do you have any qos policies applied ?

What version of software is the 5510 running?

Are you running a VPN?

Regards

Julian

Hello....

While I agree speedtest is not perfect, I don't think this issue has anything to do with them.... 1 meg vs 50 meg...

Anyway... I have checked the basics... cables, port speeds, etc.... nothing there....

Yes, there is a QoS policy applied as well as a URL filtering server...

I have removed the URL filtering server (Websense) and tested... no difference...

When it gets to the QoS policy... it gets a little beyond my comfort zone... but I did back up the ASA... then I removed the QoS filter.... tested... no difference...

Restored the ASA to get the QoS policy back...

Cisco Adaptive Security Appliance Software Version 8.2(4)

Device Manager Version 6.3(5)

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 50       

Inside Hosts                   : Unlimited

Failover                       : Disabled

VPN-DES                        : Enabled  

VPN-3DES-AES                   : Enabled  

Security Contexts              : 0        

GTP/GPRS                       : Disabled 

SSL VPN Peers                  : 2        

Total VPN Peers                : 250      

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled 

AnyConnect for Cisco VPN Phone : Disabled 

AnyConnect Essentials          : Disabled 

Advanced Endpoint Assessment   : Disabled 

UC Phone Proxy Sessions        : 2        

Total UC Proxy Sessions        : 2        

Botnet Traffic Filter          : Disabled 


frustrated.... but grateful...

David

Hi Dave,

Always worth checking the basics first. I guess there could be a good many other aspects that could cause an impact.

By any chance are you using Windows 7 or 2008 Server as the client?

Oops, I accidentally clicked correct answer....

I am running Windows 7... why?

I asked about QoS earlier as we were testing a FTTC xDSL solution with 40Mbps down and 12Mbps up which, after applying a very basic QoS configuration, was POLICED at 12Mbps down and 4Mbps up. However, I have the joy of upgrading a FWSM tonight because it does not support TCP auto-tuning. If you're not aware, Microsoft altered the default behaviour in Vista and later OSs to auto-negotiate the window size. The auto-tuning RFC allows them to exceed the standard window size.

As a test open a command prompt and use:

netsh interface set global autotuninglevel=disabled

This results in enforcing TCP to its original specification and not exceeding the 65535-byte window size.

To revert, it's the same command with =enabled.

Then try your tests again.
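The window-size point above is testable rather than something to take on faith: a single TCP connection can move at most one receive window per round trip, so if anything in the path (a client with auto-tuning off, or a middlebox that does not pass the window-scale option) pins the window at 64 KB or less, throughput is capped regardless of link speed. The following Python is an added example, not code from the thread or from Cisco: it parses the option list of a constructed SYN (values chosen to match a default Windows 7 client, which is an assumption, not a capture from the poster's network), models a middlebox clearing the window-scale option, and computes the ceiling each window imposes at an assumed 50 ms RTT. Whether the poster's ASA actually does this is not established by the thread; the example only shows what to look for in a capture taken on both sides of the firewall.

```python
import struct

# Constructed TCP SYN (20-byte header + 20 bytes of options); not a capture from
# the poster's network. Window field 8192, options: MSS 1460, NOP, window scale 8,
# SACK-permitted, timestamps. This mirrors what a Windows 7 client sends by
# default with receive-window auto-tuning on (assumption for the example).
SYN_WITH_WSCALE = bytes.fromhex(
    "c350" "0050"                    # src port 50000, dst port 80
    "00000001"                       # sequence number
    "00000000"                       # ack number (unused in a SYN)
    "a0" "02"                        # data offset 10 (40 bytes), flags = SYN
    "2000"                           # window 8192
    "0000" "0000"                    # checksum (left zero), urgent pointer
    "02" "04" "05b4"                 # kind 2, len 4: MSS 1460
    "01"                             # kind 1: NOP
    "03" "03" "08"                   # kind 3, len 3: window scale shift 8
    "04" "02"                        # kind 4, len 2: SACK permitted
    "08" "0a" "00000001" "00000000"  # kind 8, len 10: TSval 1, TSecr 0
)


def parse_tcp_options(segment: bytes) -> dict:
    """Walk the TCP option list (kind/length/data) and return the options a
    window-size calculation cares about."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        body = opts[i + 2:i + length]
        if kind == 2:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            found["wscale"] = body[0]
        elif kind == 4:
            found["sack_permitted"] = True
        elif kind == 8:
            found["tsval"], found["tsecr"] = struct.unpack("!II", body)
        i += length
    return found


def clear_window_scale(segment: bytes) -> bytes:
    """Model a middlebox that does not support window scaling: overwrite the
    window-scale option with NOPs so neither end can scale its window."""
    data_offset = (segment[12] >> 4) * 4
    buf = bytearray(segment)
    i = 20
    while i < data_offset:
        kind = buf[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = buf[i + 1]
        if kind == 3:
            buf[i:i + length] = b"\x01" * length
        i += length
    return bytes(buf)


def effective_window(segment: bytes) -> int:
    """Window field of this segment after the scale factor it carries is applied."""
    window = struct.unpack("!H", segment[14:16])[0]
    return window << parse_tcp_options(segment).get("wscale", 0)


def window_bound_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput ceiling of one TCP connection: at most one window per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000.0) / 1e6


if __name__ == "__main__":
    rtt = 50.0  # assumed round-trip time in ms for the example path
    scaled = effective_window(SYN_WITH_WSCALE)
    unscaled = effective_window(clear_window_scale(SYN_WITH_WSCALE))
    print("options:", parse_tcp_options(SYN_WITH_WSCALE))
    print(f"scaled window {scaled} B -> {window_bound_mbps(scaled, rtt):.1f} Mbit/s at {rtt} ms")
    print(f"unscaled window {unscaled} B -> {window_bound_mbps(unscaled, rtt):.2f} Mbit/s")
    print(f"largest unscaled window 65535 B -> {window_bound_mbps(65535, rtt):.1f} Mbit/s")
```

The practical check is to capture the SYN on the inside interface and again on the outside (or on the far end) and compare the option lists; a window-scale option present on one side and missing on the other points at the device in between, while identical options on both sides rule window scaling out and send the investigation back to the firewall's own drop counters.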

hi...

It did not like your command as written... I googled and found the following...

netsh int tcp set global autotuninglevel=disabled

Tried that... no change.

Set back to normal.

Hi Dave,

Can you post a sanitised copy of the policy off of your ASA ?

ASA Version 8.2(4)

!

hostname ASA

domain-name xxx.org

enable password wZJefsykk8VmlkFg encrypted

passwd wZJefsykk8VmlkFg encrypted

names

dns-guard

!

interface Ethernet0/0

speed 100

duplex full

nameif outsideICN

security-level 0

ip address 66.x.x.70 255.255.255.224

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.11.144.253 255.255.255.0

!

interface Ethernet0/2

speed 100

duplex full

nameif dmz

security-level 10

ip address 10.1.1.1 255.255.255.0

!

interface Ethernet0/3

nameif OutsideComcast

security-level 0

ip address x.x.x.x 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

!

time-range Always

!

boot system disk0:/disk0asa727-k8.bin

boot system disk0:/asa824-k8.bin

boot system disk0:/asa824-k8,bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name skokie.org

object-group service DM_INLINE_TCP_0 tcp

port-object eq www

port-object eq 2534

port-object eq 2533

port-object range 2701 2750

port-object eq https

object-group network DM_INLINE_NETWORK_1

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_2

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_3

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_4

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_5

network-object host 66.x.x.77

network-object host 66.x.x.78

object-group network DM_INLINE_NETWORK_6

network-object host 66.x.x.77

network-object host 66.x.x.78

access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0

access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0

access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0

access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0

access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0

access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0

access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0

access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat extended permit ip any 10.11.0.0 255.255.0.0

access-list nonat extended permit ip any 172.16.10.0 255.255.255.0

access-list outside_acl remark rule needed to allow rectrac to to talk to webtrac

access-list outside_acl extended permit tcp any host 66.x.x..73 object-group DM_INLINE_TCP_0

access-list outside_acl extended permit icmp any any time-range Always

access-list outside_acl extended permit tcp any host 66.x.x..74 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x..70 eq 9000 time-range Always

access-list outside_acl extended permit tcp any host 66.x.x..74 eq https time-range Always

access-list outside_acl extended permit tcp any host 66.x.x..75 eq www time-range Always

access-list outside_acl remark temp rule created on 11/8/2011 to allow griffonsys.com to view security cameras at SSP

access-list outside_acl extended permit tcp host 75.x.x..60 host 66.x.x..76 eq www time-range Always inactive

access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.79 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.74 eq ftp time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.80 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.78 eq www time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.78 eq https time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.72 eq 3389 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389 time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.85 eq 3389 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_2 eq smtp time-range Always

access-list outside_acl extended permit tcp any host 66.x.x.78 eq 10101 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_3 eq pop3 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq 995 time-range Always

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq imap4

access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_6 eq 993

access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 eq 2533 time-range Always

access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 eq 2532 time-range Always

access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 range 2901 2951 time-range Always

access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.8 eq domain time-range Always

access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.7 range 2901 3000 time-range Always

access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 range 2701 2751 time-range Always

access-list dmz_acl extended permit udp host 10.1.1.3 host 10.11.144.3 eq domain time-range Always

access-list dmz_acl extended permit icmp any any

access-list dmz_acl extended permit ip any any

access-list dmz_acl remark for fintrac demo

access-list dmz_acl extended permit tcp host 10.1.1.3 host 10.11.144.7 eq 2534 time-range Always

access-list SPDVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list SPDVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list OutsideComcast_access_in remark Implicit rule

access-list OutsideComcast_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm warnings

mtu outsideICN 1500

mtu inside 1500

mtu dmz 1500

mtu OutsideComcast 1500

mtu management 1500

ip local pool SPDVPN_IP_POOL 172.16.10.1-172.16.10.10

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

asdm history enable

arp timeout 14400

global (outsideICN) 1 66.x.x..71 netmask 255.255.255.255

global (OutsideComcast) 1 10.1.10.3 netmask 255.255.255.255

nat (inside) 0 access-list nonat

nat (inside) 1 10.11.144.0 255.255.255.0

nat (inside) 1 10.11.145.0 255.255.255.0

nat (inside) 1 10.11.146.0 255.255.255.0

nat (inside) 1 10.11.147.0 255.255.255.0

nat (inside) 1 10.11.148.0 255.255.255.0

nat (inside) 1 10.11.149.0 255.255.255.0

nat (inside) 1 10.11.150.0 255.255.255.0

nat (inside) 1 10.11.151.0 255.255.255.0

static (inside,outsideICN) 66.x.x.72 10.11.144.8 netmask 255.255.255.255

static (inside,outsideICN) 66.x.x.78 10.11.144.12 netmask 255.255.255.255

static (inside,outsideICN) 66.x.x.77 10.11.144.2 netmask 255.255.255.255

static (inside,outsideICN) 66.x.x.85 10.11.144.25 netmask 255.255.255.255

static (inside,outsideICN) 66.x.x.73 10.11.144.7 netmask 255.255.255.255

access-group outside_acl in interface outsideICN

access-group inside_access_in in interface inside

access-group dmz_acl in interface dmz

access-group OutsideComcast_access_in in interface OutsideComcast

route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1

route OutsideComcast 0.0.0.0 0.0.0.0 10.1.10.1 2

route inside 10.11.145.0 255.255.255.0 10.11.144.254 1

route inside 10.11.146.0 255.255.255.0 10.11.144.254 1

route inside 10.11.147.0 255.255.255.0 10.11.144.254 1

route inside 10.11.148.0 255.255.255.0 10.11.144.254 1

route inside 10.11.149.0 255.255.255.0 10.11.144.254 1

route inside 10.11.150.0 255.255.255.0 10.11.144.254 1

route inside 10.11.151.0 255.255.255.0 10.11.144.254 1

route inside 192.168.100.0 255.255.255.0 10.11.144.254 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server DOMAIN protocol nt

aaa-server DOMAIN (inside) host 10.11.144.3

nt-auth-domain-controller skokiedc1

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

reval-period 36000

sq-period 300

url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 5

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication secure-http-client

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.11.144.0 255.255.255.0 inside

http 10.11.0.0 255.255.0.0 inside

http 0.0.0.0 255.255.255.255 outsideICN

snmp-server location Weber

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set 20 esp-des esp-md5-hmac

crypto ipsec transform-set 30 esp-des esp-md5-hmac

crypto ipsec transform-set 50 esp-des esp-md5-hmac

crypto ipsec transform-set 60 esp-des esp-md5-hmac

crypto ipsec transform-set 70 esp-des esp-md5-hmac

crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT

crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 10 set reverse-route

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map VPN 20 match address 120

crypto map VPN 20 set peer 206.x.x..122

crypto map VPN 20 set transform-set 20

crypto map VPN 30 set peer 206.x.x..154

crypto map VPN 30 set transform-set 30

crypto map VPN 50 set peer 206.x.x..146

crypto map VPN 50 set transform-set 50

crypto map VPN 60 set peer 206.x.x..150

crypto map VPN 60 set transform-set 60

crypto map VPN 70 set peer 206.x.x..126

crypto map VPN 70 set transform-set 70

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outsideICN

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn sslvpnspd.skokie.org

subject-name CN=sslvpnspd

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 50d23f4d

    308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105

    05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86

    4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17

    0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931

    12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01

    09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a

    864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f

    6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0

    a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a

    6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d

    33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86

    4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499

    d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466

    44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee

    d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a

    cfdbd3d7 421a40c6 b7472323 d8

  quit

crypto isakmp identity address

crypto isakmp enable outsideICN

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

telnet 10.11.0.0 255.255.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outsideICN

ssh 10.11.0.0 255.255.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

url-block url-mempool 4

url-block url-size 4

url-block block 1

webvpn

enable outsideICN

svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

wins-server value 10.11.144.3 10.11.144.8

dns-server value 10.11.144.3 10.11.144.8

vpn-tunnel-protocol IPSec

backup-servers clear-client-config

nac-settings value DfltGrpPolicy-nac-framework-create

webvpn

  svc keepalive none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

  customization value DfltCustomization

group-policy SPDVPN internal

group-policy SPDVPN attributes

wins-server value 10.11.144.3 10.11.144.8

dns-server value 10.11.144.3 10.11.144.8

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPDVPN_splitTunnelAcl

default-domain value skokie.org

username tpanocha password sE2H9HubIXI75SNz encrypted privilege 15

username tpanocha attributes

vpn-group-policy SPDVPN

username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15

tunnel-group SPDVPN type remote-access

tunnel-group SPDVPN general-attributes

authentication-server-group DOMAIN

default-group-policy SPDVPN

dhcp-server 10.11.144.3

tunnel-group SPDVPN webvpn-attributes

group-alias SPD enable

tunnel-group SPDVPN ipsec-attributes

pre-shared-key *****

tunnel-group 206.x.x..126 type ipsec-l2l

tunnel-group 206.x.x..126 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect http

  inspect skinny 

  inspect mgcp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ae7221a5d6335ef1e352d81063d9ac90

: end

Hi Dave,

Apologies, my old addled eyes, and this may be something you have already tried... did you say there was QoS applied? I can't see any.

What may help is to remove the other default route (e.g. is the traffic still flowing over the slower link?):

route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1

route OutsideComcast 0.0.0.0 0.0.0.0 10.1.10.1 2

Cheers

Julian

The reason the "route outsideICN 0.0.0.0 0.0.0.0 66.x.x.67 1" is active is because even at a 3 meg pipe it is still faster than the 50 meg Comcast pipe.

If you notice, the metric on the second default is higher... when I test, I change these numbers around to force traffic out of the other pipe, i.e. it saves me time rewriting the route command...

I have even tried reconfiguring e0/0 with all of the new network settings and plugging the 50 meg into e0/0... it changes nothing...

As for a policy... I thought the global default policy was the QoS....

thanks...

Hi Dave,

Sorry, missed that (weighted routing). The global default policy can apply QoS if configured but otherwise is an inspection map.

What they used to call fixups. The 8.2 code is known to be buggy but not sure if it's that buggy. Do you only get 1Mbps across your 3Mbps line as well through the ASA?

Have you tried it without the Websense configuration? e.g. based on the allowed connections, is the redirection of traffic impacting the test? I know a large number of these sites use numerous files to implement their tests.

I usually test by downloading an ISO from a university. They usually have loads of bandwidth and most proxy tools don't bother scanning .iso's based on their compression format.
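The point that the global policy is an inspection map, not QoS, is worth making mechanically, because on an ASA a policy-map only limits bandwidth if one of its classes carries a police, shape or priority action and the policy is actually applied with service-policy. The following Python is an added example, not code from the thread or from Cisco: it parses a constructed config excerpt modelled on the posted global_policy, plus a hypothetical policy-map named qos_outside with a police and a shape action applied to outsideICN for contrast, and reports only the QoS actions that are in effect. The excerpt and the qos_outside policy are assumptions for the example, not part of the poster's config.

```python
# Rate-limiting actions an ASA policy-map class can carry (MPF QoS).
QOS_ACTIONS = ("police", "shape", "priority")

# Constructed excerpt: the inspection-only global policy as posted in the
# thread, plus a hypothetical QoS policy on outsideICN that is NOT in the
# poster's config, included so the parser has something to find.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq www
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
policy-map qos_outside
 class http_traffic
  police output 1000000 8000
 class class-default
  shape average 3000000
!
service-policy global_policy global
service-policy qos_outside interface outsideICN
"""


def parse_policies(config: str):
    """Return (policies, applied): policy name -> {class -> [action lines]},
    and policy name -> 'global' or 'interface <name>'. Indentation-insensitive,
    since pasted configs usually lose it."""
    policies = {}
    applied = {}
    current = None
    current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "policy-map":
            # 'policy-map type inspect ...' maps hold protocol parameters,
            # never QoS actions, so they are skipped.
            current = None if words[1] == "type" else words[1]
            if current is not None:
                policies[current] = {}
            current_class = None
        elif words[0] == "class" and current is not None:
            current_class = words[1]
            policies[current][current_class] = []
        elif words[0] == "service-policy":
            scope = "global" if words[2] == "global" else f"interface {words[3]}"
            applied[words[1]] = scope
        elif current is not None and current_class is not None:
            policies[current][current_class].append(line)
    return policies, applied


def qos_actions(config: str):
    """Every police/shape/priority action inside an applied policy, as
    (policy, class, action, scope). Empty means no QoS is in effect, whatever
    the policy-maps are called."""
    policies, applied = parse_policies(config)
    found = []
    for name, scope in applied.items():
        for cls, actions in policies.get(name, {}).items():
            for action in actions:
                if action.split()[0] in QOS_ACTIONS:
                    found.append((name, cls, action, scope))
    return found


def police_rate_bps(action: str):
    """Conform rate in bit/s from 'police {input|output} <rate> [burst] ...'."""
    words = action.split()
    if words[0] != "police":
        return None
    for word in words[1:]:
        if word.isdigit():
            return int(word)
    return None


if __name__ == "__main__":
    hits = qos_actions(SAMPLE_CONFIG)
    if not hits:
        print("no QoS actions in any applied policy")
    for policy, cls, action, scope in hits:
        rate = police_rate_bps(action)
        extra = f" (conform rate {rate / 1e6:.1f} Mbit/s)" if rate else ""
        print(f"{scope}: policy {policy}, class {cls}: {action}{extra}")
```

Run against the thread's full posted config the result is empty, which is what Julian read off by eye; a non-empty result names the interface and rate to compare against the observed 1 Mbps.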
