11-25-2014 02:12 AM - edited 03-11-2019 10:07 PM
Dear Team,
Need help troubleshooting a Cisco ASA5510; YouTube streaming is slow.
If connecting directly to the router without the ASA, there is no streaming problem.
11-25-2014 11:42 AM
Did you configure any QoS on the ASA, or did you verify the interface settings? We need more information to solve this.
Thanks
Murali
11-25-2014 09:22 PM
11-26-2014 02:48 AM
Are you having that streaming issue only with YouTube or also with other streaming sites?
11-26-2014 02:50 AM
Any other streaming site; can you give any suggestion?
11-26-2014 02:52 AM
11-26-2014 05:16 AM
For all streaming websites, the stream is slow.
Have internet speed 11mb.
11-26-2014 06:41 AM
Please try to hardcode the speed/duplex on ASA and router ports and try again.
Regards,
Aref
11-26-2014 12:14 PM
my router config is as below
interface FastEthernet0/2/3
!
interface Vlan1
description "Connection to FW"
bandwidth 2048
ip address xx.xx.xx.xx 255.255.255.240
ip accounting output-packets
ip mtu 1400
ip route-cache flow
ip tcp adjust-mss 1360
load-interval 30
!
my ASA config is as below
interface Ethernet0/0
description "Connection to ISP"
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.240
!
RTCC-ASA1# sh int eth0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Description: "Connection to ISP"
MAC address 0023.04ed.d764, MTU 1500
IP address xx.xx.xx.xx, subnet mask 255.255.255.240
13129548 packets input, 12691294404 bytes, 0 no buffer
Received 489 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
11521960 packets output, 4465776906 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (5/29)
output queue (curr/max packets): hardware (0/33)
Traffic Statistics for "outside":
13129066 packets input, 12444272189 bytes
11521960 packets output, 4221962214 bytes
691249 packets dropped
1 minute input rate 472 pkts/sec, 335583 bytes/sec
1 minute output rate 449 pkts/sec, 223280 bytes/sec
1 minute drop rate, 10 pkts/sec
5 minute input rate 695 pkts/sec, 726103 bytes/sec
5 minute output rate 527 pkts/sec, 81686 bytes/sec
5 minute drop rate, 27 pkts/sec
11-26-2014 11:10 PM
Hi,
I see that you have IPS in inline mode:
access-list traffic_for_IPS extended permit ip any any
class-map IPS_class_map
match access-list traffic_for_IPS
policy-map global_policy
class IPS_class_map
ips inline fail-open <---
Have you tried removing IPS redirection for testing purposes? It is possible that IPS is causing this slowness.
To remove IPS:
conf t
policy-map global_policy
class IPS_class_map
no ips inline fail-open
After testing, just add the last line back.
Please share IPS version being used.
Not directly related to the issue, but the ASA version is really old (7.0). It might be a good idea to consider an upgrade.
Regards,
Srinath
11-27-2014 12:50 AM
Dear srinath,
Tried removing IPS.
Slow, but better than the first state.
Before, when we used a YouTube downloader, it also stopped in the middle.
After removing IPS, it's downloading without stopping.
RTCC-ASA1# sh module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Serial Number: JAF1241AKJJ
Firmware version: 1.0(11)4
Software version: 6.0(5)E2
MAC Address Range: 0023.044b.5e0b to 0023.044b.5e0b
Data plane Status: Up
Status: Up
Mgmt IP addr: 10.55.0.100
Mgmt web ports: 443
Mgmt TLS enabled: true
RTCC-ASA1#
11-27-2014 01:15 AM
A workaround is to exclude HTTP/HTTPS traffic from IPS scanning. You can do this by adding the below lines:
access-list traffic_for_IPS line 1 extended deny tcp any any eq www
access-list traffic_for_IPS line 2 extended deny tcp any any eq https
These would however be only workarounds and not a complete resolution.
One of the things to improve performance through IPS is 'regex depth' (the amount of bytes the IPS scans for an attack in a session). Unfortunately, manually changing this via CLI was only introduced with IPS version 7.1(8).
Any chance you could open a TAC case for this issue?
Regards,
Srinath
11-27-2014 01:17 AM
Sorry, not able to open TAC as no support is available.
11-27-2014 05:27 PM
The ACL causes all HTTP/HTTPS traffic to bypass IPS scanning. As I stated, it is just a workaround which excludes web traffic from scanning and hence improves performance.
Regarding security, there would be no IPS scanning/blocking for web traffic. This compromises IPS-level security for the web traffic, but the ASA would still do layer 4 TCP checks on this traffic. I see in the config that you also have 2 web servers on your inside interface. Disabling IPS for these servers is not recommended. Here is how we can ensure we have IPS for your internal servers but not for Internet-bound web traffic. Just add the below lines to the existing config:
access-list traffic_for_IPS line 1 extended permit ip any host 172.17.2.6
access-list traffic_for_IPS line 2 extended permit ip any host 172.17.2.32
The above ACLs redirect traffic destined to your internal servers to the IPS, but all the remaining HTTP/HTTPS traffic is not redirected. All other non-web traffic would still be redirected to the IPS because of 'ip any any' at the end. Note that the ordering of the lines is important.
Please apply the above and share results. Please also share the output of 'show access-list traffic_for_IPS' in case of any issues.
Regards,
Srinath
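Added example (not part of the original posts, and not Cisco code): a small Python model of how the traffic_for_IPS ACL is evaluated top-down with first match once the lines from this thread are inserted by line number, showing which flows are still sent to the IPS. The function names and the Internet address 203.0.113.10 are illustrative assumptions.

```python
import ipaddress

def parse_ace(text):
    """Parse the ACE forms used in this thread (source is always 'any')."""
    t = text.split()
    if t[2] != "any":
        raise ValueError("only 'any' sources are modelled")
    action, proto, rest = t[0], t[1], t[3:]
    if rest[0] == "host":
        dst, rest = ipaddress.ip_address(rest[1]), rest[2:]
    else:
        dst, rest = None, rest[1:]          # destination 'any'
    port = {"www": 80, "https": 443}[rest[1]] if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "dst": dst, "port": port, "text": text}

def insert_line(acl, line_no, text):
    """'access-list NAME line N ...' inserts at position N; later ACEs shift down."""
    acl.insert(line_no - 1, parse_ace(text))

def redirected_to_ips(acl, proto, dst_ip, dst_port=None):
    """First matching ACE decides; no match is an implicit deny (not redirected)."""
    dst = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dst"] is not None and ace["dst"] != dst:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"] == "permit"
    return False

def build_acl():
    acl = [parse_ace("permit ip any any")]                  # original config
    insert_line(acl, 1, "deny tcp any any eq www")          # web bypass workaround
    insert_line(acl, 2, "deny tcp any any eq https")
    insert_line(acl, 1, "permit ip any host 172.17.2.6")    # server exceptions on top
    insert_line(acl, 2, "permit ip any host 172.17.2.32")
    return acl

if __name__ == "__main__":
    acl = build_acl()
    for n, ace in enumerate(acl, 1):
        print(n, ace["text"])
    # Constructed sample flows: (protocol, destination IP, destination port)
    flows = [("tcp", "172.17.2.6", 80), ("tcp", "203.0.113.10", 443),
             ("udp", "203.0.113.10", 53)]
    for flow in flows:
        print(flow, "-> IPS" if redirected_to_ips(acl, *flow) else "-> bypasses IPS")
```

If the two server entries sat below the `deny ... eq www` / `eq https` lines, web traffic to 172.17.2.6 and 172.17.2.32 would match the deny first and skip the IPS.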
11-28-2014 11:35 PM
Thanks Sri,
You mean replacing or adding to the following
access-list traffic_for_IPS line 1 extended deny tcp any any eq www
access-list traffic_for_IPS line 2 extended deny tcp any any eq https
with
access-list traffic_for_IPS line 1 extended permit ip any host 172.17.2.6
access-list traffic_for_IPS line 2 extended permit ip any host 172.17.2.32