ASA 5505 bandwidth problem

george.mattson1
Level 1

Hi all, first post in the community, hoping you can help.


We recently upgraded our 20/45 MOE circuit to a 50/100 circuit, but are not seeing any kind of bandwidth increase inside the network.  Our vendor (First Digital) has tested the circuit and I can see that when a client is directly connected to the circuit itself, it can see approximately 90Mb up and down.  From port #7 on the ASA 5505, however, I can never see more than about 16-18Mb, which is exactly what we saw prior to the upgrade.  This leads me to believe that there is some kind of configuration issue with the firewall itself, but I'm not overly strong with Cisco IOS and don't know what it might be.  Would anyone be able to advise as to what the offending issue would be?

Config follows:


SLC-FW# show conf
: Saved
:
: Serial Number: JMX150340P0
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by pslocal at 22:42:08.889 UTC Fri Mar 27 2015
!
ASA Version 9.1(6)
!
hostname SLC-FW
domain-name plansource.local
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.50.0.0 A-10.50.0.0 description ViaWest Colo
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.250.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 205.204.36.195 255.255.255.224
!
boot system disk0:/asa916-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name plansource.local
object network obj-10.4.254.1
 host 10.4.254.1
object network obj-10.110.254.1
 host 10.110.254.1
object network obj-10.4.0.0
 subnet 10.4.0.0 255.255.0.0
object network A-10.50.0.0
 subnet 10.50.0.0 255.255.0.0
object network obj-10.4.3.16
 host 10.4.3.16
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_3
 network-object host 10.4.2.19
 network-object host 10.4.3.210
 network-object host 10.4.3.25
 network-object host 10.4.254.1
 network-object host 10.4.2.20
 network-object host 10.4.2.21
object-group network DM_INLINE_NETWORK_4
 network-object host 10.110.2.20
 network-object host 10.110.3.210
 network-object host 10.110.3.37
 network-object host 10.110.254.1
 network-object host 10.110.2.62
 network-object host 10.110.2.63
 network-object host 10.110.2.64
 network-object host 10.110.2.66
 network-object host 10.110.2.67
 network-object host 10.110.2.68
 network-object host 10.110.2.69
object-group network DM_INLINE_NETWORK_1
 network-object 10.40.0.0 255.255.0.0
 network-object 10.4.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.110.0.0 255.255.0.0
 network-object 10.140.0.0 255.255.0.0
 network-object 10.8.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
 network-object 10.4.0.0 255.255.0.0
 network-object 10.40.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_6
 network-object 10.110.0.0 255.255.0.0
 network-object 10.140.0.0 255.255.0.0
 network-object 10.8.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_7
 network-object 10.110.0.0 255.255.0.0
 network-object 10.8.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.4.0.0 255.255.0.0
 network-object 10.40.0.0 255.255.0.0
object-group service EQ-Repl tcp
 description EQ Replication
 port-object eq 3260
object-group network DM_INLINE_NETWORK_9
 network-object host 64.132.243.34
 network-object host 66.35.91.12
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound remark Replication nodes.
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list inside_nat0_outbound extended permit ip host 10.4.254.1 host 10.110.254.1
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.0.0 object A-10.50.0.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4
access-list inside_mpc extended permit tcp 10.110.2.0 255.255.255.0 10.4.2.0 255.255.255.0 object-group EQ-Repl inactive
access-list outside_2_cryptomap extended permit ip 10.4.0.0 255.255.0.0 object A-10.50.0.0
access-list outside_access_in extended permit icmp host 10.110.254.1 host 10.4.254.1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list outside_access_in extended permit ip object A-10.50.0.0 10.4.0.0 255.255.0.0
access-list outside_access_in remark temp workaround for slow TW
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 host 10.4.3.16 inactive
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap informational
logging asdm informational
logging host inside 10.110.3.41
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.4.254.1 obj-10.4.254.1 destination static obj-10.110.254.1 obj-10.110.254.1 no-proxy-arp route-lookup
nat (inside,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.4.0.0 obj-10.4.0.0 destination static A-10.50.0.0 A-10.50.0.0 no-proxy-arp route-lookup
!
object network obj-10.4.3.16
 nat (inside,outside) static 205.204.36.196
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.204.36.193 1
route inside 10.4.0.0 255.255.0.0 10.4.250.1 1
route inside 10.40.0.0 255.255.0.0 10.4.250.1 1
route outside A-10.50.0.0 255.255.0.0 205.204.36.193 1
route inside 10.110.3.22 255.255.255.255 10.4.250.1 1
route inside 10.110.3.41 255.255.255.255 10.4.250.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 66.35.91.12 255.255.255.255 outside
http 207.30.28.0 255.255.255.0 outside
http 99.168.123.146 255.255.255.255 outside
http 184.89.24.213 255.255.255.255 outside
http 68.202.250.13 255.255.255.255 outside
snmp-server host inside 10.110.3.22 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 66.35.91.12
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 66.97.139.68
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 207.30.28.0 255.255.255.0 outside
ssh 66.35.91.12 255.255.255.255 outside
ssh 99.168.123.146 255.255.255.255 outside
ssh 184.88.165.210 255.255.255.255 outside
ssh 71.43.42.162 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
priority-queue outside
threat-detection rate scanning-threat rate-interval 600 average-rate 2147483647 burst-rate 2147483647
threat-detection rate scanning-threat rate-interval 3600 average-rate 2147483647 burst-rate 2147483647
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username presidio password 9kcd3VtfMMlCRZYn encrypted privilege 15
username pslocal password yFKZ/NtK45sbqenZ encrypted privilege 15
username dgilbert2 password MIdx9N0fqqtgcv6y encrypted privilege 15
username dperry password ttwYt0i/wyaChIa7 encrypted privilege 15
username ciscobackup password /9VCOsDsFdU.lw0t encrypted privilege 15
tunnel-group 66.35.91.12 type ipsec-l2l
tunnel-group 66.35.91.12 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 66.97.139.68 type ipsec-l2l
tunnel-group 66.97.139.68 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
!
class-map global-class
 match default-inspection-traffic
class-map EQ-Repl
 match access-list inside_mpc
!
!
policy-map LIMIT-TO-25M
 class EQ-Repl
  police input 101000000 60000
  police output 101000000 60000
 class class-default
  shape average 18000000
policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
!
service-policy global-policy global
service-policy LIMIT-TO-25M interface inside
service-policy LIMIT-TO-25M interface outside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d495ef0e1823ae2001dec8e4a161c862
SLC-FW#

4 Replies

Tagir Temirgaliyev
Spotlight

asa 5505 itself has limit about 20 mb

I disagree with this- Cisco lists the stateful firewall throughput at 150Mbps.  Granted, the unit has 10/100 ports, so in reality it is limited by these.  In operation, you can pull 90Mbps or 10K sessions on the base license, and I have done these numbers before (not just paper specs).  Even the later PIX firewalls could handle more than 20Mbps.

Much appreciated, sir - this turned out to be the exact fix.

MitchellAxtell
Level 1

You appear to have a service policy on your inside and outside interfaces that is limiting you- see the line "policy-map LIMIT-TO-25M", under the "class-default" section.  It is applied to the interfaces under "service-policy LIMIT-TO-25M interface inside" and "service-policy LIMIT-TO-25M interface outside".  Having a service policy isn't a bad idea; it just needs to be edited when the bandwidth is changed.  I'd recommend making a new one so that the policy naming isn't wrong (such as "policy-map LIMIT-TO-90M") with a "class class-default" of "shape average 94000000".  90M seems like an odd number to use, but the 100M ports of the 5505 won't really allow you to go higher.

Of course, you can simply remove the policy altogether if you wish.
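As an added example (not code from the thread, the poster, or Cisco), the following Python script does the audit MitchellAxtell performed by eye: it pulls the policy-map, class, shape and police lines and the service-policy bindings out of an ASA running-config, reports each interface whose class-default rate limit is below the circuit rate you supply, and renders the replacement policy he describes (a fresh policy-map shaping class-default to the new rate, unbound from the old one). SAMPLE_CONFIG is a constructed excerpt built from the policy names and values posted above; the function names are mine, and the shape-rate bounds are an assumption to verify against your ASA release.

```python
"""Audit an ASA running-config for QoS limits that cap interface throughput.

Added example, not code from the thread or from Cisco. It reads policy-map,
class, shape and police lines plus service-policy bindings, reports each
interface's effective cap against the circuit rate you supply, and renders the
replacement policy the accepted answer describes. SAMPLE_CONFIG is a constructed
excerpt using the policy names and values posted in the thread."""

# Constructed excerpt: only the QoS-relevant lines of the posted config are reproduced.
SAMPLE_CONFIG = """\
class-map EQ-Repl
 match access-list inside_mpc
!
policy-map LIMIT-TO-25M
 class EQ-Repl
  police input 101000000 60000
  police output 101000000 60000
 class class-default
  shape average 18000000
policy-map global-policy
 class global-class
  inspect dns
!
service-policy global-policy global
service-policy LIMIT-TO-25M interface inside
service-policy LIMIT-TO-25M interface outside
"""


def parse_policies(config_text):
    """Return (policies, bindings).

    policies: {policy_name: {class_name: {"shape": bps or None, "police": {direction: bps}}}}
    bindings: {"global" or interface_name: policy_name}
    """
    policies, bindings = {}, {}
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            policy = cls = None                        # any top-level line ends the current block
            if tok[0] == "policy-map" and len(tok) == 2:  # skips "policy-map type inspect ..."
                policy = tok[1]
                policies.setdefault(policy, {})
            elif tok[0] == "service-policy" and len(tok) >= 3:
                if tok[2] == "global":
                    bindings["global"] = tok[1]
                elif tok[2] == "interface" and len(tok) >= 4:
                    bindings[tok[3]] = tok[1]
            continue
        if policy is None:
            continue
        if tok[0] == "class" and len(tok) >= 2:
            cls = tok[1]
            policies[policy].setdefault(cls, {"shape": None, "police": {}})
        elif cls and tok[:2] == ["shape", "average"] and len(tok) >= 3:
            policies[policy][cls]["shape"] = int(tok[2])
        elif cls and tok[0] == "police" and len(tok) >= 3:
            # "police input|output <bps> [burst]"; a bare "police <bps> <burst>" means output
            direction, rate = (tok[1], tok[2]) if tok[1] in ("input", "output") else ("output", tok[1])
            policies[policy][cls]["police"][direction] = int(rate)
    return policies, bindings


def find_caps(config_text, circuit_bps):
    """Interfaces whose class-default shape/police sits below circuit_bps -> {iface: (policy, cap_bps)}."""
    policies, bindings = parse_policies(config_text)
    caps = {}
    for iface, policy in bindings.items():
        if iface == "global":
            continue                                   # the global policy carries inspections, not rate limits
        default = policies.get(policy, {}).get("class-default")
        if not default:
            continue
        rates = [r for r in [default["shape"], *default["police"].values()] if r is not None]
        if rates and min(rates) < circuit_bps:
            caps[iface] = (policy, min(rates))
    return caps


def render_replacement(name, rate_bps, interfaces, old_policy=None):
    """Render the fix from the accepted answer: a new policy-map shaping class-default
    to rate_bps, with each interface unbound from old_policy and bound to the new one."""
    # Assumed bounds: ASA accepts shape rates of 64000-154400000 bps in multiples of 8000.
    if not 64000 <= rate_bps <= 154400000 or rate_bps % 8000:
        raise ValueError("shape average must be 64000-154400000 bps, a multiple of 8000")
    lines = [f"policy-map {name}", " class class-default", f"  shape average {rate_bps}"]
    for iface in interfaces:
        if old_policy:
            lines.append(f"no service-policy {old_policy} interface {iface}")  # one policy per interface
        lines.append(f"service-policy {name} interface {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    for iface, (policy, cap) in find_caps(SAMPLE_CONFIG, 100_000_000).items():
        print(f"{iface}: {policy} caps egress at {cap / 1e6:.0f} Mbps")
    print(render_replacement("LIMIT-TO-90M", 94_000_000, ["inside", "outside"], "LIMIT-TO-25M"))
```

Run against a full `show running-config` dump with the new circuit rate; because the shaper is applied on both the inside and outside interfaces, it caps egress in both directions, which matches the symmetric 16-18Mb the original poster measured. The EQ-Repl policer is reported separately from class-default since it only applies to traffic matching its access-list.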
