07-15-2015 06:51 AM - edited 03-05-2019 01:53 AM
Hi all, first post in the community, hoping you can help.
We recently upgraded our 20/45 MOE circuit to a 50/100 circuit, but are not seeing any kind of bandwidth increase inside the network. Our vendor (First Digital) has tested the circuit, and I can see that when a client is directly connected to the circuit itself, it gets approximately 90Mb up and down. From port #7 on the ASA 5505, however, I can never see more than about 16-18Mb, which is exactly what we saw previous to the upgrade. This leads me to believe that there is some kind of configuration issue with the firewall itself, but I'm not overly strong with Cisco IOS and don't know what it might be. Would anyone be able to advise as to what the offending issue would be?
Config follows:
SLC-FW# show conf
: Saved
:
: Serial Number: JMX150340P0
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by pslocal at 22:42:08.889 UTC Fri Mar 27 2015
!
ASA Version 9.1(6)
!
hostname SLC-FW
domain-name plansource.local
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.50.0.0 A-10.50.0.0 description ViaWest Colo
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.4.250.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 205.204.36.195 255.255.255.224
!
boot system disk0:/asa916-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name plansource.local
object network obj-10.4.254.1
host 10.4.254.1
object network obj-10.110.254.1
host 10.110.254.1
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network A-10.50.0.0
subnet 10.50.0.0 255.255.0.0
object network obj-10.4.3.16
host 10.4.3.16
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_3
network-object host 10.4.2.19
network-object host 10.4.3.210
network-object host 10.4.3.25
network-object host 10.4.254.1
network-object host 10.4.2.20
network-object host 10.4.2.21
object-group network DM_INLINE_NETWORK_4
network-object host 10.110.2.20
network-object host 10.110.3.210
network-object host 10.110.3.37
network-object host 10.110.254.1
network-object host 10.110.2.62
network-object host 10.110.2.63
network-object host 10.110.2.64
network-object host 10.110.2.66
network-object host 10.110.2.67
network-object host 10.110.2.68
network-object host 10.110.2.69
object-group network DM_INLINE_NETWORK_1
network-object 10.40.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
network-object 10.110.0.0 255.255.0.0
network-object 10.140.0.0 255.255.0.0
network-object 10.8.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_5
network-object 10.4.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_6
network-object 10.110.0.0 255.255.0.0
network-object 10.140.0.0 255.255.0.0
network-object 10.8.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_7
network-object 10.110.0.0 255.255.0.0
network-object 10.8.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object 10.4.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
object-group service EQ-Repl tcp
description EQ Replication
port-object eq 3260
object-group network DM_INLINE_NETWORK_9
network-object host 64.132.243.34
network-object host 66.35.91.12
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound remark Replication nodes.
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list inside_nat0_outbound extended permit ip host 10.4.254.1 host 10.110.254.1
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.0.0 object A-10.50.0.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4
access-list inside_mpc extended permit tcp 10.110.2.0 255.255.255.0 10.4.2.0 255.255.255.0 object-group EQ-Repl inactive
access-list outside_2_cryptomap extended permit ip 10.4.0.0 255.255.0.0 object A-10.50.0.0
access-list outside_access_in extended permit icmp host 10.110.254.1 host 10.4.254.1
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list outside_access_in extended permit ip object A-10.50.0.0 10.4.0.0 255.255.0.0
access-list outside_access_in remark temp workaround for slow TW
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 host 10.4.3.16 inactive
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap informational
logging asdm informational
logging host inside 10.110.3.41
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.4.254.1 obj-10.4.254.1 destination static obj-10.110.254.1 obj-10.110.254.1 no-proxy-arp route-lookup
nat (inside,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.4.0.0 obj-10.4.0.0 destination static A-10.50.0.0 A-10.50.0.0 no-proxy-arp route-lookup
!
object network obj-10.4.3.16
nat (inside,outside) static 205.204.36.196
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.204.36.193 1
route inside 10.4.0.0 255.255.0.0 10.4.250.1 1
route inside 10.40.0.0 255.255.0.0 10.4.250.1 1
route outside A-10.50.0.0 255.255.0.0 205.204.36.193 1
route inside 10.110.3.22 255.255.255.255 10.4.250.1 1
route inside 10.110.3.41 255.255.255.255 10.4.250.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 66.35.91.12 255.255.255.255 outside
http 207.30.28.0 255.255.255.0 outside
http 99.168.123.146 255.255.255.255 outside
http 184.89.24.213 255.255.255.255 outside
http 68.202.250.13 255.255.255.255 outside
snmp-server host inside 10.110.3.22 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 66.35.91.12
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 66.97.139.68
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 207.30.28.0 255.255.255.0 outside
ssh 66.35.91.12 255.255.255.255 outside
ssh 99.168.123.146 255.255.255.255 outside
ssh 184.88.165.210 255.255.255.255 outside
ssh 71.43.42.162 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
priority-queue outside
threat-detection rate scanning-threat rate-interval 600 average-rate 2147483647 burst-rate 2147483647
threat-detection rate scanning-threat rate-interval 3600 average-rate 2147483647 burst-rate 2147483647
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username presidio password 9kcd3VtfMMlCRZYn encrypted privilege 15
username pslocal password yFKZ/NtK45sbqenZ encrypted privilege 15
username dgilbert2 password MIdx9N0fqqtgcv6y encrypted privilege 15
username dperry password ttwYt0i/wyaChIa7 encrypted privilege 15
username ciscobackup password /9VCOsDsFdU.lw0t encrypted privilege 15
tunnel-group 66.35.91.12 type ipsec-l2l
tunnel-group 66.35.91.12 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 66.97.139.68 type ipsec-l2l
tunnel-group 66.97.139.68 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
!
class-map global-class
match default-inspection-traffic
class-map EQ-Repl
match access-list inside_mpc
!
!
policy-map LIMIT-TO-25M
class EQ-Repl
police input 101000000 60000
police output 101000000 60000
class class-default
shape average 18000000
policy-map global-policy
class global-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect waas
inspect xdmcp
!
service-policy global-policy global
service-policy LIMIT-TO-25M interface inside
service-policy LIMIT-TO-25M interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d495ef0e1823ae2001dec8e4a161c862
SLC-FW#
07-16-2015 04:35 AM
The ASA 5505 itself has a limit of about 20 Mb.
07-16-2015 06:08 PM
I disagree with this: Cisco lists the stateful firewall throughput at 150Mbps. Granted, the unit has 10/100 ports, so in reality it is limited by these. In operation, you can pull 90Mbps or 10K sessions on the base license, and I have done these numbers before (not just paper specs). Even the later PIX firewalls could handle more than 20Mbps.
07-17-2015 07:37 AM
Much appreciated, sir - this turned out to be the exact fix.
07-16-2015 06:18 PM
You appear to have a service policy on your inside and outside interfaces that is limiting you; see the line "policy-map LIMIT-TO-25M", under the "class-default" section. It is applied to the interfaces under "service-policy LIMIT-TO-25M interface inside" and "service-policy LIMIT-TO-25M interface outside". Having a service policy isn't a bad idea; it just needs to be edited when the bandwidth is changed. I'd recommend making a new one so that the policy naming isn't wrong (such as "policy-map LIMIT-TO-90M") with a "class class-default" of "shape average 94000000". 90M seems like an odd number to use, but the 100M ports of the 5505 won't really allow you to go higher.
Of course, you can simply remove the policy altogether if you wish.
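The accepted answer above points at a "class-default" shaper sized for the old circuit and still bound to both interfaces. The following script is an added example, not part of the thread or of any Cisco tool: it parses the policy-map and service-policy lines of an ASA running configuration, pulls out every class-default "shape average" rate, and reports any interface whose bound policy shapes below the rate you expect the circuit to deliver. The two embedded configs are constructed samples: the first is the relevant fragment of the poster's config (shape average 18000000), the second is the replacement the answer suggests (an assumed name LIMIT-TO-90M with shape average 94000000). The 90 Mbps threshold is the rate the poster's vendor measured on the raw circuit.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the shaping-related fragment of the thread's ASA config,
# still sized for the old 20 Mbps circuit.
OLD_CONFIG = """\
policy-map LIMIT-TO-25M
 class EQ-Repl
  police input 101000000 60000
  police output 101000000 60000
 class class-default
  shape average 18000000
policy-map global-policy
 class global-class
  inspect dns
service-policy global-policy global
service-policy LIMIT-TO-25M interface inside
service-policy LIMIT-TO-25M interface outside
"""

# Constructed sample: the replacement policy the accepted answer suggests
# (policy name and rate are the answer's suggestion, not taken from a real device).
NEW_CONFIG = """\
policy-map LIMIT-TO-90M
 class EQ-Repl
  police input 101000000 60000
  police output 101000000 60000
 class class-default
  shape average 94000000
service-policy global-policy global
service-policy LIMIT-TO-90M interface inside
service-policy LIMIT-TO-90M interface outside
"""

# Sub-commands that may appear inside a policy-map block. Any other
# top-level command ends the block. Matching on keywords rather than
# indentation keeps the parser working on pasted configs whose leading
# spaces were stripped (as happened in the thread above).
NESTED_PREFIXES = ("class ", "shape ", "police ", "inspect ",
                   "match ", "description ", "priority")


def parse_shapers(config: str) -> Dict[str, int]:
    """Return {policy_map_name: bits_per_second} for every class-default 'shape average'."""
    shapers: Dict[str, int] = {}
    current = None       # name of the policy-map block we are inside, if any
    in_default = False   # True while inside that block's 'class class-default'
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            current = line.split()[1]
            in_default = False
        elif current is None:
            continue
        elif line.startswith("class "):
            in_default = line == "class class-default"
        elif line.startswith("shape average ") and in_default:
            shapers[current] = int(line.split()[2])
        elif not line.startswith(NESTED_PREFIXES):
            current = None
            in_default = False
    return shapers


def parse_bindings(config: str) -> List[Tuple[str, str]]:
    """Return (policy_map_name, target) for each 'service-policy' line; target is an interface name or 'global'."""
    bindings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        m = re.match(r"service-policy (\S+) (?:interface (\S+)|(global))$", raw.strip())
        if m:
            bindings.append((m.group(1), m.group(2) or m.group(3)))
    return bindings


def check_shaping(config: str, expected_bps: int) -> List[str]:
    """Report every interface binding whose class-default shaper is below the expected circuit rate."""
    shapers = parse_shapers(config)
    findings = []
    for name, target in parse_bindings(config):
        rate = shapers.get(name)
        if rate is not None and rate < expected_bps:
            findings.append(
                f"{target}: policy-map {name} shapes class-default to "
                f"{rate / 1e6:.0f} Mbps, below the expected {expected_bps / 1e6:.0f} Mbps"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("old config", OLD_CONFIG), ("new config", NEW_CONFIG)):
        findings = check_shaping(cfg, 90_000_000)
        print(f"{label}: {findings or 'no undersized shapers'}")
```

Run against a full "show running-config" capture, the script flags the inside and outside bindings of LIMIT-TO-25M with the old 18 Mbps shaper and reports nothing once the 94 Mbps policy is in place. The "police" lines inside class EQ-Repl are deliberately ignored: they only govern the replication traffic matched by inside_mpc, and the whole-interface ceiling the thread is about lives in class-default.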