Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
870
Views
9
Helpful
4
Replies

Cisco asa 5505 not reaching my download speeds

walters199
Level 1
Level 1

‎08-06-2016 03:17 AM - edited ‎03-05-2019 04:27 AM

We try to replace our Palo Alto to an ASA 5505.

We have a Fiber line with 100mb up/down.

Upload is a constant 80/90 mb
Download keeps stuck at 35/40 mb

I have tried al the solutions mentioned on 

https://www.reddit.com/r/Cisco/comments/2u4o3n/asa_5505_bottlenecking_100mbps_internet_to_35mbps/

- We have no shapers configured
- The interface is set to 100mb full duplex
- used Gb switch between ISP and my ASA

I have searcht around but can`t find a solution.

Config below:

!!! I have noticed the CRC errors.
For the inside interface I replaced all my cables ( Numbers grow only with uploading where I have no troubles at the moment)
The CRC errors on the outside are from messing with the cables.

Any Ideas ?

interface Ethernet0/0
description FIBER
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 10
speed 100
duplex full


interface Vlan1
nameif outside
security-level 0
pppoe client vpdn group FIBER
ip address pppoe setroute
!
interface Vlan10
nameif DATA
security-level 100

mtu outside 1500 ( tried with 1492)
mtu DATA 1500
mtu SERVERS 1500
mtu MGT 1500

sysopt connection tcpmss 1452


FW-01# sh interface ethernet 0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: FIBER
Available but not configured via nameif
MAC address 30f7.0d2e.57c7, MTU not set
IP address unassigned
1411457 packets input, 1296786629 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
2167 input errors, 2167 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
3288 switch ingress policy drops
1768813 packets output, 1918191234 bytes, 0 underruns
0 pause output, 0 resume output
6999 output errors, 1399 collisions, 0 interface resets
0 late collisions, 340 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops



Interface Ethernet0/2 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 30f7.0d2e.57c9, MTU not set
IP address unassigned
684095 packets input, 690945987 bytes, 0 no buffer
Received 1886 broadcasts, 0 runts, 0 giants
4241 input errors, 4241 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1336 switch ingress policy drops
596307 packets output, 570227296 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops

FW-01# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 4454, drop 10, reset-drop 0, v6-fail-close 0
Inspect: ftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 3, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 1484, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0, v6-fail-close 0

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global


FW-01# sh version

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

Compiled on Thu 09-May-13 15:37 by builders
System image file is "disk0:/asa912-k8.bin"
Config file at boot was "startup-config"

FW-01 up 1 hour 30 mins

Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎08-06-2016 03:35 AM

First: The 5505 is rated for 150 MBit/s with UDP under ideal test conditions. Whatever you configure, this device is to slow for your connection.

You still can try to improve the result a little bit:

  1. Make sure that your duplex-settings match the other side. The collisions/CRC errors should not increment any more
  2. Upgrade to the newest code.
  3. With PPPoE, an MTU of 1492 is correct. 
  4. Disable all unneeded inspections in your policy-map

But whatever you do, you won't reach line-rate.

walters199
Level 1
Level 1
In response to Karsten Iwen

‎08-08-2016 03:05 AM

Hi Karsten,

Thank you for your reply. I appreciate it.

I will ask my collegue from sales to look for a newer ASA 5508. I just checkt the capacity sheet and this device will probably reach the maximum troughput.

0 Helpful

scott.bridges
Level 1
Level 1
In response to walters199

‎08-09-2016 06:26 AM

You should be getting more than 35/40Mbps down.

I use a 5505 for my home connection and have 100/10 from my provider.  I just tested and was getting 87 down and a little over 10 up.  If you're getting half that, something is wrong.

I would double check the devices this ASA is connecting to.  I once had the same issue you're describing at home and it was due to me hard-coding the ASA at 100/Full, but the service provider modem was at Auto, and they auto-negotiated at Half duplex.  

Again, double check all connection points for duplex/speed mismatches.  That would be my first step.  But you should expect more than 40Mbps out of this device.

HTH

Preview file
16 KB

walters199
Level 1
Level 1
In response to scott.bridges

‎08-10-2016 08:07 AM

Thank for your reply Scott.

I will connect the asa again and see if it auto duplexes to full.
And confirm at the ISP if there device  also trains in at 100Mb full-duplex.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card