DMZ to INSIDE extremely slow file copying

kumarsundaram · ‎05-10-2013

All,

I have a Cisco ASA 5510. I am trying to copy large files between DMZ and INSIDE network and it is copying at awfully a slow speed. I thought it might have been related to duplex mismatch but it doesn't seem to be. DMZ interface is set at 100 full duplex. I programmed the port on the managed switch where the DMZ uplink is connected to be 100 full duplex. I even hard set the NIC on server to be 100 full. Nothing helped. So, I come to a conclusion it isn't the duplex mismatch but there gotta be something else on Cisco ASA.

I was googling for this issue and came across it could be a QoS policy. Now, checking my ASA I see a any to any global service_policy where it is defined to inspect certain protocols where 'netbios' is one of them (among others such as 'ftp', 'tftp', etc.

Could the slow copying be related to the above policy? Does anybody know what else I can check to overcome this problem? Could there be a bandwidth limitation between DMZ and INSIDE interface? How do I check?

Thanks a lot in advance.

kumarsundaram · ‎05-14-2013

Anyone?

tony.henry_2 · ‎05-15-2013

Kumar,

What is slow? How busy is the device? Not saying your not correct, just that you need to define your expectations a little better. The 5510 is capable of delivering 300 Mbps according to http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html under ideal conditions. What else is the 5510 doing that may using some of that throughput? How are you transferring these files? Has it worked better previously or is it a new installation? Are there logs available?

Tony

kumarsundaram · ‎05-16-2013

Tony,

Thank you for your reply. The idea is to do a backup of some files/folders from a server on DMZ to one our NAS on LAN. From the server console on DMZ I just tried to a regular windows copy/paste onto the NAS shared folder. The current copying speed is at 30 -50 Kbps. I should also mention DMZ to LAN access is controlled by accessing only specific ports on ASA. In this case, I only have TCP port 445 opened allowing access from DMZ to LAN for file sharing.

Althought, the DMZ and LAN co-existed for years this is a new attempt (not really a new setup) trying to copy the files from DMZ to LAN. There is no heavy load on 5510 at least between DMZ and LAN. There is only one server sitting on DMZ and about 10 LAN servers. Obviously, no problem copying between the servers on LAN as they all connected to gigabit switches. The problem is only a slow transfer speed when copying between DMZ and LAN or vice versa.

Tanveer Dewan · ‎06-08-2013

I am presuming you have also check the duplex settings on the lan interface of the ASA. is the problem only betwen dmz and lan? how's dmz to internet and lan to internet traffic?

check cpu utilization

memory utilization

how many nat translations do you see at the time of copying files? 'show xlate'

is the reverse lookup working fine for the servers in question?

paulstone80 · ‎06-08-2013

Hi,

What does the throughput look like if you copy the same file from the DMZ server to something else on the same DMZ subnet?

HTH

Paul

****Please rate useful posts****

HTH Paul ****Please rate useful posts****