08-10-2010 11:58 AM - edited 03-04-2019 09:22 AM
I have what i think to be a routing question. Below is an what i see to be the problem.
MPLS (to remote site) Firewall Cisco ASA 5510 (Between Network and Metro E)
The MPLS is connected to the network switch on the inside of the firewall, i know that is not the way it should be but that is what i stepped into when i took the role. All internal devices look at the mpls router (172.16.1.1) for there default gateway. This morning i was working with our ISP for the metro E and found that if i run a speed test with my gateway setup as 172.16.1.1 i only get around 2mbps upload, if i change the default gateway to the firewall i get between 9 and 10mbps upload. Working with the ISP they are thinking that there is something with the ASA causing this to slow the traffic down.
I have check the speed from all the other networks on the asa and do not have the same problem, the test comes back with about 9.5mbps both up and down.
I have posted the running config of the firewall, can someone look over it and see if there is anything that i might be missing or need to change?
08-10-2010 12:48 PM
Why your ISP router is in the same IP range as your inside firewall? This may be your main issue.
Are u running transparent mode on your firewall?
Your router and the inside firewall address can not be in the same subnet.
Either your L-3 switch or the firewall should be the default gateway to your internal devices.
It should be: Router:10.10.10.1, outside-the-firewall-10.10.10.2, inside firewall 172.16.1.10 or your L3 switch .11.
on your L3 switch:ip route 0 0 172.16.1.10 <
on your L2 switch:default-gateway 172.16.1.10
on your firewall: route outside 0 0 10.10.10.1 to your ISP.
Are these live IPs 192.199.1.x and 192.168.1.x or typo?
Looks like a clean up needs to be done.
Take your time and verify every connectivity route.
08-10-2010 12:55 PM
Sorry for the confusion.
The 172.16.1.1 is a point to point router, not the internet router, as for it being on the inside of the firewall that is the way it was setup when i came to work here.
As for the 192.199.1.x and the 192.168.1.x yes they are both live address, the 192.199.1.x is a network that is attached through the firewall, the 192.168.1.x is the other end of the point to point (172.16.1.1 router).
Yes i will agree that a clean up is needed on the firewal but really i dont quite know where to start.
08-10-2010 01:16 PM
It appears you are 'hair pinning' the internet traffic off your WAN router. Not an optimal situation, but I've stepped into that situation before myself. I'm going to guess that if a more specific WAN route isnt found the WAN router forwards the traffic to the firewall? This turns an ethernet segment into an inefficient ring.
There are a number of reasons a flow may not be able to develop good throughput when hair pinning through a network device. A duplex mismatch, high CPU on the device that's hair pinning, interface errors, high bandwidth utilization on the hair pinning interface.
Why not make the ASA the default gateway? If your downstream switch is layer 3 then add the WAN routes to it; or let them learn them dynamicly. If the downstream switch isnt capable of routing consider adding the more specific routes to the ASA; see if it deals with the WAN traffic hair pinning any better.
08-10-2010 01:52 PM
Yes the wan router is hair pinning traffic from itself to the firewall and i do not really know what to do to correct this.
If i set a device with the asa as the default gateway it is unable to pass traffic from itself to the wan and a device on the wan can not pass traffic to it. That would be my reason for hair pinning on the wan device. I do know that i did setup hair pinning on the asa, for the 192.199.1.x network.
Is there a line that i can put in the asa to resolve the traffic not passing to the wan or wan traffic not passing to the lan?
08-10-2010 02:09 PM
The following commands appear to be why 192.168.1.0/24 can hairpin on the inside interface to the WAN router.
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
route inside 192.168.1.0 255.255.255.0 172.16.1.1 1
Hair pinning is never optimal, so I hesitate to suggest you do it on the ASA; but if it results in a better service than the current configuration it may be worth a shot in the short term. Check the WAN router/switch interfaces for errors. Perhaps there's a bad cable or the interfaces have negotiated something unintended that's resulting in poor service. I would generally expect a router to deal with hair pinning better than a firewall.
The long term solution is a layer three switch wedged between the ASA and the WAN router. Something of a campus aggregation smart switch fabric. The L3 switch would then be the default gateway of campus hosts and forward the traffic to the firewall or WAN router as appropriate.
08-10-2010 02:27 PM
Thank you for you help, after the last post that you made i went through and removed
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 from my asa.
I believe im going to have to talk with my ISP to get the changes made on the router to correct the problem.
I just did a little trouble shooting.
From a device on the wan (192.168.1.x/24 network) to a divice on the lan (172.16.1.x/16 Network), as long as the device on the lan had the wan router as the default gateway i was able to pass traffic back and forth, once the default gateway was changed to the asa (As i think it should be) they were unable to pass traffic.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: