
TCP connections that pass through the ASA firewall are very slow when the SSM module is enabled


Core issue

This issue can occur due to the presence of Cisco bug ID CSCse46220.

This problem occurs because the ASA attempts to re-order all packets matched by the access-list of the associated class.


In order to resolve this issue, complete these steps:

  1. Adjust the access-list reference in the class-map command in order to remove the problem traffic from inspection by the SSM.
  2. Increase the queue-limit under the tcp-map command. This can help with performance, although it can take some trial and error in order to find the optimal queue-limit value that delivers the best performance.
  3. Clear the selective-ack and timestamp options from the tcp-options command.

This is an example of an adjusted queue-limit with cleared selective-ack and timestamp options:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# tcp-options timestamp clear
hostname(config-tcp-map)# tcp-options selective-ack clear
hostname(config-tcp-map)# queue-limit <#>
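
The three steps combined in one configuration, as an added example that is not taken from the original article or from Cisco. It assumes an AIP-SSM (hence the ips command; a CSC-SSM uses csc instead) and that the tcp-map is attached to the same class that sends traffic to the module. The names ssm_traffic and ssm_class and the address 192.0.2.10 are constructed placeholders, and queue-limit keeps the article's <#> placeholder.

```cisco
! Constructed example: 192.0.2.10 stands in for the host whose TCP sessions are slow.
!
! Step 1: deny entries in an access-list used by "match access-list" exclude
! that traffic from the class, so it is no longer sent to the SSM or re-ordered.
access-list ssm_traffic extended deny tcp any host 192.0.2.10
access-list ssm_traffic extended deny tcp host 192.0.2.10 any
access-list ssm_traffic extended permit ip any any
!
class-map ssm_class
 match access-list ssm_traffic
!
! Steps 2 and 3: the tcp-map from the article (replace <#> with the tuned value).
tcp-map tmap
 queue-limit <#>
 tcp-options selective-ack clear
 tcp-options timestamp clear
!
! Attach both the SSM redirection and the tcp-map to the class.
policy-map global_policy
 class ssm_class
  ips inline fail-open
  set connection advanced-options tmap
!
service-policy global_policy global
```

Traffic matched by the deny entries bypasses SSM inspection entirely, so keep those entries as narrow as the affected flows allow.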

The other workaround is to install version 7.2(1.27) or the latest version from Cisco Downloads.