ASA5508-X Slow File Transfer between VLANs

thomo2710
Level 1

Hi,

Having an issue with slow file transfer speeds between servers in separate VLANs on a 5508-X, and am wondering if there is anything that can be done to help?

Servers plug into Cisco 2960 switches, duplex auto/auto at 1Gbps.

Servers in the DMZ VLAN will only transfer files to servers in the TRU VLAN at a max of 14MB/s (and vice versa).

Servers sending the same file within the same VLAN transfer at the speeds expected of 1000F: 113MB/s.

Only when the firewall gets involved for inter-VLAN traffic are we seeing massively degraded file transfer speeds.

The networks are configured on the firewall as sub-interfaces on the same physical interface.

Can anybody offer any pearls of wisdom, please, on either troubleshooting this further or things to try to improve?

Many Thanks

7 Replies

Intra-VLAN traffic is not inspected by the ASA.

Inter-VLAN traffic (where the ASA is the GW) is inspected by the ASA, and this slows down transfer speed (but not this much).

Did you check the TCP MSS size in the ASA? A small size can lead to slow transfers.

MHM

Hello,

post the full running config, maybe we can spot something? Is that a 5508-X with FirePower?

Joseph W. Doherty
Hall of Fame

Possibly others will suggest something to boost FW throughput.

Otherwise you may need to consider replacing the FW with a faster FW, or selectively (and very carefully) bypassing the FW for some inside<>DMZ traffic.

BTW some 2960 models support limited routing.

thomo2710
Level 1

Apologies for the silence.

So we dug into this a bit more, and when excluding 2 test hosts (1 in each VLAN) from going through FirePower we got throughput at gigabit LAN speeds: 113MB/s on a file transfer. When dmz->tru VLAN traffic goes through FirePower we see file transfer speeds dramatically reduced to 14MB/s.

We have SSRS and web sites on the DMZ vlan and SQL on the TRU vlan.

Obviously the gung-ho approach would be to exclude these hosts from going through FirePower; I feel like this is like taking a gun to a fist fight though, and wouldn't be best practice?

Can you exclude certain protocols or ports only from going through the FirePower rather than entire hosts?

What would be the best approach in this scenario from a security point of view?

The firewall is the gateway for their respective VLANs.

Appreciate in advance any input received.

Many Thanks

If you have a router or L3 switch then you can connect them directly, and the traffic will not pass via the ASA.

This is done by changing the GW on both hosts to point to the router or L3 switch instead of pointing toward the ASA.

MHM

Hello,

throughput under normal circumstances should be a lot higher than 14mb/s. It could be the MTU settings. As asked, if you post the full config, we can check and maybe we can spot something...

@thomo2710 wrote:

What would be the best approach in this scenario from a security point of view?

Most security folk, I suspect, would recommend to continue to use the FW, as security is what they do well.

So again, if the FW is a bottleneck, and you cannot find a way to easily increase its throughput, and if you want much more throughput, either you need a FW with more capacity or you need to bypass it.
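The "selective and very careful" bypass discussed in this thread, and the earlier TCP MSS hint, as an added example that is not from the original thread or from Cisco: on an ASA with the FirePOWER (SFR) module, traffic reaches the module through a service-policy class, so the redirect ACL can exclude one narrow flow (here only the SQL connection from a DMZ web host to the TRU SQL host) while every other inter-VLAN flow stays inspected. The addresses 10.10.1.10 and 10.10.2.20, the port 1433, and the ACL/class names are constructed assumptions.

```cisco
! MSS check from the earlier hint: show the clamp value the ASA applies,
! including the default (1380) if it was never changed.
show running-config all sysopt

! Redirect ACL: "deny" = do NOT send to the SFR module, "permit" = inspect.
! Only the SSRS/web host -> SQL host flow on TCP 1433 (constructed addresses)
! is excluded; the ASA still applies its own ACL/stateful rules to it,
! but the module's IPS/malware inspection no longer sees that flow.
access-list sfr-redirect extended deny tcp host 10.10.1.10 host 10.10.2.20 eq 1433
access-list sfr-redirect extended permit ip any any

class-map sfr-class
 match access-list sfr-redirect

policy-map global_policy
 class sfr-class
  ! fail-close drops matched traffic if the module is down rather than
  ! silently passing it uninspected (fail-open would do the opposite).
  sfr fail-close

service-policy global_policy global

! Verify: matched packet counters show whether the excluded flow really
! stays off the module while the rest of the inter-VLAN traffic hits it.
show service-policy sfr
```

Re-run the inter-VLAN transfer after the change; if only the excluded flow speeds up, the module is the bottleneck rather than the MSS/MTU setting.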
