03-01-2019 01:25 PM
Cisco ASA 5505 (9.1.7 31)
with Cisco 881 (12.4 22) and 1921 (15.4-3.M9) as remote Site-to-Site
Users are seeing performance problems on RDS
Here are the asp drop stats
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 245
VPN reclassify failed (vpn-reclassify-failed) 2
ttl exceeded (ttl-exceeded) 12
No valid adjacency (no-adjacency) 428
No route to host (no-route) 1127
Flow is denied by configured rule (acl-drop) 301843
Invalid SPI (np-sp-invalid-spi) 6988
First TCP packet not SYN (tcp-not-syn) 134246
TCP failed 3 way handshake (tcp-3whs-failed) 7931
TCP RST/FIN out of order (tcp-rstfin-ooo) 332553
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 1
TCP SYNACK on established conn (tcp-synack-ooo) 12
TCP packet SEQ past window (tcp-seq-past-win) 489
TCP invalid ACK (tcp-invalid-ack) 3
TCP RST/SYN in window (tcp-rst-syn-in-win) 305
TCP packet failed PAWS test (tcp-paws-fail) 373
Slowpath security checks failed (sp-security-failed) 108401
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 4
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 8
DNS Inspect invalid packet (inspect-dns-invalid-pak) 11
DNS Inspect id not matched (inspect-dns-id-not-matched) 548
FP L2 rule drop (l2_acl) 364
Interface is down (interface-down) 2
Non-IP packet received in routed mode (non-ip-pkt-in-routed-mode) 1
Packet shunned (shunned) 84311
Dropped pending packets in a closed socket (np-socket-closed) 142
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 338094
Last clearing: Never
Flow drop:
Tunnel has been torn down (tunnel-torn-down) 4
Need to start IKE negotiation (need-ike) 5966
VPN decryption missing (vpn-missing-decrypt) 8
Flow shunned (shunned) 3342
Inspection failure (inspect-fail) 34560
SSL handshake failed (ssl-handshake-failed) 6
Am wondering if this is a fragmentation issue
There are no ip tcp adjust-mss statements on the inside interface of any of the routers
There are no IP mtu statements on the outside interface of any of the routers
Thanks,
Steve
03-01-2019 01:59 PM
Difficult to say if fragmentation is the cause of your performance issues by just looking at this output. Also, the ASA sets the TCP mss value to 1380 by default.
asa# show run all sysopt
sysopt connection tcpmss 1380
That being said, you might have to apply packet captures at the ASA inside, router inside to see if there are a large number of drops/re-transmissions that could cause slowness. Plus, you are sending traffic through the internet, so the service providers may also rate limit traffic if there is a large amount of data. Also, if you can, try adding an MSS of at least 1400 on the router LAN side so that you eliminate the need for fragmentation for pre-encrypted TCP traffic.
03-03-2019 01:59 PM
So, to clarify ...
On the 881 and 1921, set the tcp adjust-mss to 1400 on the inside interface?
03-04-2019 07:59 AM
Sorry, MSS has to be set to 1360 bytes. This effectively sets the MTU of all the TCP packets to 1400 and avoids fragmentation of encrypted packets.
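To see where the 1360/1400 numbers come from, here is an added worked calculation (not from the thread or from Cisco): it sizes an ESP tunnel-mode packet for a given TCP MSS and finds the largest MSS that still fits a 1500-byte outer link. It assumes IPv4 without options, AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV); other transforms change the overhead.

```python
# Added example: IPsec ESP tunnel-mode overhead vs. TCP MSS.
# Header sizes below are the standard IPv4/TCP/ESP values; the cipher
# and integrity overheads are assumptions (AES-CBC, HMAC-SHA1-96).

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options (options only appear on SYN)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
NAT_T_UDP = 8     # extra UDP header when NAT traversal (UDP 4500) is active


def esp_tunnel_size(mss, iv=16, block=16, icv=12, nat_t=False):
    """Outer IPv4 packet size carrying one full-MSS TCP segment in ESP tunnel mode."""
    inner = IP_HDR + TCP_HDR + mss                  # whole cleartext IP packet
    pad = (-(inner + ESP_TRAILER)) % block          # align to cipher block size
    encrypted = iv + inner + pad + ESP_TRAILER
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + encrypted + icv


def max_mss(outer_mtu=1500, **kw):
    """Largest MSS whose encrypted packet does not exceed outer_mtu (no fragmentation)."""
    mss = outer_mtu - IP_HDR - TCP_HDR              # start from the unclamped value (1460)
    while esp_tunnel_size(mss, **kw) > outer_mtu:
        mss -= 1
    return mss


def check(mss, outer_mtu=1500, **kw):
    """Report the cleartext MTU and whether the encrypted packet would fragment."""
    size = esp_tunnel_size(mss, **kw)
    return {
        "mss": mss,
        "cleartext_mtu": mss + IP_HDR + TCP_HDR,    # 1360 -> 1400, as stated in the reply
        "encrypted_size": size,
        "fragments": size > outer_mtu,
    }


if __name__ == "__main__":
    for m in (1460, 1380, 1360):
        print(check(m), check(m, nat_t=True)["fragments"])
    print("max MSS, plain ESP:", max_mss(), "with NAT-T:", max_mss(nat_t=True))
```

With these transforms an unclamped 1460-byte MSS yields a 1560-byte ESP packet (fragmented), while 1360 yields 1464 bytes; the 1360 value leaves headroom for NAT-T or other encapsulation on top of the bare ESP maximum.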