Cisco ASA 5510 is throttling internet bandwidth

Posted on 2011-04-26
Last Modified: 2013-04-30
I have a Cisco ASA 5510 that is throttling our internet bandwidth.  We recently upgraded from a Qwest 20 Mbit connection to a 100 Mbit connection.  The connection should be 100 up and down.  When I run speed tests, I get about 85 down and 4 up.

If I disable my "policy-map global_policy" on my ASA, I get about 88 down and 85 up.  So I know that there is something in the default packet inspection that is slowing things down.  Here are my policies on the ASA:

class-map inspection_default
 match default-inspection-traffic
class-map botnet-DNS
 match port udp eq domain
class-map ips_class_map
 match access-list traffic_for_ips
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
 class ips_class_map
  ips inline fail-open
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy global_policy global
service-policy botnet-policy interface Outside

As you can see, I have the botnet traffic filter as well, but the problem seems to be the "global_policy" policy.  If I do a "no service-policy global_policy global", then my upload bandwidth shoots up to 80+ Mbit/sec.  So, my question is, what packet inspection is happening to throttle my bandwidth?  What can I safely change to allow all my bandwidth?

Question by:Jake Pratt

    Author Comment

    by:Jake Pratt
    Well, it looks like the problem is with my IPS inspection.  When I get rid of:
     class ips_class_map
      ips inline fail-open

    My upload speed jumps way up.  Any ideas what I could look for in my IPS inspection to stop the throttling? I think the IPS module is an SSM-10.

    Expert Comment

    May just be processing speed depending on what traffic you have IPS looking at.  

    >> match access-list traffic_for_ips

    What traffic are you matching?    

    Author Comment

    by:Jake Pratt
    I am matching all traffic:
    access-list traffic_for_ips extended permit ip any any

    Author Comment

    by:Jake Pratt
    I tried changing my IPS policy from inline to promiscuous, and my up speeds are now ranging from 7-15 Mbps, but still nowhere near what my down speeds are.  Any ideas on a better way to handle my IPS traffic inspection so it doesn't choke my upload speed so much?

    Expert Comment

    You might want to have a look at your total traffic....   If removing this policy eases the burden, you may want to target certain traffic.   i.e. only scan traffic coming into the network, or only traffic over port 80, for example.    Not sure if that is ideal in your setup though.  

    You could try this to match only the port 80 traffic for example.

    access-list traffic_for_ips extended permit tcp any any eq 80
    access-list traffic_for_ips extended deny ip any any

    or if you wanted to match all email and web

    access-list traffic_for_ips extended permit tcp any any eq 80
    access-list traffic_for_ips extended permit tcp any any eq 25
    access-list traffic_for_ips extended deny ip any any

    IF neither of those sound appealing, you may want to go to TAC on this one, IMHO.
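The expert's suggestion of narrowing the IPS class can be taken one step further, since the ASA classifies a connection once, when it is created: matching only traffic whose destination is the inside network sends inbound-initiated sessions to the SSM and leaves outbound sessions (the uploads that were being throttled) out of the module's path. The configuration below is an added example, not from the thread; the object-group name, the 192.0.2.0/24 address range and the port list are constructed placeholders to be replaced with the real inside address space and the services actually exposed.

```cisco
! Added example (not part of the original thread).
! 192.0.2.0/24 is a constructed placeholder for the inside address space.
object-group network INSIDE_NETS
 network-object 192.0.2.0 255.255.255.0
!
! Replace the catch-all "permit ip any any" so that only connections
! initiated from outside toward inside services are handed to the SSM.
! Outbound-initiated connections never match and bypass the module.
no access-list traffic_for_ips extended permit ip any any
access-list traffic_for_ips extended permit tcp any object-group INSIDE_NETS eq 80
access-list traffic_for_ips extended permit tcp any object-group INSIDE_NETS eq 443
access-list traffic_for_ips extended permit tcp any object-group INSIDE_NETS eq 25
access-list traffic_for_ips extended deny ip any any
!
! The existing class and policy from the thread stay as they are; the
! class-map only matches what the ACL permits.
class-map ips_class_map
 match access-list traffic_for_ips
policy-map global_policy
 class ips_class_map
  ips inline fail-open
!
! Checks after the change: ACE hit counts, per-class traffic through the
! policy, and the module's own status.
show access-list traffic_for_ips
show service-policy
show module 1 details
```

If the hit counts on the permit entries stay at zero while uploads are still slow, the IPS class is not the path the traffic is taking and the bottleneck is elsewhere in the policy; "fail-open" only applies when the module is down, not when it is merely saturated, so a healthy but overloaded SSM still delays every packet it inspects.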


    Author Comment

    by:Jake Pratt
    I actually have a case opened with TAC.  If I get any results, I'll post them.

    Expert Comment

    Any news... I'm curious.

    Accepted Solution

    Ok yes, I seem to have found a solution.  There is a bug fix that allows you to tune your IPS.  The details on the Bug toolkit can be found here:

    Basically, this is the process I had to do:

    Once the IPS is upgraded to the code that contains this enhancement,
    the further configuration needs to be done as follows:

    1. Log into the sensor via the service account and run the following commands:

    bash-2.05b# su
    bash-2.05b# /etc/init.d/cids stop
    bash-2.05b# cd /usr/cids/idsRoot/etc
    bash-2.05b# vi sensorApp.conf

    2. Add the following lines:


    3. Save the file and exit the editor: "ZZ" or :wq

    4. Reboot the sensor:

    bash-2.05b# /etc/init.d/cids reboot

    NOTE: 800000 is a suggested starting value, this might need to be lowered
    depending on the specific network. The exact value needs to be adjusted
    experimentally based on the performance monitoring.

    One important thing to note is that you must SSH directly into the sensor.  If you session into it from within the ASA, you will lose your connection when you stop cids.  A little knowledge of using the vi editor is also required.  If anyone is not familiar with it, just do a quick Google search, you'll find a wealth of knowledge.

    After tuning the IPS in the manner suggested in this article, my up speeds jumped up to 60-80 Mbps.  Huge improvement.

    Author Closing Comment

    by:Jake Pratt
    After opening a case with Cisco TAC, I was able to find the solution outside, and post it on the site.
