
Cisco ASA 5510 is throttling internet bandwidth

Jake Pratt asked
Medium Priority
Last Modified: 2013-04-30
I have a Cisco ASA 5510 that is throttling our internet bandwidth.  We recently upgraded from a Qwest 20 Mbit connection to a 100 Mbit connection.  The connection should be 100 up and down.  When I run speed tests, I get about 85 down and 4 up.

If I disable my "policy-map global_policy" on my ASA, I get about 88 down and 85 up.  So I know that there is something in the default packet inspection that is slowing things down.  Here are my policies on the ASA:

class-map inspection_default
 match default-inspection-traffic
class-map botnet-DNS
 match port udp eq domain
class-map ips_class_map
 match access-list traffic_for_ips
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
 class ips_class_map
  ips inline fail-open
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
service-policy global_policy global
service-policy botnet-policy interface Outside

As you can see, I have the botnet traffic filter as well, but the problem seems to be the "global_policy" policy.  If I do a "no service-policy global_policy global", then my upload bandwidth shoots up to 80+ Mbit/sec.  So, my question is, what packet inspection is happening to throttle my bandwidth?  What can I safely change to allow all my bandwidth?



Well, it looks like the problem is with my IPS inspection.  When I get rid of:
 class ips_class_map
  ips inline fail-open

My upload speed jumps way up.  Any ideas what I could look for in my IPS inspection to stop the throttling? I think the IPS module is an SSM-10.
Top Expert 2010

May just be processing speed depending on what traffic you have IPS looking at.

>> match access-list traffic_for_ips

What traffic are you matching?


I am matching all traffic:
access-list traffic_for_ips extended permit ip any any


I tried changing my IPS policy from inline to promiscuous, and my up speeds are now ranging from 7-15 Mbps, but still nowhere near what my down speeds are.  Any ideas on a better way to handle my IPS traffic inspection so it doesn't choke my upload speed so much?
Top Expert 2010

You might want to have a look at your total traffic... If removing this policy eases the burden, you may want to target certain traffic, i.e. only scan traffic coming into the network, or only traffic over port 80, for example. Not sure if that is ideal in your setup though.

You could try this to match only the port 80 traffic for example.

access-list traffic_for_ips extended permit tcp any any eq 80
access-list traffic_for_ips extended deny ip any any

or if you wanted to match all email and web

access-list traffic_for_ips extended permit tcp any any eq 80
access-list traffic_for_ips extended permit tcp any any eq 25
access-list traffic_for_ips extended deny ip any any

If neither of those sound appealing, you may want to go to TAC on this one, IMHO.
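An added configuration example, not from this thread or from Cisco, that carries the port 80 idea above one step further: only connections from the Internet to specific DMZ services are handed to the SSM, so bulk outbound transfers from the inside network never wait on the module. The addresses 192.0.2.10 and 192.0.2.25 and the server roles are assumed placeholders for illustration.

```cisco
! Added example (not from the thread). Assumed placeholders: a DMZ web
! server at 192.0.2.10 and a mail relay at 192.0.2.25. Use the addresses
! as the service policy sees them on your ASA version (NAT order changed
! in 8.3), and verify with the show commands at the end.
!
! The existing "permit ip any any" must go first; a new line appended
! after it would never be evaluated.
no access-list traffic_for_ips extended permit ip any any
!
access-list traffic_for_ips remark Inbound connections to the DMZ web server
access-list traffic_for_ips extended permit tcp any host 192.0.2.10 eq 80
access-list traffic_for_ips extended permit tcp any host 192.0.2.10 eq 443
access-list traffic_for_ips remark Inbound mail to the DMZ relay
access-list traffic_for_ips extended permit tcp any host 192.0.2.25 eq 25
access-list traffic_for_ips remark Everything else, including outbound bulk transfers, bypasses the IPS
access-list traffic_for_ips extended deny ip any any
!
class-map ips_class_map
 match access-list traffic_for_ips
!
policy-map global_policy
 class ips_class_map
  ips inline fail-open
!
service-policy global_policy global
!
! Checks: hit counts per ACL line show which flows are actually reaching
! the module, and the service-policy counters confirm the class is applied.
! show access-list traffic_for_ips
! show service-policy global
```

Because the class ACL is evaluated on the packet that opens a connection and the match then applies to both directions of that flow, the return traffic of a matched inbound connection is still inspected while inside-initiated sessions are not.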


I actually have a case opened with TAC.  If I get any results, I'll post them.
Top Expert 2010

Any news... I'm curious.


After opening a case with Cisco TAC, I was able to find the solution outside, and post it on the site.