?
Solved

Cisco ASA 5510 is throttling internet bandwidth

Posted on 2011-04-26
9
Medium Priority
?
3,487 Views
Last Modified: 2013-04-30
I have a Cisco ASA 5510 that is throttling our internet bandwidth.  We recently upgraded from a Qwest 20 Mbit connection to a 100 Mbit connection.  The connection should be 100 up and down.  When I run speed tests, I get about 85 down and 4 up.

If I disable my "policy-map global_policy" on my ASA, I get about 88 down and 85 up.  So I know that there is something in the default packet inspection that is slowing things down.  Here are my policies on the ASA:

class-map inspection_default
 match default-inspection-traffic
class-map botnet-DNS
 match port udp eq domain
class-map ips_class_map
 match access-list traffic_for_ips
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
 class ips_class_map
  ips inline fail-open
policy-map botnet-policy
 class botnet-DNS
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy botnet-policy interface Outside

As you can see, I have the botnet traffic filter as well, but the problem seems to be the "global_policy" policy.  If I do a "no service-policy global_policy global", then my upload bandwidth shoots up to 80+ Mbit/sec.  So, my question is, what packet inspection is happening to throttle my bandwidth?  What can I safely change to allow all my bandwidth?

Thanks
0
Comment
Question by:Jake Pratt
  • 6
  • 3
9 Comments
 

Author Comment

by:Jake Pratt
ID: 35472567
Well, it looks like the problem is with my IPS inspection.  When I get rid of:
 class ips_class_map
  ips inline fail-open

My upload speed jumps way up.  Any ideas what I could look for in my IPS inspection to stop the throttling? I think the IPS module is an SSM-10.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35475867
May just be processing speed depending on what traffic you have IPS looking at.  

>> match access-list traffic_for_ips

What traffic are you matching?    
0
 

Author Comment

by:Jake Pratt
ID: 35476019
I am matching all traffic:
access-list traffic_for_ips extended permit ip any any
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 

Author Comment

by:Jake Pratt
ID: 35477523
I tried changing my IPS policy from inline to promiscuous, and my up speeds are now ranging from 7-15 Mbps, but still nowhere near what my down speeds are.  Any ideas on a better way to handle my IPS traffic inspection so it doesn't choke my upload speed so much?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35477661
You might want to have a look at your total traffic....   If removing this policy eases the burden, you may want to target certain traffic.   i.e. only scan traffic coming into the network, or only traffic over port 80, for example.    Not sure if that is ideal in your setup though.  

You could try this to match only the port 80 traffic for example.

access-list traffic_for_ips extended permit tcp any any eq 80
access-list traffic_for_ips extended deny any any

or if you wanted to match all email and web

access-list traffic_for_ips extended permit tcp any any eq 80
access-list traffic_for_ips extended permit tcp any any eq 25
access-list traffic_for_ips extended deny any any



IF neither of those sound appealing, you may want to go to TAC on this one, IMHO.


0
 

Author Comment

by:Jake Pratt
ID: 35488087
I actually have a case opened with TAC.  If I get any results, I'll post them.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 35513956
ANy news...    I'm curious .
0
 

Accepted Solution

by:
Jake Pratt earned 0 total points
ID: 35725038
Ok yes, I seem to have found a solution.  There is a bug fix for that allows you to tune your IPS.  The details on the Bug toolkit can be found here:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv69844

Basically, this is the process I had to do:

Once the IPS is upgraded to the code that contains this enhancement,
the further configuration needs to be done as follows:

1. Log into the sensor via the service account and run the following commands:

bash-2.05b# su
bash-2.05b# /etc/init.d/cids stop
bash-2.05b# cd /usr/cids/idsRoot/etc
bash-2.05b# vi sensorApp.conf

2. Add the following lines:

[Process]
RegexDepth=800000

3. Save the file and exit the editor: "ZZ" or :wq

4. Reboot the sensor:

bash-2.05b# /etc/init.d/cids reboot

NOTE: 800000 is a suggested starting value, this might need to be lowered
depending on the specific network. The exact value needs to be adjusted
experimentally based on the performance monitoring.

One important thing to note is that you must SSH directly into the sensor.  If you session into it from within the ASA, you will lose your connection when you stop cids.  A little knowledge of using the vi editor is also required.  If anyone is not familiar with it, just do a quick Google search, you'll find a wealth of knowledge.

After tuning the IPS in the manner suggested in this article, my up speeds jumped up to 60-80 Mbps.  Huge improvement.
0
 

Author Closing Comment

by:Jake Pratt
ID: 35759566
After opening a case with Cisco TAC, I was able to find the solution outside, and post it on the site.
0

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question