Solved

Bandwidth limited by ASA

Posted on 2013-05-10
13
Medium Priority
913 Views
Last Modified: 2013-05-14
I have a 20Mbit/sec leased line with no limit on burst download. When I test download speeds, I can see that it is limited to 25Mbit/sec. I moved them onto our old PIX to test it, and the bandwidth seems to reach 50Mbit/sec with it. This is a huge difference.
All other equipment is equal when I run the tests. Same server, same switch port. The only change is the gateway is switched from the ASA to the PIX. What would cause this? The interface port on both is set to 100Mb/full, as is the next device that they connect to in the data centre.
CPU on the ASA stays around 8-9% during my tests.
I do have IPS enabled on the ASA, could this be the cause?
0
Comment
Question by:Cashbuddies
13 Comments
 
LVL 6

Assisted Solution

by:BurundiLapp
BurundiLapp earned 532 total points
ID: 39155146
Are you able to take the ASA out of the equation altogether and connect the leased line directly to a test workstation or server and perform your tests again?

Do you have control of the other end that you are downloading the data from, can you guarantee the performance from this endpoint?
0
 

Author Comment

by:Cashbuddies
ID: 39155171
Hi,
I can't remove the ASA and connect directly, as the next hop is not in our control.
I have control over the other end point, and everything is the same. A slight difference could be explained as a slight variation from the endpoint, but this is twice the bandwidth. Huge difference.

For more info:
Memory is around 11%.
And I notice that the outside interface on the ASA has 66884 input errors, and they are all overrun errors.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 39155444
>>the asa has 66884 input errors, and they are all overrun errors.

Set the speed and duplex of this interface manually
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 268 total points
ID: 39155460
i.e.

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124

or 'interface Vlan2' if it's a 5505

Pete
0
 

Author Comment

by:Cashbuddies
ID: 39155604
Yep, it's already set to 100full.
I cleared the stats for the input errors, and haven't had any more since. These were probably old ones from when we changed from auto to 100full a few years ago.
0
 
LVL 5

Expert Comment

by:aarie
ID: 39156027
Is the traffic passed through the IPS module you have in the ASA? Depending on the configuration of the IPS, this can have serious impact on the throughput. Each packet passing through the IPS will be inspected, which costs time, slowing down traffic.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39156066
I do have IPS enabled on the ASA, could this be the cause?

According to this thread (https://supportforums.cisco.com/thread/2081067) there is a bug (CSCsv69844).

Workaround is to set the Regex Depth Setting to 800000.

Instructions here:  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv69844
0
 

Author Comment

by:Cashbuddies
ID: 39160856
I have logged a TAC with Cisco.
I'll see what they recommend. Thanks for the pointers so far
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39162816
Which ASA model do you have? Some obviously are more powerful than others.

How many interfaces are connected, and what are all their speeds?

The throughput an ASA (even a PIX) can handle is the total throughput across all interfaces combined.
0
 

Author Comment

by:Cashbuddies
ID: 39163776
It's a 5510 with 4 x 100Mb interfaces in use, a failover interface, and 2 VLANS.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 800 total points
ID: 39164409
With IPS enabled you can either do 150 Mbps (AIP SSM-10) or 300 Mbps (AIP SSM-20).

Which one do you have installed?

Remember these are total system throughput figures. So with 4 x 100 Mbps interfaces, depending on the traffic flowing through the ASA, you could be hitting the system's maximum performance.

When you tested with the PIX, did you move all interfaces and traffic to the PIX, or just the Internet traffic?

Can you monitor/measure the throughput on all of the ASA interfaces?
0
 

Author Comment

by:Cashbuddies
ID: 39164420
We have AIP SSM-10.
When I tested it I only moved this one server over to the PIX.

That could well explain the discrepancy. I have PRTG monitoring on all the interfaces, so I can look at the usage on the other interfaces whenever I see low throughput on the outside interface.
I'll close this off as I think that's a fair explanation. This morning the speed reached 65Mbit/sec with the ASA.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39164936
Thanks for the points.

Using PRTG (or any other SNMP-type tool) will help. However, you only want to total up the bps on the inbound side of each interface. That will give you the total amount of traffic that is flowing through the ASA. Ignore the outbound bps.
0
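The aggregate check giltjr describes, written out as an added example (not code from the thread or from Cisco/PRTG): two SNMP ifInOctets snapshots per interface are turned into inbound Mbps, summed across interfaces, and compared with the IPS module throughput figures quoted in the accepted answer. The interface names and counter values are constructed, and the 32-bit counter wrap handling is an assumption about the counters you poll.

```python
# Added example (not from the thread): total inbound throughput across all
# ASA interfaces from two SNMP ifInOctets samples, as giltjr suggests, and
# compare it with the system-wide IPS throughput figures in the accepted
# answer (150 Mbps for AIP SSM-10, 300 Mbps for AIP SSM-20).
# Interface names and counter values are constructed for illustration.

IPS_THROUGHPUT_MBPS = {"AIP SSM-10": 150, "AIP SSM-20": 300}
COUNTER32_MAX = 2 ** 32  # assumption: ifInOctets is a 32-bit counter that wraps


def counter_delta(old, new, modulus=COUNTER32_MAX):
    """Octets counted between two samples, allowing for one counter wrap."""
    if new >= old:
        return new - old
    return modulus - old + new


def inbound_mbps(sample_t0, sample_t1, interval_s):
    """Per-interface inbound rate in Mbps from two ifInOctets snapshots.

    Only inbound counters are totalled: each packet crossing the ASA enters
    on exactly one interface, so summing the inbound side counts every flow
    once, whereas adding outbound as well would double count.
    """
    rates = {}
    for ifname, octets_t0 in sample_t0.items():
        delta = counter_delta(octets_t0, sample_t1[ifname])
        rates[ifname] = delta * 8 / interval_s / 1_000_000
    return rates


def ips_headroom(rates, module):
    """Return (total inbound Mbps, module cap Mbps, percent of cap used)."""
    total = sum(rates.values())
    cap = IPS_THROUGHPUT_MBPS[module]
    return round(total, 2), cap, round(total / cap * 100, 1)


# Constructed 30-second samples (bytes) for a 5510 with four 100 Mb interfaces.
# "outside" is placed near the 32-bit limit so the wrap path is exercised.
T0 = {"outside": 4_250_000_000, "inside": 1_200_000_000,
      "dmz": 900_000_000, "vlan10": 500_000_000}
T1 = {"outside": (4_250_000_000 + 93_750_000) % COUNTER32_MAX,  # 25 Mbps
      "inside": 1_200_000_000 + 281_250_000,                    # 75 Mbps
      "dmz": 900_000_000 + 112_500_000,                         # 30 Mbps
      "vlan10": 500_000_000 + 37_500_000}                       # 10 Mbps

if __name__ == "__main__":
    rates = inbound_mbps(T0, T1, 30)
    print(rates, ips_headroom(rates, "AIP SSM-10"))
```

With these figures the outside interface alone looks idle at 25 Mbps, but the four inbound sides add up to 140 Mbps, which is 93% of the SSM-10 figure.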
