• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 931
  • Last Modified:

Bandwidth limited by ASA

I have a 20Mbit/sec leased line with no limit on burst download. When I test download speeds, I can see that it is limited to 25Mbit/sec. I moved them onto our old PIX to test it, and the bandwidth seems to reach 50Mbit/sec with it. This is a huge difference.
All other equipment is equal when I run the tests. Same server, same switch port. The only change is the gateway is switched from the ASA to the pix. What would cause this? The interface port on both is set to 100Mb/full, as is the next device that they connect to in the data centre.
CPU on the ASA stays around 8-9% during my tests.
I do have IPS enabled on the ASA, could this be the cause?
0
Cashbuddies
Asked:
Cashbuddies
  • 5
  • 3
  • 2
  • +3
3 Solutions
 
BurundiLappCommented:
Are you able to take the ASA out of the equation altogether and connect the leased line directly to a test workstation or server and perform your tests again?

Do you have control of the other end that you are downloading the data from, can you guarantee the performance from this endpoint?
0
 
CashbuddiesAuthor Commented:
Hi,
I can't remove the ASA and connect directly, as the next hop is not in our control.
I have control over the other end point, and everything is the same. A slight difference could be explained as a slight variation from the endpoint, but this is twice the bandwidth. Huge difference.

For more info:
Memory is around 11%.
And I notice that the outside interface on the asa has 66884 input errors, and they are all overrun errors.
0
 
Pete LongConsultantCommented:
>>the asa has 66884 input errors, and they are all overrun errors.

Set the speed and duplex of this interface manually
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
Pete LongConsultantCommented:
ie

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124

or 'interface Vlan2" if its a 5505

Pete
0
 
CashbuddiesAuthor Commented:
Yep, its already set to 100full.
I cleared the stats for the input errors, and haven't had any more since. These were probably old ones from when we did change from auto to 100full back a few years ago.
0
 
aarieCommented:
Is the traffic passed through the IPS module you have in the ASA? Depending on the configuration of the IPS, this can have serious impact on the throughput. Each packet passing through the IPS will be inspected, which costs time, slowing down traffic.
0
 
asavenerCommented:
I do have IPS enabled on the ASA, could this be the cause?

According to this thread (https://supportforums.cisco.com/thread/2081067) there is a bug (CSCsv69844).

Workaround is to set the Regex Depth Setting to 800000.

Instructions here:  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv69844
0
 
CashbuddiesAuthor Commented:
I have logged a TAC with cisco.
I'll see what they recommend. Thanks for the pointers so far
0
 
giltjrCommented:
Which ASA model do you have?  Some obviouly are more powerful than others.

How many interface are connected and what are all their speeds?

The through-put a ASA  (even a PIX) can handle is total through-put between all interfaces combined.
0
 
CashbuddiesAuthor Commented:
It's a 5510 with 4 x 100Mb interfaces in use, a failover interface, and 2 VLANS.
0
 
giltjrCommented:
With IPS enabled you can either do 150 Mbps (AIP SSM-10) or 300 Mbps (AIP SSM-20).

Which one do you have installed?

Remember these are total system through-put.  So with 4 x 100 Mbps interfaces depending on traffic flowing through the ASA you could be hitting system max performance.

When you tested with the PIX did you move all interface and traffic to the PIX, or just the Internet traffic?

Can you monitor/measure the through-put on all of the ASA interfaces?
0
 
CashbuddiesAuthor Commented:
We have AIP SSM-10.
When I tested it I only moved this one server over to the PIX.

That could well explain the discrepancy. I have PRTG monitor on all the interfaces, so I can look at the  usage on the other interfaces whenever I see low throughput on the outside interface.
I'll close this off as I think that's a fair explanation. This morning the speed reached 65Mbit/sec with the ASA.
0
 
giltjrCommented:
Thanks for the points.

Using PRTG (or any other SNMP type tool) will help.  However, you only want to total up the bps on the inbound side of each interface.  That will give you the total amount of traffic that is flowing through the ASA.  Ignore the outbound bps.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 5
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now