Solved

Cisco ASA 5505 - Maximum Bandwidth Usage

Posted on 2013-05-20
11
1,606 Views
Last Modified: 2013-05-22
Hi,

Managing a Cisco ASA 5505 connected to a DSL modem (10MB upload and about 850kbps download).  Total of about 10 users plus three servers.

On Friday, all 10 users were in the office and the DSL connection was functioning as it should.  Round trip ping times were where they should be and overall, the speed was good.

Today, there is latency when pinging outside hosts and the connection is slow.  The ASDM is showing that the output value for the outside connection is between 850kbps and 900kbps continuous (going on 3+ hours now).  Therefore it appears that I am maxing out the upload portion of my DSL connection.  There are nine users in the office today and to my knowledge none of them are uploading any files that would take 3+ hours.

What could explain the drastic change from Friday to Monday?

Thanks
0
Comment
Question by:TacomaVA
  • 4
  • 4
  • 3
11 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 250 total points
ID: 39182124
All sorts of things... viruses/adware/spyware, backup programs like mozy, etc.

There are a couple ways to figure out who's doing the uploading. The down and dirty way is to unplug one pc at a time and test the up/down speeds until you figure out who it is. You may need to have multiple people unplugged to figure this out if you caught a virus of some sort.
Alternately, configure netflow if your ASA is IOS 8.2.5 or better, and download a netflow collector trial. I use PRTG as it's free up to 10 sensors and just recently helped my customer find a backup device that was uploading 10's of gigs to the cloud during the day.

It would also be a good idea to power cycle the modem and asa just in case something goofy is happening with them.

You could also disconnect the ASA, and plug a laptop directly in to the modem and test the speeds. If you still get crappy speeds, then most likely the speed issues have nothing to do with your internal network.
0
 

Author Comment

by:TacomaVA
ID: 39182349
Thanks rauenpc, I'll shutdown the devices this evening and see what happens.

One thing I have noticed is that the output bit rate on the outside interface has varied quite a bit today.  For example, during one 60 second window, the bit rate was 679, 129, 15, 58, 10, 513.  Then a bit later on, during another 60 second window, the bit rate was 867, 870,  860, 875, 706, 652.  Does that mean anything that it is so varied?

Thanks
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39182472
um... maybe. There are many reasons that it could be varied. This ranges from business as usual to malicious threats. The only good way to determine how normal traffic goes for your office would be to monitor traffic over a period of time so you can see historical data.
0
 

Author Comment

by:TacomaVA
ID: 39182912
Hi rauenpc.  I stopped by the office this evening (15min after close) after everyone had left and I checked the output Kbps for the outside interface.  It was running between 0 and 45 Kbps.  A few of the users had shut their machines down, so I started those machines and verified that all Ethernet equipped devices were powered on.  The outside interface was still showing between 0 and 45 Kbps.

On two machines, I ran a few updates just to put some traffic on the network and when I did, the output for the outside interface increased briefly (~175Kbps), but then went back to between 0 and 45Kbps.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39183159
Perhaps this is a sporadic occurrence of high bandwidth utilization, or it could be time-of-day related. You're in a situation that's great when you have fancy data collectors that can show you bandwidth utilization in a historical manner, but unfortunate when you can only take a guess and check approach which can be very fast or tediously slow. Perhaps give shutting machines down a try during times of congestion.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 39183739
Hi,

What I usually do if there is no monitoring software available to help is that I check the NAT translations and check for weird behaviour. For example hosts running a lot of connections on really high port numbers which in my network can show tendencies of peer to peer traffic.

Command: show xlate

For your servers you can use Performance Monitor (if you run Windows Server) in order to see if there is any unusual behaviour.
Though, for a file server for example this might not give you any clues of course.
0
 

Author Comment

by:TacomaVA
ID: 39184952
Thanks MarcusSjogren and rauenpc.  Today, my output for the outside interface is 800Kbps to 850Kbps.  It's a 10MB download and 868Kbps upload DSL connection.  However, if I run a broadband speed test, I don't get anywhere near those speeds (3.56MB and 500Kbps or so).

At this moment, I have 7 of 10 users using individual FirePass or Cisco VPN clients.  Could seven outbound VPN clients eat up 800Kbps of bandwidth?

Thanks
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39185054
Sure, just depends on what they are doing. Idle VPN connections will not eat up that much, but the users could be doing all sorts of things. Again, this is a tough troubleshooting spot when there is no monitoring in place such as netflow.

Also, when doing the speed test you will only get the 10m/868k when no one else is using the link. If half of the link of chewed up by others, the speed test will only have the remaining half of the link to test with so your speed results would be about half of your max.
0
 
LVL 4

Assisted Solution

by:MarcusSjogren
MarcusSjogren earned 250 total points
ID: 39186926
Hi,

As rauenpc says - one user can consume all bandwidth and ten users can consume almost nothing, all depends on what they are doing.
Even though the below might solve some of your issues - it's of course always best to find what is causing the behaviour.

Also consider upgrading your DSL-connection as 800kbit/s is not much for 10 users and some servers to share, 50kbit/s is easily consumed today.

What I would do if I were you is that I would put priority on the services that you find important. Some might say that it wont make much difference to just have priority in the local firewall, but it actually does great difference.

Note that web-browsing is not important so don't put any priority on it. :-)

Check here in order to find out how to do it: http://wiki.yawhois.com/wiki/index.php/Cisco_ASA_-_Configure_QoS_for_VoIP

The traffic matching is done using the below line so you need to adjust it to match your preferences:
match dscp ef

Good luck!
0
 

Author Comment

by:TacomaVA
ID: 39187987
Thank you to both of you for your help.  I was able to troubleshoot this issue yesterday evening.

I pulled the send/receive data for each port on the switch and found a port that was sending an excessive amount of data.  That particular user is using a MacBook Pro with Outlook 2011.  This AM I noticed that the bandwidth issues began shortly after this particular user powered on his laptop and began working in Outlook.

After a bit of Google searching, I found out that there is a syncing problem with Outlook for Mac 2011.  I looked at the user's Outlook and found the deleted items folder was trying to upload 275 messages to the Exchange server, but was unable to.  For whatever reason, when Outlook for Mac 2011 was attempting to upload the messages, it consumed the entire upload bandwidth.  Once I fixed the upload issue in Outlook, the upload bandwidth returned to normal levels.

Here are two links for information on this issue:
http://answers.microsoft.com/en-us/mac/forum/macoffice2011-macoutlook/outlook-2011-high-network-bandwidth-useage-after/a92ff1c9-7126-454a-8f7e-f49074094a41

http://community.office365.com/en-us/forums/158/t/59104.aspx
0
 
LVL 4

Expert Comment

by:MarcusSjogren
ID: 39188000
There you go! Good job!

Outlook for MAC is and has always been very shaky so I'm not surprised  at all.

Marcus
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now