Link to home
Start Free TrialLog in
Avatar of Winsoup

asked on

Cisco ASA 5505

We took over a small company that is using a Cisco ASA 5505 and we've noticed that their internet speeds we're slow.
They had their ISP come in and test and directly from the modem they are getting 200mbps down which is what they should get.
When we connect to the firewall then they are only getting 20mbps down.
I know that the 5505 probably isn't going to get 200mbps but shouldn't it be better than 20?  

I'm not an expert on this firewall so I'm not really sure where to look to see if there are any policies that could be causing this or what to look for next. I've tried using different ports on the firewall as well. Speeds are set to auto but I did also try manually setting them but that didn't change anything. Any help on what to check would be appreciated.

I can send any logs and configs as requested.

Thank you!!
Avatar of GM GM

"show inventory" what ASA5505 model do you have? If the PID show ASA5505 your Ethernet interfaces at most will be 100Mbps.

"show eth0/1"  you will see Auto-duplex, auto-speed(100Mbps).

"show run policy-map"   Do you see  ?
police output 2000000
police input 2000000

"show run policy-map" and confirm that you do not have any police or shape commands (double check the global policy) do a "show run service-policy" a confirm that you do not have any service policies applied to any interfaces.

Reference bandwidth limit article.
Avatar of Ernie Beek
Just to make sure, there isn't a mixup between Mbps and MBps is there?
Providers normally use mbps but a lot of software uses MBps.

Like GM GM said, have a look at your config (or post it here so we can have a look). The 5505 has 100mbps interfaces so you should be able to hit that (100mbps or 10MBps).

I have a 5505 at home (yeah, I know) with a 150mpbs internet connection and I am able to hit 10-11MBps with that. So my first guess would be that there is something in your config or hardware.
Avatar of Winsoup


Here are the outputs from the sh commands

User generated imageUser generated imageUser generated imageUser generated image
No confusion between Mbps and MBps as it works fine directly from the modem when the ISP tested it.
Your policy-map type... looks to be inspecting  http.   I was hoping you'll show a little more of your capture.  

Send me capture of  "show run | b policy-map" of everything.

show run class-map

show service-policy police
The 'service-policy' command on ASA that enabled to an interface thus control the amount of bandwidth.

look for "service-policy xxxx interface outside"
look for "service-policy xxxx interface  inside"
to remove add "no" in front of it.
Avatar of Winsoup


Here is the entire sh run log. (with IP's taken out of course)
ciscoasa# sh run 
: Saved
ASA Version 8.2(2) 
interface Vlan1
 nameif inside
 security-level 100
 ip address xxxxx
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
<--- More --->
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
regex blocked_domain5 "\.chartbeat\.net"
regex blocked_domain6 "\.foxsports\.com"
regex blocked_domain7 "\.mlb\.com"
regex blocked_domain8 "\.aolmedia\."
regex blocked_domain9 "\.xvideos\."
<--- More --->
regex blocked_domain1 "\.espn\.com"
regex blocked_domain2 "espn\."
regex blocked_domain3 "tinker\."
regex blocked_domain4 "\.howardstern\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service RDP-Access tcp-udp
 description Remote Desktop Protocol
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service 8080 tcp
 description 8080
 port-object eq 8080
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq 6036 
 service-object udp eq 6036 
<--- More --->
access-list outside_access_in extended permit tcp Postini any eq smtp 
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended deny object-group TCPUDP any interface outside object-group RDP-Access 
access-list outside_access_in extended permit tcp any interface outside 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside 
access-list outside_access_in extended permit tcp any interface outside eq 81 
access-list Inside_access_out extended permit ip any any 
access-list user-acl extended deny tcp host any eq www 
access-list user-acl extended permit tcp any any eq www 
access-list user-acl extended permit tcp host any eq www 
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
<--- More --->
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface www www netmask 
static (inside,outside) udp interface www www netmask 
static (inside,outside) tcp interface https https netmask 
static (inside,outside) tcp interface 3389 3389 netmask 
static (inside,outside) udp interface 3389 3389 netmask 
static (inside,outside) tcp interface smtp smtp netmask 
static (inside,outside) tcp interface 6036 6036 netmask 
static (inside,outside) udp interface 6036 6036 netmask 
static (inside,outside) tcp interface 81 81 netmask 
access-group Inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside xxxxxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http dmz
<--- More --->
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns xxxxxx interface inside
dhcpd domain xxxxx interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
<--- More --->
class-map type regex match-any blocked_domain_list
 match regex blocked_domain1
 match regex blocked_domain2
 match regex blocked_domain3
 match regex blocked_domain4
 match regex blocked_domain5
 match regex blocked_domain6
 match regex blocked_domain7
 match regex blocked_domain8
 match regex blocked_domain9
class-map type inspect http match-all blocked_domains_class
 match request header host regex class blocked_domain_list
policy-map type inspect http http_inspection_policy
 match request method connect
  drop-connection log
 class blocked_domains_class
  reset log
policy-map global_policy
<--- More --->
service-policy global_policy global
prompt hostname context 
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

ciscoasa#  exit


Open in new window

This is the output from sh run class-map
User generated image
Sh service-policy police doesn't have any output
I don't see anything that would throttle your bandwidth.

Two approaches that I would try.  But first be sure you perform a backup config.

1. " no service-policy global_policy global"   Turn off your http and blocked domains inspection,  global applies the policy map to all interfaces.    Then check your speed to isolate.

2.  Open a ticket with your ISP, configure your uplink interface to static.  Be sure you have them on phone and then to implement.  I have seen/experienced even though your show interface is Auto-Duplex (Full-duplex), Auto-speed(100 Mbps) it still cause issue.

interface Ethernet0/0
speed 100
duplex full
Avatar of Winsoup


I have done step 2 already with their ISP and it didn't make a difference for us.

Issue I have with making too many changes to the firewall is that I am in Minnesota and they are in Florida so if I get disconnected then I can't get back in.
I guess I could just not write the change and have them restart the firewall if necessary
Perform after hours.  Reload will not save config, don't  "wr mem" until you're certain.  For remote network changes it is best to use 'reload' as a backdoor so even if you're disconnected, you'll wait a few minutes.

The following example reloads ASA in 10 minutes:
ASA5505#reload in 10

To aborts scheduled reload:
ASA5505#reload cancel
Avatar of Winsoup


I removed the global policy and tested but it's still getting 20Mbps
Avatar of Winsoup


What causes all these policy drops? Could that be part of the issue here?

User generated image
The 5505 is rated up to a maximum of 150Mbps under ideal conditions. Realized throughput can/will be much less depending on the traffic in and out of your networks. VPN throughput is considerably less. I would expect you could realistically expect the 50-75Mbps for IMIX.

What type of internet service do you have and from whom? You are paying for 200Mbps+?

harbor235 ;}
Avatar of Winsoup


There is no VPN set up on there as of right now. They only have about 20 PC's connected to it.

Not sure on the type as I haven't been there and this is a pretty new acquisition for us. I believe it's Brighthouse and yes the service being paid for is 200Mbps.
They had a tech come in and test it with the firewall out of the picture and they were getting 170+ but as soon as the firewall was back in the picture it dropped back down to 20.
Avatar of GM GM

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I would also ask how performance was tested, The 5505 cannot sustain a maximum of  5k connections per second. realistically it is much less. Also, firewalls in general do not handle small packets well either. So it is important to know how the test was performed.

A good test for you to perform is a FTP from inside your network to outside your network.
FTP provides a summary of the application throughput when completed, can you provide that information?

harbor235 ;}
Avatar of Winsoup


Any certain FTP application I should use to be able to see the summary?
No, typically I believe all of them provide the summary information on completion.

e.g. X bytes transferred in X seconds, from that we can get application throughput and then approximate reasonable  network performance.

harbor235 ;}
Avatar of Winsoup


This is from a 10MB file.

User generated image

Here is what I get on a 100Mbps connection that is actually working.

User generated image
So that is ~4-5Mbps for that single ftp flow , not sure if anything else is going through that firewall at the time? and what the interface stats look like?

show interface <enter external interface here> when doing the xfer, looking for the rate or bps fields

harbor235 ;}
Avatar of Winsoup


Is this what you're looking for? The first one is before the transfer and the second is during.

User generated image
Not much traffic, I would need to see how your network is put together, hard to tell from what we have here.

harbor235 ;}
Avatar of Winsoup


How do I find out what these scanning attacks are?
User generated image
is youre connection symetric. if not put youre interface on half duplex, this wil fix youre issue
Avatar of Winsoup


We got a switch and put it between the ISP and the Firewall and the speed went up to about 94bps so that worked!

Thanks everyone for your responses.