TechGuy_007
asked on
ASA 5505 Slowing Internet
I have an ASA 5505 that's absolutely killing our Internet connection - takes 80Mbps down / 20Mbps up and slows it to 9/1 - confirmed by plugging directly into Comcast modem. There is an SSL VPN tunnel between our office and HQ, and QoS / prioritizing for our VoIP phones in place (VoIP server at HQ). The problem persists even when tunnels are disabled. When I disabled all traffic shaping / prioritizing rules the upload speed is restored but download is unchanged. When running a speed test, the download begins at around 25Mbps then quickly slows to around 9Mbps. Upload speed is consistently around 1Mbps. I'm not very familiar with Cisco, taking over this client from a previous IT person. Not sure what to check from here - any advice?
ASKER
PC Thread 5Sec 1Min 5Min Process
0805520c c69ab7b8 0.0% 0.0% 0.0% block_diag
081a86c4 c69ab3c8 0.3% 0.3% 0.5% Dispatch Unit
08f095a3 c69aade0 0.0% 0.0% 0.0% y88acs06 OneSec Thread
08069f06 c69aa9f0 0.0% 0.0% 0.0% Reload Control Thread
08072196 c69aa7f8 0.0% 0.0% 0.0% aaa
08c73c5d c69aa600 0.0% 0.0% 0.0% UserFromCert Thread
080a6f36 c69aa210 0.0% 0.0% 0.0% CMGR Server Process
080a7445 c69aa018 0.0% 0.0% 0.0% CMGR Timer Process
081a7aec c69a9838 0.0% 0.0% 0.0% dbgtrace
08475565 c69a9058 0.0% 0.0% 0.0% eswilp_svi_init
08c73c5d c69a8098 0.0% 0.0% 0.0% netfs_thread_init
09311e85 c69a76c0 0.0% 0.0% 0.0% Chunk Manager
088e2cbe c69a74c8 0.0% 0.0% 0.0% PIX Garbage Collector
088d6084 c69a72d0 0.0% 0.0% 0.0% IP Address Assign
08ab0196 c69a70d8 0.0% 0.0% 0.0% QoS Support Module
0895273f c69a6ee0 0.0% 0.0% 0.0% Client Update Task
09361e8a c69a6ce8 0.0% 0.0% 0.0% Checkheaps
08ab46c5 c69a6700 0.0% 0.0% 0.0% Quack process
08b0c232 c69a6508 0.0% 0.0% 0.0% Session Manager
08c1f4b5 c69a6118 0.0% 0.0% 0.0% uauth
08bbdaf5 c69a5f20 0.0% 0.0% 0.0% Uauth_Proxy
08bf419e c69a5938 0.0% 0.0% 0.0% SSL
08c1d446 c69a5740 0.0% 0.0% 0.0% SMTP
08c15df6 c69a5548 0.0% 0.0% 0.0% Logger
08c166a8 c69a5350 0.0% 0.0% 0.0% Syslog Retry Thread
08c1066e c69a5158 0.0% 0.0% 0.0% Thread Logger
08e448a2 c69a4390 0.0% 0.0% 0.0% vpnlb_thread
08f0bb35 c69a3bb0 0.0% 0.0% 0.0% pci_nt_bridge
08279c1d c69a37c0 0.0% 0.0% 0.0% TLS Proxy Inspector
08b25ed3 c69a35c8 0.0% 0.0% 0.0% emweb/cifs_timer
0869fa57 c69a33d0 0.0% 0.0% 0.0% netfs_mount_handler
08535028 c69a31d8 0.0% 0.0% 0.0% arp_timer
0853cdac c69a2fe0 0.0% 0.0% 0.0% arp_forward_thread
085acbc5 c69a2de8 0.0% 0.0% 0.0% Lic TMR
08c22491 c69a2bf0 0.0% 0.0% 0.0% tcp_fast
08c255f0 c69a29f8 0.0% 0.0% 0.0% tcp_slow
08c50bc9 c69a2800 0.0% 0.0% 0.0% udp_timer
080fd9f8 c69a2608 0.0% 0.0% 0.0% CTCP Timer process
08df3493 c69a2410 0.0% 0.0% 0.0% L2TP data daemon
08df4263 c69a2218 0.0% 0.0% 0.0% L2TP mgmt daemon
08de05f8 c69a2020 0.0% 0.0% 0.0% ppp_timer_thread
08e44d77 c69a1e28 0.0% 0.0% 0.0% vpnlb_timer_thread
08114d7f c69a1c30 0.0% 0.0% 0.0% IPsec message handler
0812904c c69a1a38 0.0% 0.0% 0.0% CTM message handler
089b1589 c69a1840 0.0% 0.0% 0.0% NAT security-level reconfiguration
08ae0068 c69a1648 0.0% 0.0% 0.0% ICMP event handler
08dafa74 c69a1450 0.0% 0.0% 0.0% Dynamic Filter VC Housekeeper
08837353 c69a1258 0.0% 0.0% 0.0% IP Background
08190627 c69a1060 0.0% 0.0% 0.0% tmatch compile thread
089e0f75 c69a0e68 0.0% 0.0% 0.0% Crypto PKI RECV
089e44aa c69a0c70 0.0% 0.0% 0.0% Crypto CA
08a1b8e3 c69a0a78 0.0% 0.0% 0.0% CERT API
085da33d c69a0880 0.0% 0.0% 0.0% ESW_MRVL switch interrupt service
08a5ef60 c69a0688 0.0% 0.0% 0.0% lina_int
085d2cec c69a0490 13.3% 9.3% 9.6% esw_stats
088f4e48 c69a0298 0.0% 0.0% 0.0% uauth_urlb clean
088dc0bf c69a00a0 0.0% 0.0% 0.0% pm_timer_thread
084c3609 c699fea8 0.0% 0.0% 0.0% IKE Timekeeper
084b6fa1 c699fcb0 0.0% 0.0% 0.0% IKE Daemon
08bd096a c699fab8 0.0% 0.0% 0.0% RADIUS Proxy Event Daemon
08b9f28b c699f8c0 0.0% 0.0% 0.0% RADIUS Proxy Listener
08bcf567 c699f6c8 0.0% 0.0% 0.0% RADIUS Proxy Time Keeper
08523ff5 c699f4d0 0.0% 0.0% 0.0% Integrity FW Task
081c065b c699f2d8 0.0% 0.0% 0.0% ci/console
0891511c c699f0e0 0.0% 0.0% 0.0% update_cpu_usage
0891047a c699ecf0 0.0% 0.0% 0.0% NIC status poll
08b5865b c699e708 0.0% 0.0% 0.0% SNMP Notify Thread
0852cfa6 c699e510 0.0% 0.0% 0.0% IP Thread
085345ae c699e318 0.0% 0.0% 0.0% ARP Thread
08452e20 c699e120 0.0% 0.0% 0.0% icmp_thread
08c51b46 c699df28 0.0% 0.0% 0.0% udp_thread
08c275cc c699dd30 0.0% 0.0% 0.0% tcp_thread
08c314e3 c699db38 0.0% 0.0% 0.0% npshim_thread
08c73c5d c699d940 0.0% 0.0% 0.0% rtcli async executor process
08b9f28b c699d748 0.0% 0.0% 0.0% EAPoUDP-sock
081e7585 c699d550 0.0% 0.0% 0.0% EAPoUDP
0821df53 c699d358 0.0% 0.0% 0.0% emweb/https
08213f96 c699d160 0.0% 0.0% 0.0% Timekeeper
08c73c5d c699cf68 0.0% 0.0% 0.0% Unicorn Proxy Thread
08b9f28b c699c980 0.0% 0.0% 0.0% IKE Receiver
08c32604 c699c788 0.0% 0.0% 0.0% listen/ssh
081c9031 c699c590 0.0% 0.0% 0.0% DHCPD Timer
081cac0e c699c398 0.0% 0.0% 0.0% dhcp_daemon
08e2446d c699bfa8 0.0% 0.0% 0.0% vpnfol_thread_msg
08e2adc2 c699bdb0 0.0% 0.0% 0.0% vpnfol_thread_timer
08e28fe2 c699bbb8 0.0% 0.0% 0.0% vpnfol_thread_sync
08e2a8cc c699b9c0 0.0% 0.0% 0.0% vpnfol_thread_unsent
08520388 c699b7c8 0.0% 0.0% 0.0% Integrity Fw Timer Thread
0869fb3c c699b5d0 0.0% 0.0% 0.0% netfs_vnode_reclaim
08be4fcb c698bfb8 0.0% 0.0% 0.0% ssh/timer
088e6ecc c698b7d8 6.6% 0.8% 0.2% ssh
Memory
Dynamic Shared Objects(DSO): 0 bytes
Least free memory: 357324128 bytes (67%)
Most used memory: 179546784 bytes (33%)
MEMPOOL_DMA POOL STATS:
Non-mmapped bytes allocated = 39583744
Number of free chunks = 58
Number of mmapped regions = 0
Mmapped bytes allocated = 0
Max memory footprint = 39583744
Keepcost = 10318768
Max contiguous free mem = 10318768
Allocated memory in use = 29236568
Free memory = 10347176
----- fragmented memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
16 4 64
24 19 456
32 3 96
40 17 680
48 1 48**
48 3 144
72 1 72
112 1 112
144 1 144
168 2 336
200 1 200
384 1 488
768 1 856
1024 1 1096
16384 1 23376
10318768 1 10318768*
* - top most releasable chunk.
** - contiguous memory on top of heap.
----- allocated memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
48 15 720
56 1428 79968
64 158 10112
72 27 1944
80 14 1120
88 3 264
112 26 2912
120 8 960
128 1 128
136 9 1224
144 7 1008
152 2 304
168 2 336
176 12 2112
184 3 552
200 3 600
232 1 232
240 3 720
248 1 248
256 5 1280
512 4 2048
1024 102 104448
2048 1 2048
4096 2 8192
8192 2 16384
12288 1 12288
16384 3 49152
24576 6 147456
32768 5 163840
65536 12 786432
98304 6 589824
131072 1 131072
196608 2 393216
262144 2 524288
393216 1 393216
786432 1 786432
1048576 1 1048576
1572864 1 1572864
2097152 3 6291456
12582912 1 12582912
MEMPOOL_GLOBAL_SHARED POOL STATS:
Non-mmapped bytes allocated = 381681664
Number of free chunks = 286
Number of mmapped regions = 0
Mmapped bytes allocated = 0
Max memory footprint = 381681664
Keepcost = 319922768
Max contiguous free mem = 319922768
Allocated memory in use = 61033816
Free memory = 320647848
----- fragmented memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
16 55 880
24 55 1320
32 44 1408
40 38 1520
48 1 48**
48 8 384
56 7 392
64 9 576
72 1 72
80 3 240
88 2 176
96 1 96
112 2 224
128 1 128
160 4 640
192 2 384
232 3 696
240 1 240
248 5 1240
256 5 1464
512 1 624
1024 3 3840
1536 1 1640
2048 4 10912
4096 1 5312
6144 2 14704
8192 7 64552
12288 4 60064
16384 3 62104
24576 2 62896
65536 1 98256
98304 1 116736
196608 1 206168
319922768 1 319922768*
* - top most releasable chunk.
** - contiguous memory on top of heap.
----- allocated memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
48 610 29280
56 521 29176
64 3948 252672
72 154 11088
80 784 62720
88 282 24816
96 59 5664
104 1960 203840
112 84 9408
120 191 22920
128 199 25472
136 24 3264
144 27 3888
152 618 93936
160 81 12960
168 134 22512
176 148 26048
184 390 71760
192 109 20928
200 105 21000
208 15 3120
216 39 8424
224 11 2464
232 17 3944
240 86 20640
248 54 13392
256 597 152832
384 275 105600
512 265 135680
768 26 19968
1024 252 258048
1536 14 21504
2048 358 733184
3072 38 116736
4096 42 172032
6144 8 49152
8192 90 737280
12288 18 221184
16384 53 868352
24576 15 368640
32768 30 983040
49152 6 294912
65536 175 11468800
98304 6 589824
131072 16 2097152
196608 9 1769472
262144 1 262144
393216 7 2752512
524288 4 2097152
786432 1 786432
1048576 1 1048576
1572864 1 1572864
2097152 2 4194304
4194304 1 4194304
8388608 2 16777216
Summary for all pools:
Non-mmapped bytes allocated = 421265408
Number of free chunks = 344
Number of mmapped regions = 0
Mmapped bytes allocated = 0
Max memory footprint = 421265408
Keepcost = 330241536
Allocated memory in use = 90270384
Free memory = 330995024
sh xlate count
109 in use, 744 most used
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 1/s 0/s
TCP Conns 0/s 0/s
UDP Conns 1/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 100.00%
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f0, MTU not set
IP address unassigned
8252641 packets input, 6803642940 bytes, 0 no buffer
Received 194 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
227854 switch ingress policy drops
5648872 packets output, 1559037116 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f1, MTU not set
IP address unassigned
6101814 packets input, 1756359147 bytes, 0 no buffer
Received 59156 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
7897567 packets output, 6464408673 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f2, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f3, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f4, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f5, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f6, MTU not set
IP address unassigned
17568 packets input, 3908746 bytes, 0 no buffer
Received 146 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
40879 packets output, 55998811 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 70ca.9b5e.12f7, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 70ca.9b5e.12f8, MTU 1500
IP address 10.0.10.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
5859955 packets input, 1615916315 bytes
7941113 packets output, 6375584386 bytes
27665 packets dropped
1 minute input rate 87 pkts/sec, 13303 bytes/sec
1 minute output rate 144 pkts/sec, 174158 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 68 pkts/sec, 29975 bytes/sec
5 minute output rate 100 pkts/sec, 110847 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 70ca.9b5e.12f8, MTU 1500
IP address xx.xx.xx.xx, subnet mask 255.255.255.252
Traffic Statistics for "outside":
8026896 packets input, 6623939696 bytes
5650529 packets output, 1450806909 bytes
23595 packets dropped
1 minute input rate 150 pkts/sec, 182219 bytes/sec
1 minute output rate 87 pkts/sec, 13399 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 101 pkts/sec, 112266 bytes/sec
5 minute output rate 64 pkts/sec, 24909 bytes/sec
5 minute drop rate, 0 pkts/sec
Can you please post sanitized config?
Hi there,
Were there any changes done on the setup of late?
ASKER
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxx
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxx
access-list outsideINGRESS extended permit ip host xxxxxx any
access-list outsideINGRESS extended permit icmp any any echo-reply
access-list cryptoMap_xxxxx extended permit ip 10.0.10.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list cryptoMap_xxxxx extended permit ip 10.0.10.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list noNat extended permit ip 10.0.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list noNat extended permit ip 10.0.10.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list noNat extended permit ip 10.0.10.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list noNat extended permit ip 10.0.10.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list cryptoMap_toAdmin extended permit ip 10.0.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list cryptoMap_toAdmin extended permit ip 10.0.10.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list policed-traffic extended deny ip 10.0.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list policed-traffic extended deny ip 10.0.4.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list policed-traffic extended deny ip 10.0.10.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list policed-traffic extended deny ip 10.0.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list policed-traffic extended permit ip any any
access-list priority-traffic extended permit ip 10.0.10.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list priority-traffic extended permit ip 10.0.10.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list priority-traffic extended permit ip 10.0.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list priority-traffic extended permit ip 10.0.4.0 255.255.255.0 10.0.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host xxxxxx outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list noNat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsideINGRESS in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http xxxxxxx outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address cryptoMap_xxxxx
crypto map outside_map 1 set peer xxxxx
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address cryptoMap_toAdmin
crypto map outside_map 2 set peer xxxxx
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 30
ssh 10.0.10.0 255.255.255.0 inside
ssh xxxxxxx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 30
dhcpd dns 10.0.1.7
dhcpd domain xxxxxx
dhcpd option 3 ip 10.0.10.1
dhcpd option 242 ascii MCIPADD=10.0.2.66,HTTPSRVR=10.0.2.67,MCPORT=1719
!
dhcpd address 10.0.10.100-10.0.10.150 inside
dhcpd enable inside
!
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
username xxxx password xxxxx encrypted privilege 15
tunnel-group xxxxxx type ipsec-l2l
tunnel-group xxxxxx ipsec-attributes
pre-shared-key xxxxx
tunnel-group xxxxxx type ipsec-l2l
tunnel-group xxxxxx ipsec-attributes
pre-shared-key xxxx
!
class-map priority-traffic
match access-list priority-traffic
class-map policed-traffic
match access-list policed-traffic
!
!
policy-map policed-traffic
class policed-traffic
police output 1000000
police input 10000000
class priority-traffic
priority
!
service-policy policed-traffic interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxx
: end
ASKER
No recent changes
Hi There,
The performance parameters look normal as per the provided outputs.
80Mbps down (download) / 20Mbps (upload) is the Internet connection that you have purchased, but the actual policing defined on your box is the reason that your Internet connection goes slow, as exactly pointed out by SIM50 (don't wanna take credit for this).
@SIM50:
For my learning.
Could you help me understand the numbers below that you have suggested? I believe you have given a buffer of 3 Mbps that is kept away from the policing in both OUT/IN directions. Is that the best practice?
conf t
policy-map policed-traffic
class policed-traffic
police output 17000000
police input 77000000
end
wr
I made a few assumptions based on the provided information.
It's a relatively small office location which uses something like Verizon business for ISP. Most likely it recently upgraded its internet line but didn't adjust QoS policy. I think previously they could have had something like 10Mbps upload/2Mbps download.
With Verizon business or similar, you don't usually get to full circuit capacity - you will be 0.5-1Mbps off. It's not like a circuit going to a data center or a colo.
Small office will have around 20-30 phones. There is a high probability that at any given time, there will be no more than 6-10 simultaneous calls. If you want to get a precise number, there is a formula for calculating the required SIP trunks for a number of phones. I just guesstimated.
Depending on the codec they use, different bandwidth will be required due to the built-in compression and quality of the call. Let's be conservative and say each call requires 64Kbps. 10 calls = 640Kbps.
I left 1.5Mbps to compensate for my margin of error since I am just guessing and I am a security, not VoIP, architect.
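The mismatch discussed above, as an added example that is not part of the original thread: a short Python check that reads the `police` rates from an ASA policy-map and compares them with the circuit speed. Assumptions: the policy is applied on the outside interface (so `input` is download and `output` is upload), the 640 Kbps voice budget is the 10-call estimate from the post, and the function names and the 50% "throttled" threshold are illustrative.

```python
# Policy-map as posted in the thread (indentation restored), and the same
# policy-map with the suggested rates (17 Mbps out / 77 Mbps in).
POSTED = """policy-map policed-traffic
 class policed-traffic
  police output 1000000
  police input 10000000
 class priority-traffic
  priority
"""
SUGGESTED = POSTED.replace("output 1000000", "output 17000000").replace(
    "input 10000000", "input 77000000")


def parse_policers(config):
    """Return {(policy_map, class, direction): rate_bps} for each police line."""
    rates, pmap, cls = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        if words[0] == "policy-map":
            pmap, cls = words[1], None
        elif words[0] == "class" and pmap:
            cls = words[1]
        elif (words[0] == "police" and cls and len(words) >= 3
              and words[1] in ("input", "output") and words[2].isdigit()):
            rates[(pmap, cls, words[1])] = int(words[2])
    return rates


def audit(config, down_bps, up_bps, voice_bps, min_ratio=0.5):
    """Compare each policer with the circuit speed in its direction.

    Assumes the policy is bound to the outside interface: input = download,
    output = upload. min_ratio is an illustrative threshold, not a Cisco value.
    """
    circuit = {"input": down_bps, "output": up_bps}
    findings = []
    for (_pmap, cls, direction), rate in sorted(parse_policers(config).items()):
        headroom = circuit[direction] - rate  # bandwidth left outside the policer
        if rate < circuit[direction] * min_ratio:
            verdict = "throttled"             # policer far below the purchased line
        elif headroom < voice_bps:
            verdict = "no-voice-headroom"     # priority class could be starved
        else:
            verdict = "ok"
        findings.append((cls, direction, rate, headroom, verdict))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        for finding in audit(cfg, 80_000_000, 20_000_000, 640_000):
            print(name, *finding)
```

Against the 80/20 Mbps circuit, the posted rates come out as throttled in both directions, which matches the 9/1 Mbps speed test; the suggested rates leave 3 Mbps of headroom each way.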
ASKER
Excellent, thanks a ton. That fixed us right up.
Can you please post the output of the following
sh proc cpu-usage | ex 0.00
sh memory detail
sh xlate count
sh perfmon
sh int