
ASA 5505 slow download speed


  • ASA 5505 slow download speed

    I have one facility with a 100 Mbps fiber circuit connected to an ASA 5505. When a client is connected through the ASA, speeds average 16 Mbps down and 70+ Mbps up. When connected directly to the router, we get 80 Mbps down.

    Here is the sanitized config:



    : Saved
    : Written by mlsysadmin at 05:43:12.139 CST Fri Mar 6 2015
    !
    ! NOTE(review): the "Written by" header still carries the admin account name;
    ! it is part of what a sanitized copy should mask.
    ASA Version 8.2(5)
    !
    hostname fw01
    domain-name domain.com
    ! Enable and login passwords were masked before posting.
    enable password xxxxxxxx encrypted
    passwd xxxxxxxx encrypted
    names
    ! The outside address is referenced by this name below; its value was masked.
    name x.x.x.x WindStream-External-3100
    !
    ! Ethernet0/0 is the only switch port assigned to VLAN 2 (outside). The other
    ! ports have no switchport line, so presumably they sit in the default VLAN
    ! (inside) - confirm on the device. No speed/duplex lines appear on any port.
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ! Inside (trusted) segment: security-level 100, 172.16.5.0/24.
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.5.254 255.255.255.0
    !
    ! Outside (untrusted) segment: security-level 0, a /29 public subnet.
    interface Vlan2
    nameif outside
    security-level 0
    ip address WindStream-External-3100 255.255.255.248
    !
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    ! NOTE(review): this domain-name was not masked, unlike the global one above.
    domain-name materialogic.com
    ! Lets traffic enter and leave through the same interface (hairpinning).
    same-security-traffic permit intra-interface
    ! Both object-groups are empty and nothing in this listing references them.
    object-group network obj-SrcNet
    object-group network obj-amzn
    ! inside_access_in is bound inbound on the inside interface by the access-group
    ! line further down. ACLs are first-match, so the opening "permit ip any any"
    ! already matches everything and the two TCP entries after it never match.
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
    ! outside_access_in is bound inbound on the outside interface.
    ! NOTE(review): "permit icmp any any" admits every ICMP type from any source;
    ! narrowing it to the types actually needed reduces exposure.
    ! NOTE(review): the entry with source 172.16.5.0/24 uses the inside subnet as a
    ! source on the outside ACL - looks misplaced, confirm intent.
    access-list outside_access_in extended permit ip x.x.x.x 255.255.255.248 172.16.5.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list outside_access_in extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
    access-list outside_access_in extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
    access-list outside_access_in extended permit tcp interface outside 172.16.5.0 255.255.255.0
    ! acl-amzn serves two purposes in this config: the NAT exemption
    ! ("nat (inside) 0") and the crypto map "match address" (interesting traffic).
    access-list acl-amzn extended permit ip any 10.10.0.0 255.255.0.0
    access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
    access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
    access-list acl-amzn extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list acl-amzn extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list acl-amzn extended permit ip 172.16.2.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list acl-amzn extended permit ip 172.16.5.0 255.255.255.0 172.16.2.0 255.255.255.0
    ! amzn-filter is applied as the vpn-filter of group-policy "filter".
    ! NOTE(review): the closing "permit ip any any" makes the two specific entries
    ! redundant, so the filter restricts nothing on the tunnels.
    access-list amzn-filter extended permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
    access-list amzn-filter extended permit icmp 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
    access-list amzn-filter extended permit ip any any
    ! NOTE(review): the ACL name here literally includes the angle brackets, so
    ! this is a different ACL from outside_access_in. No access-group in this
    ! listing references it, so these two entries have no effect. Presumably a
    ! template placeholder that was pasted without substitution - confirm.
    access-list <outside_access_in> extended permit ip host 54.240.217.164 host WindStream-External-3100
    access-list <outside_access_in> extended permit ip host 72.21.209.193 host WindStream-External-3100
    ! inside_mpc feeds class-map NORAND; the ACL named NORAND itself is not
    ! referenced anywhere in this listing.
    access-list inside_mpc extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list NORAND extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    ! outside_cryptomap and inside_nat0_outbound are defined but not referenced by
    ! any crypto map or nat statement shown here (both of those use acl-amzn).
    ! Unused ACLs are worth removing so the effective policy stays readable.
    access-list outside_cryptomap extended permit ip any 10.10.0.0 255.255.0.0
    access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.4.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.16.4.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 172.16.5.0 255.255.255.0 172.16.3.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit tcp 172.17.5.0 255.255.255.0 172.16.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit tcp 172.16.5.0 255.255.255.0 172.17.5.0 255.255.255.0
    pager lines 24
    ! Logging is enabled, but ASDM is the only destination configured in this
    ! listing; no "logging host" line is shown, so events are presumably not
    ! shipped off the box - confirm.
    logging enable
    logging timestamp
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    ! These control ICMP addressed to the ASA's own interfaces. "any outside"
    ! means the firewall itself answers ICMP from any internet source.
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    ! NAT: traffic matching acl-amzn is exempt from translation (nat 0);
    ! everything else from inside is PATed to the outside interface address.
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list acl-amzn
    nat (inside) 1 0.0.0.0 0.0.0.0
    ! Bind the interface ACLs (inbound direction on each interface).
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    ! NOTE(review): the default gateway was left unmasked. With the /29 mask on
    ! the outside interface, it places the masked outside address in a very small
    ! range, which defeats much of the masking.
    route outside 0.0.0.0 0.0.0.0 40.139.91.233 1
    ! Three more inside subnets are reached through 172.16.5.1.
    route inside 172.16.2.0 255.255.255.0 172.16.5.1 1
    route inside 172.16.3.0 255.255.255.0 172.16.5.1 1
    route inside 172.16.4.0 255.255.255.0 172.16.5.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ! SSH and HTTPS (ASDM) management logins are checked against the local user
    ! database only.
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    ! NOTE(review): the HTTPS management server is enabled with a 1440-minute idle
    ! timeout, so an abandoned ASDM session stays valid for a full day.
    http server enable
    http server idle-timeout 1440
    ! Allowed management sources. 192.168.1.0/24 does not match the inside
    ! addressing used elsewhere in this config - presumably a leftover default.
    ! NOTE(review): two internet hosts may reach the management server on the
    ! outside interface; their addresses were not masked.
    http 192.168.1.0 255.255.255.0 inside
    http 172.16.0.0 255.255.0.0 inside
    http 216.43.24.82 255.255.255.255 outside
    http 64.199.141.26 255.255.255.255 outside
    ! NOTE(review): the SNMP community string was posted unmasked. Community-based
    ! SNMP sends this string in clear text, so it should be treated as exposed
    ! and changed.
    snmp-server host inside 10.10.10.20 community mlogic
    snmp-server location 3100 Communications room
    no snmp-server contact
    snmp-server community mlogic
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    ! Clamps the TCP MSS to 1387 bytes; this is a global sysopt, so it is not
    ! limited to tunnel traffic.
    sysopt connection tcpmss 1387
    ! ICMP echo to 10.10.0.1 via the outside interface every 5 seconds, scheduled
    ! to run forever; presumably a keepalive for the VPN tunnel - confirm.
    sla monitor 1
    type echo protocol ipIcmpEcho 10.10.0.1 interface outside
    frequency 5
    sla monitor schedule 1 life forever start-time now
    ! IPsec phase 2 proposal: ESP with AES and HMAC-SHA.
    crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec security-association replay window-size 128
    ! Clears the DF bit on encapsulated packets leaving the outside interface so
    ! they can be fragmented.
    crypto ipsec df-bit clear-df outside
    ! NOTE(review): two crypto maps are defined. "amzn_vpn_map" (no brackets) has a
    ! match ACL, PFS and peers but no transform-set, and is not applied to any
    ! interface in this listing. The map named "<amzn_vpn_map>", brackets
    ! included, carries the transform-set and is the one bound to outside. The
    ! brackets look like an unsubstituted template placeholder; dropping the
    ! unused map and renaming the active one would remove the ambiguity.
    ! "set pfs" gives no group, so the platform default applies (presumably
    ! group 2 on this release - confirm).
    crypto map amzn_vpn_map 1 match address acl-amzn
    crypto map amzn_vpn_map 1 set pfs
    crypto map amzn_vpn_map 1 set peer 54.240.217.164 72.21.209.193
    crypto map <amzn_vpn_map> 1 match address acl-amzn
    crypto map <amzn_vpn_map> 1 set pfs
    crypto map <amzn_vpn_map> 1 set peer 54.240.217.164 72.21.209.193
    crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
    crypto map <amzn_vpn_map> interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    ! IKE phase 1 policy: pre-shared key, AES, SHA, Diffie-Hellman group 2.
    ! NOTE(review): group 2 is a 1024-bit group and "sha" is SHA-1; both are below
    ! current recommendations. A stronger group and hash are preferable where the
    ! software release and the peer support them.
    crypto isakmp policy 201
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
    telnet timeout 5
    ! SSH management: the inside /16 plus two masked outside hosts.
    ssh 172.16.0.0 255.255.0.0 inside
    ssh x.x.x.x 255.255.255.255 outside
    ssh x.x.x.x 255.255.255.255 outside
    ssh timeout 5
    ! NOTE(review): timeout 0 disables the console idle timeout, so a logged-in
    ! console session never expires.
    console timeout 0
    ! Lets the inside interface be managed across a VPN tunnel.
    management-access inside
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! No NTP authentication key is configured for this server.
    ntp server 216.171.120.36 source outside
    webvpn
    ! Group policy used by both site-to-site tunnel groups below; its vpn-filter
    ! points at the amzn-filter ACL.
    group-policy filter internal
    group-policy filter attributes
    vpn-filter value amzn-filter
    ! NOTE(review): unlike the enable/login passwords, this account's password hash
    ! was posted unmasked. A published hash can be attacked offline, so the
    ! password should be treated as exposed and changed.
    username mlsysadmin password E9OpTNVP3nVbSPSb encrypted privilege 15
    username mlsysadmin attributes
    vpn-group-policy DfltGrpPolicy
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    ipv6-vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec svc
    password-storage disable
    group-lock none
    ! Site-to-site tunnel to the first peer.
    ! NOTE(review): the pre-shared key below appears in clear text in this posted
    ! config, next to the peer address. It should be treated as compromised and
    ! rotated on both ends; a sanitized copy should mask it.
    tunnel-group 54.240.217.164 type ipsec-l2l
    tunnel-group 54.240.217.164 general-attributes
    default-group-policy filter
    tunnel-group 54.240.217.164 ipsec-attributes
    pre-shared-key IySxccNmUch6G3dVSgEwBjjGX7bOAcO3
    isakmp keepalive threshold 10 retry 3
    ! Site-to-site tunnel to the second peer.
    ! NOTE(review): this pre-shared key is also exposed in clear text and needs the
    ! same rotation.
    tunnel-group 72.21.209.193 type ipsec-l2l
    tunnel-group 72.21.209.193 general-attributes
    default-group-policy filter
    tunnel-group 72.21.209.193 ipsec-attributes
    pre-shared-key vy.pOkCV01pEtmxe.QNk96xK6Uo_2tD.
    isakmp keepalive threshold 10 retry 3
    !
    !
    ! Class NORAND matches the inside_mpc ACL (172.16.0.0/16 to 172.16.0.0/16).
    class-map NORAND
    match access-list inside_mpc
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    ! Global application inspection for the default inspection traffic class.
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    ! NOTE(review): for traffic in class NORAND this turns off TCP sequence-number
    ! randomization and enables TCP state bypass, so those flows skip the ASA's
    ! stateful TCP checks. The match is a whole /16 in both directions; a
    ! narrower ACL would limit how much traffic loses that protection.
    policy-map NORAND
    class NORAND
    set connection random-sequence-number disable
    set connection advanced-options tcp-state-bypass
    ! Shapes all traffic (class-default) to an average of 100000000 bit/s; the
    ! policy is attached to the outside interface below.
    policy-map TRAFFIC_SHAPING
    class class-default
    shape average 100000000
    !
    ! Policy attachment: inspection globally, NORAND on inside, shaping on outside.
    service-policy global_policy global
    service-policy NORAND interface inside
    service-policy TRAFFIC_SHAPING interface outside
    smtp-server 206.225.164.242
    prompt hostname context
    no call-home reporting anonymous
    : end

  • #2
    Re: ASA 5505 slow download speed

    I'll also add that we have identical setups at other facilities that get expected speeds through an identical ASA with the same firmware and config.
