ASA getting half upload speed to ISP

phoeneous Member Posts: 2,333
Just got a new 10M circuit installed a few days ago and noticed that when doing bandwidth tests I am getting 9.85 down but only 4.5 up. I plugged directly into the ISP's Adtran with my laptop and I can hit 10/10 consistently. Not sure what's causing the ASA to get half upload speed. I set the interface speed and duplex to 100/full but that didn't help, so I set it back to auto/auto. Thoughts? See config below. We aren't doing any QoS on it.
5510# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname 5510
domain-name company.com
dns-guard
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address X.X.X.106 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address X.X.80.250 255.255.255.0
!
interface Ethernet0/2
 nameif test
 security-level 100
 ip address X.X.81.250 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host X.X.X. eq 8284
access-list outside_access_in extended permit tcp any host X.X.X..108 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any host X.X.X.106 eq 3390
access-list outside_access_in extended permit tcp any host X.X.X.106 eq 3391
access-list outside_access_in extended permit tcp any host X.X.X.106 eq 500
access-list outside_access_in extended permit tcp any host X.X.X.106 eq 3392
access-list outside_access_in extended permit tcp any host X.X.X.106 eq https
access-list outside_access_in extended permit tcp any host X.X.X.106 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.106 eq www
access-list inside_nat0_outbound extended permit ip X.X.80.0 255.255.255.0 X.X.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip X.X.80.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip X.X.80.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any X.X.0.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip any X.X.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any X.X.50.48 255.255.255.240
access-list mysplit_tunnel standard permit X.X.80.0 255.255.255.0
access-list mysplit_tunnel standard permit 10.100.0.0 255.255.0.0
access-list mysplit_tunnel standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor warnings
logging buffered errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu test 1500
ip local pool myVPNpool X.X.50.50-X.X.50.60 mask 255.255.255.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 mailserver 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https mailserver https netmask 255.255.255.255
static (inside,outside) tcp interface www mailserver www netmask 255.255.255.255
static (inside,outside) tcp X.X.X.108 3389 tserver 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.105 1
route inside X.X.70.0 255.255.255.0 X.X.80.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy myVPN internal
group-policy myVPN attributes
 wins-server value X.X.80.1
 dns-server value X.X.80.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mysplit_split_tunnel
 default-domain value company.com
 webvpn
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group myvpn type ipsec-ra
tunnel-group myvpn general-attributes
 address-pool myvpnpool
 default-group-policy myvpn
tunnel-group myvpn ipsec-attributes
 pre-shared-key *
telnet X.X.80.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh X.X.80.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
policy-map global_policy
!
ntp server X.X.80.1 source inside prefer
smtp-server X.X.80.3
Cryptochecksum:94f4ee83a554ff941878b07a70e5d04a
: end
5510#

Comments

  • cisco_trooper Member Posts: 1,441
    This is unrelated to your question, but do you realize you have allowed EVERYONE to establish a connection to this firewall on port 22 and port 80, from OUTSIDE?
  • phoeneous Member Posts: 2,333
    cisco_trooper wrote: »
    This is unrelated to your question, but do you realize you have allowed EVERYONE to establish a connection to this firewall on port 22 and port 80, from OUTSIDE?

    Where do you see that?
  • cisco_trooper Member Posts: 1,441
    http 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 outside
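    A check for the exposure cisco_trooper points out, added here as an example and not code from the thread: it parses a constructed excerpt modelled on the posted config, maps each nameif to its security-level, and flags any http/ssh/telnet line that opens management access to 0.0.0.0 0.0.0.0 on a security-level 0 interface. The 10.1.80.0 subnet in the sample stands in for the redacted X.X.80.0.

```python
import re

# Constructed excerpt modelled on the ASA 7.0 config posted in the thread
# (addresses are placeholders, not the poster's).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.80.0 255.255.255.0 inside
telnet 10.1.80.0 255.255.255.0 inside
"""


def interface_levels(config):
    """Map each nameif to its security-level from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+security-level (\d+)", line)
        if m and name:
            levels[name] = int(m.group(1))
    return levels


def exposed_management(config):
    """Return (service, interface) pairs where http/ssh/telnet is permitted
    from any source (0.0.0.0 0.0.0.0) on a security-level 0 interface."""
    levels = interface_levels(config)
    findings = []
    for line in config.splitlines():
        # Only the 4-token access form matches; 'http server enable' and
        # 'ssh timeout 30' have three tokens and are skipped.
        m = re.match(r"(http|ssh|telnet) (\S+) (\S+) (\S+)$", line)
        if not m:
            continue
        svc, net, mask, ifname = m.groups()
        if net == "0.0.0.0" and mask == "0.0.0.0" and levels.get(ifname) == 0:
            findings.append((svc, ifname))
    return findings


if __name__ == "__main__":
    for svc, ifname in exposed_management(SAMPLE_CONFIG):
        print(f"{svc} open to any source on '{ifname}' (security-level 0)")
```

    The fix the thread implies is to drop these lines and allow management only from the inside subnet, as the existing `ssh X.X.80.0 255.255.255.0 inside` line already does.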
  • phoeneous Member Posts: 2,333
    Right... thanks. I didn't configure it, but didn't realize it either.
  • SteveO86 Member Posts: 1,423
    Any interface errors under the sh int output (collisions/CRC/Input Errors/etc)?
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • phoeneous Member Posts: 2,333
    SteveO86 wrote: »
    Any interface errors under the sh int output (collisions/CRC/Input Errors/etc)?

    I only see one CRC on the inside interface which is connected to our 2801.
    5510# sh int
    Interface Ethernet0/0 "outside", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            MAC address 0019.2f83.4aa2, MTU 1500
            IP address X.X.X.106, subnet mask 255.255.255.248
            273065955 packets input, 252013860604 bytes, 0 no buffer
            Received 714505 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 L2 decode drops
            203360592 packets output, 55754240618 bytes, 0 underruns
            0 output errors, 0 collisions
            0 late collisions, 0 deferred
            input queue (curr/max blocks): hardware (0/0) software (0/0)
            output queue (curr/max blocks): hardware (0/36) software (0/0)
      Traffic Statistics for "outside":
            273065907 packets input, 246917766963 bytes
            203360592 packets output, 51438995451 bytes
            1668504 packets dropped
          1 minute input rate 38 pkts/sec,  31557 bytes/sec
          1 minute output rate 29 pkts/sec,  6942 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 41 pkts/sec,  31416 bytes/sec
          5 minute output rate 33 pkts/sec,  7445 bytes/sec
          5 minute drop rate, 0 pkts/sec
     
    Interface Ethernet0/1 "inside", is up, line protocol is up
      Hardware is i82546GB rev03, BW 100 Mbps
            Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
            MAC address 0019.2f83.4aa3, MTU 1500
            IP address X.X.80.250, subnet mask 255.255.255.0
            227183609 packets input, 59018029083 bytes, 0 no buffer
            Received 24789931 broadcasts, 0 runts, 0 giants
            0 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
            0 L2 decode drops
            270276237 packets output, 250686929112 bytes, 0 underruns
            0 output errors, 0 collisions
            0 late collisions, 0 deferred
            input queue (curr/max blocks): hardware (0/0) software (0/0)
            output queue (curr/max blocks): hardware (0/45) software (0/0)
      Traffic Statistics for "inside":
            227183420 packets input, 54256910459 bytes
            270276237 packets output, 245637937871 bytes
            18393031 packets dropped
          1 minute input rate 31 pkts/sec,  7033 bytes/sec
          1 minute output rate 37 pkts/sec,  31466 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 35 pkts/sec,  7567 bytes/sec
          5 minute output rate 41 pkts/sec,  31338 bytes/sec
          5 minute drop rate, 0 pkts/sec
    
  • phoeneous Member Posts: 2,333
    During these tests I was connected like this: ISP > ASA > 2801 > 2950 > Me. I decided to try this: ISP > ASA > Me. When connected like that I get 10 down and 10 up. Looks like the problem isn't the ASA after all...

    Later I'm going to try ISP > ASA > 2801 > Me to see if I can isolate the problem. At this point it is either the 2801 or the 2950.
  • SteveO86 Member Posts: 1,423
    The joy of troubleshooting.. Putting the spotlight on one device, then finding out it's another device elsewhere in the building.
  • phoeneous Member Posts: 2,333
    Yeah, tell me about it... I just hope it doesn't end up being a chatty workstation infected with the half_upload_virus or something.
  • SteveO86 Member Posts: 1,423
    NetFlow / top talkers should be able to help you rule that out. It should classify most traffic from your users, and top talkers will show you the most chatty clients.
  • cisco_trooper Member Posts: 1,441
    You need to look at each interface between your LAN and the outside interface of your edge device. Look for collisions, CRCs, drops, etc. Make sure each link is running at the speed and duplex you expect.
  • phoeneous Member Posts: 2,333
    cisco_trooper wrote: »
    You need to look at each interface between your LAN and the outside interface of your edge device. Look for collisions, CRCs, drops, etc. Make sure each link is running at the speed and duplex you expect.

    I already did and everything looks fine.

    I actually made an interesting discovery last night. I plugged my non-domain joined XP laptop into each of our switches and did the speed test. My results? 10 down and 10 up consistently! I then plugged in a non-domain joined Debian laptop and got the same results, 10 and 10. Finally I ran the test from a non-domain joined Mac and of course it got 10 and 10. It looks like this issue is only affecting hosts that are joined to the domain... I tested it on 4 domain servers and 15 domain workstations, and each of them got 10 down and 5 up.

    We used to have a web filter proxy but not anymore. I pointed the hosts to it via group policy but have long since removed that policy, and the hosts go directly to the internet. I searched the registry but couldn't find anything that stood out. Thoughts?
  • SteveO86 Member Posts: 1,423
    Are domain members and non-domain members using the same DNS servers?

    Certainly is an interesting issue...
  • phoeneous Member Posts: 2,333
    SteveO86 wrote: »
    Are domain members and non-domain members using the same DNS servers?

    Certainly is an interesting issue...

    Yup, that was the first thing I looked at. With the three non-domain devices I first pointed DNS to the public resolvers our ISP provides. Ran the test and got 10/10. Then I pointed it to internal DNS and got the same results. Confirmed with nslookup that it was hitting the right DNS box.

    I've actually narrowed it down to our AV....
    When I unload the Trend Micro client I get 10/10 on any domain workstation. When I load the client, 10/5.
  • SteveO86 Member Posts: 1,423
    Gotta love coincidence..

    One of my small branch routers (2811) with only a dozen or so client users spiked over 60% CPU usage (for some time).. Turns out a client was downloading antivirus updates at a constant 80 MB/s of throughput... Cut the client off and everything went back to normal.
  • tiersten Member Posts: 4,505
    SteveO86 wrote: »
    One of my small branch routers (2811) with only a dozen or so client users spiked over 60% CPU usage (for some time).. Turns out a client was downloading antivirus updates at a constant 80 MB/s of throughput... Cut the client off and everything went back to normal.

    If it's more than a handful of machines then I insist that they put a server for centralised patch and update management at that location. I've tried it without, and the connections just die when Windows Patch Tuesday rolls around and each machine is trying to download 100MB worth of updates at the same time.
  • phoeneous Member Posts: 2,333
    tiersten wrote: »
    If it's more than a handful of machines then I insist that they put a server for centralised patch and update management at that location. I've tried it without, and the connections just die when Windows Patch Tuesday rolls around and each machine is trying to download 100MB worth of updates at the same time.

    Agreed. I have a WSUS box at each of our sites to handle that traffic.
  • phoeneous Member Posts: 2,333
    So now the Trend Micro "engineers" are telling me that this operation is "normal". 50% loss of bandwidth is normal?! wtf?!
  • down77 Member Posts: 1,009
    SteveO86 wrote: »
    NetFlow / top talkers should be able to help you rule that out. It should classify most traffic from your users, and top talkers will show you the most chatty clients.

    +1. One of my biggest recommendations to clients is to understand your environment and most importantly, the information flowing through the network... not just the aggregate bandwidth.
    CCIE Sec: Starting Nov 11