Cisco ASA 5510 killing our internet speeds, tracert not "working."
Oh, the fun never stops for the never-ending upgrade. It seems our internet connection is terribly slow now. I've gone from 48/22 at 8ms to 14/2 with a 57ms ping to the internet. No idea where to begin with this one.... The only thing I can think of is we added a VPN... it's not being used though. However, our other site is also terribly slow after the ASA install and they do not have any VPNs. Also, tracert doesn't seem to be working for me either. Here's what I get back:
C:\Documents and Settings\tdean>tracert 4.2.2.2
Tracing route to vnsc-bak.sys.gtei.net [4.2.2.2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.22.1.240
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 73 ms 68 ms 69 ms vnsc-bak.sys.gtei.net [4.2.2.2]
Trace complete.
Here's the ASA interface info. Doesn't look like there are any errors....
Result of the command: "show int"
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: Comcast Internet
MAC address f866.f2b1.49e6, MTU 1500
IP address 75.xxx.xxx.73, subnet mask 255.255.255.248
137118905 packets input, 24434570591 bytes, 0 no buffer
Received 3734 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
233919164 packets output, 314114341043 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
1 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/193)
Traffic Statistics for "outside":
137118904 packets input, 21249632991 bytes
233919164 packets output, 309856239218 bytes
190266 packets dropped
1 minute input rate 260 pkts/sec, 11005 bytes/sec
1 minute output rate 500 pkts/sec, 672901 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 275 pkts/sec, 13728 bytes/sec
5 minute output rate 508 pkts/sec, 673223 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/1 "tcxxxxxx", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: TCxxxxx Lan
MAC address xxxxxxxxx, MTU 1500
IP address 172.22.1.234, subnet mask 255.255.255.0
233898505 packets input, 313843754259 bytes, 0 no buffer
Received 1385031 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
137940641 packets output, 24261875824 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
3 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/200)
Traffic Statistics for "tcxxxxxx":
233898071 packets input, 309586054746 bytes
137940641 packets output, 21061631825 bytes
956037 packets dropped
1 minute input rate 499 pkts/sec, 673225 bytes/sec
1 minute output rate 322 pkts/sec, 17605 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 492 pkts/sec, 672546 bytes/sec
5 minute output rate 305 pkts/sec, 16029 bytes/sec
5 minute drop rate, 1 pkts/sec
Interface Ethernet0/2 "dmz", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
MAC address xxxxxxxxxx, MTU 1500
IP address 192.168.10.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Traffic Statistics for "dmz":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/3 "unused", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
MAC address xxxxxxxxx, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Traffic Statistics for "unused":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Management0/0 "management", is down, line protocol is down
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
MAC address xxxxxxx, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
Any ideas???
Comments
cisco_trooper Member Posts: 1,441
Check for speed / duplex mismatch on the equipment connected to your inside and outside interfaces.
tdean Member Posts: 520
Hi trooper, I did that and we're getting 0 errors on the gateway router or the LAN switch.
TesseracT Member Posts: 167
Any MTU changes at all? I've seen similar symptoms to yours from misconfigured MTU.
Zartanasaurus Member Posts: 2,008
You have an IPS module installed?
MAC_Addy Member Posts: 1,740
Do you have access lists set up? If so, are they blocking ICMP?
It might help if you listed the show running-config as well.
tdean Member Posts: 520
Hi guys... let me do my best to answer. I'm not the one that set these up, and I contacted the guy that did, but he claims to be too busy to help now...
How would I diagnose MTU misconfigurations?
No IPS modules I am aware of.
ICMP could be blocked, but that wouldn't affect all the tracert hops, would it?
As far as I know, all the defaults are still running... We had an issue with our POP3 email at first and I disabled ESMTP inspection and things were fine after that.
I will post the running config in the next post.
tdean Member Posts: 520
Result of the command: "show run"
: Saved
:
ASA Version 8.2(4)1
!
hostname asa5510
domain-name tcxxx.com
enable password AtZdPYziKTyHRqbO encrypted
passwd AtZdPYziKTyHRqbO encrypted
no names
name 172.22.1.0 Hyannis_LAN
name 10.10.10.0 Link_to_WG
name 172.22.0.0 TCxxx_Internal_Nets
!
interface Ethernet0/0
description Comcast Internet
nameif outside
security-level 0
ip address 75.xxx.xxx.73 255.255.255.248
!
interface Ethernet0/1
description TCxxx Lan
speed 100
duplex full
nameif tcxxx
security-level 50
ip address 172.22.1.234 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 10
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif unused
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa824-1-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 172.22.1.7
name-server 172.22.1.92
domain-name xxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply
access-list lan_nat0_outbound remark No NAT to MDxxxxx via VPN
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 host 192.168.100.16
access-list lan_nat0_outbound remark No NAT for VPN Clients
access-list lan_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list lan_nat0_outbound remark No NAT to Sandwich via VPN
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list lan_nat0_outbound remark No NAT to Ixxx Hosting
access-list lan_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.22.0.0 255.255.0.0 host 192.168.100.16
access-list lan_access_out extended permit ip any any
access-list mdaxxxxx_vpn_filter extended permit ip host 192.168.100.16 host 172.22.1.80
access-list VPNClient_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list VPNClient_splitTunnelAcl standard permit 10.50.70.0 255.255.255.252
access-list VPNClient_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list VPNClient_splitTunnelAcl standard permit host 172.22.1.80
access-list outside_cryptomap extended permit ip 172.22.1.0 255.255.255.0 172.22.4.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.22.1.0 255.255.255.0 172.18.1.0 255.255.255.0
pager lines 500
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu tcsma 1500
mtu dmz 1500
mtu unused 1500
mtu management 1500
ip local pool RemotePool 192.168.200.1-192.168.200.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any tcxxx
icmp permit any dmz
icmp permit any management
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (tcsma) 0 access-list lan_nat0_outbound
nat (tcsma) 1 172.22.1.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group lan_access_out in interface tcsma
route outside 0.0.0.0 0.0.0.0 75.xxx.xxx.78 1
route tcsma 172.22.2.0 255.255.255.0 172.22.1.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8081
http 192.168.10.0 255.255.255.0 dmz
http 0.0.0.0 0.0.0.0 tcxxx
http 71.xxx.xx.232 255.255.255.255 outside
http 173.x.xx.213 255.255.255.255 outside
http 173.xx.xxx.125 255.255.255.255 outside
http redirect outside 80
snmp-server host outside 71.xxx.xx.232 poll community *****
snmp-server location Telco Room
snmp-server contact TDean at XXXXXXXsts
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 64.xxx.xxx.180
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 173.xx.xxx.125
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer 207.xxx.xx.31
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.tcxxx.com
subject-name CN=vpn.tcxxx.com,OU=IT,O=The xxxxxxx xxxxxxxx,C=US,St=MA,L=Hyannis
keypair vpnsslcert.key
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 07f75c9a1b2d75
30820559 30820441 a0030201 02020707 f75c9a1b 2d75300d 06092a86 4886f70d
01010505 003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
dd ad976c33 REMOVED
546e672f 60ebfbf3 3c07552d 4a0eb144 b68887bc 32c4437a 30ec40bc 45
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0301
fc bf144c0e cc6ec4df REMOVED
3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 71.xxx.xx.232 255.255.255.255 outside
ssh 173.xx.xxx.125 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 4.2.2.1 4.2.2.2
!
dhcpd address 192.168.10.5-192.168.10.20 dmz
dhcpd dns 4.2.2.1 4.2.2.2 interface dmz
dhcpd update dns both override interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
url-list value RemoteAccess
svc ask none default webvpn
group-policy vpn_to_sandwich internal
group-policy vpn_to_sandwich attributes
vpn-filter none
vpn-tunnel-protocol IPSec
group-policy VPNClient internal
group-policy VPNClient attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNClient_splitTunnelAcl
group-policy vpn_to_ihs internal
group-policy vpn_to_ihs attributes
vpn-filter none
vpn-tunnel-protocol IPSec
***SSL Users Removed***
webvpn
url-list value RemoteAccess
tunnel-group 64.xxxxxx.180 type ipsec-l2l
tunnel-group 64.xxxxx.180 general-attributes
default-group-policy mdabstract-vpn
tunnel-group 64.xxxxx.180 ipsec-attributes
pre-shared-key *****
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool RemotePool
default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared-key *****
tunnel-group 173.xxxx125 type ipsec-l2l
tunnel-group 173.xxxxx.125 general-attributes
default-group-policy vpn_to_sandwich
tunnel-group 173.xxxxx.125 ipsec-attributes
pre-shared-key *****
tunnel-group 207.xxx.31 type ipsec-l2l
tunnel-group 207.xxxxx.31 general-attributes
default-group-policy vpn_to_ihs
tunnel-group 207.xxx31 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ccf61f1a248d3858a93efa68354ddb4
: end
tdean Member Posts: 520
Running config of our default gateway router, which is one side of our P2P EVPL to one of our remote sites. Not sure if you will see anything out of the ordinary.... I'm getting snow-blind looking at this stuff.
User Access Login
Password:
Hyannis>en
Password:
Hyannis#show run
Building configuration...
!
!
! ADTRAN, Inc. OS version 18.01.01.00
! Boot ROM version 17.06.01.00
! Platform: NetVanta 3430, part number 1202820G1
! Serial number LBADTN1130AF995
!
!
hostname "Hyannis"
enable password Axxxxx
!
clock timezone -1-Cape-Verde
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
ip domain-proxy
!
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "xxxxx" password "pxxx"
!
!
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
!
!
!
no ethernet cfm
!
interface eth 0/1
speed 100
encapsulation 802.1q
no shutdown
!
interface eth 0/1.37xx
vlan-id 37xx
ip address 1.1.1.1 255.255.255.0
no shutdown
!
interface eth 0/2
speed 100
ip address 172.22.1.240 255.255.255.0
no shutdown
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 172.22.1.234
ip route 128.1.0.0 255.255.0.0 172.22.1.3
ip route 172.17.150.0 255.255.255.0 172.22.1.3
ip route 172.22.2.0 255.255.255.0 1.1.1.2
ip route 172.23.10.0 255.255.255.0 172.22.1.3
!
no tftp server
no tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
password Axxxxxx
!
line telnet 0 4
login
password pxxxxx
no shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
!
!
!
end
Hyannis#
tdean Member Posts: 520
Connect a PC to the Adtran and give your PC a static IP. Is your internet still slow if you bypass the ASA?
The way it's set up, connecting to the Adtran won't give me that. The Adtran kicks all non-EVPL traffic out and over to the ASA. I am plugged straight in on our secondary circuit, which we plan to use for redundancy, and I'm getting good ping times (~8ms) but still only 8/2 instead of 20/10.
My FW guy just sent me this...
So looking at the traffic load on the ASA right now, it appears it's pushing a pretty consistent 5200 kbps on the outside interface, outbound. I see peaks of 8000 kbps. And we are at lunch.
That translates into 40 to 60 Mbps download. So my guess is that you are nearing your max on that pipe. How? I don't know. The VPNs probably take a LOT of it. Especially (company X).
When Comcast is there, ask them if they can get a quick average load over a few minutes. For the record, the ASA5510 is rated to a max of 300 Mbps total combined on all interfaces, in and out. Right now it's got a pretty good average of around 50-80 Mbps total. Well within the limits of its performance.
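Two things in this thread can be checked mechanically from the output already posted, and the script below is an added example for doing that; it is not code from the thread or from Cisco, and its two sample strings are constructed by abridging the "show int" and "show run" output above (the LAN interface name is kept as the redacted "tcxxxxxx" the poster used). First, the throughput figures: "show int" reports rates in bytes/sec, so the 5 minute output rate of 673223 bytes/sec on "outside" is 673223 x 8, about 5.39 Mbit/s of upstream traffic, and the matching 672546 bytes/sec input on the LAN side shows that load is coming from the LAN rather than from the tunnels terminating on the ASA itself. The 5 minute figures are averages, so peaks will be higher, but they are the number to compare with the circuit's rated speed. The non-zero drop rate on the LAN interface is worth a `show asp drop`, which gives the per-reason drop counters. Second, the tracert pattern (hop 1 answers, hops 2 to 12 time out, the destination answers) is what an ASA produces when its outside ACL admits only echo-reply: the ICMP time-exceeded messages that intermediate routers send back have no matching permit and are dropped, while the destination's echo-reply is permitted, so only the last hop shows. The stateful fix on ASA 8.2 is `inspect icmp` plus `inspect icmp error` under `policy-map global_policy` / `class inspection_default`; the stateless alternative is to add `permit icmp any any time-exceeded` and `permit icmp any any unreachable` to the inbound ACL. With either fix the ASA still does not appear as a hop itself unless `set connection decrement-ttl` is configured, which the script reports but does not require. The function names and the reporting format are this example's own.

```python
import re

# Constructed samples, abridged from the "show int" and "show run" output posted
# in this thread (interface names kept as redacted there); only the fields the
# checks below read are retained.
SHOW_INT = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Traffic Statistics for "outside":
190266 packets dropped
5 minute input rate 275 pkts/sec, 13728 bytes/sec
5 minute output rate 508 pkts/sec, 673223 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/1 "tcxxxxxx", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Traffic Statistics for "tcxxxxxx":
956037 packets dropped
5 minute input rate 492 pkts/sec, 672546 bytes/sec
5 minute output rate 305 pkts/sec, 16029 bytes/sec
5 minute drop rate, 1 pkts/sec
"""
SHOW_RUN = """\
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""
_IFACE = re.compile(r'^Interface \S+ "([^"]+)", is (.+?), line protocol is', re.M)

def _num(body, pattern):
    """First integer captured by pattern in body, or 0 when that line is absent."""
    m = re.search(pattern, body)
    return int(m.group(1)) if m else 0

def parse_show_interface(text):
    """Per-interface 5-minute rates in Mbit/s (bytes/sec * 8), drops and error counters."""
    stats, heads = {}, list(_IFACE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.start():end]
        stats[h.group(1)] = {
            "state": h.group(2),
            # "Auto-Duplex" means negotiated; anything else was forced with speed/duplex commands
            "duplex": "auto" if "Auto-Duplex" in body else "forced",
            "in_mbps": _num(body, r"5 minute input rate \d+ pkts/sec, (\d+) bytes/sec") * 8 / 1e6,
            "out_mbps": _num(body, r"5 minute output rate \d+ pkts/sec, (\d+) bytes/sec") * 8 / 1e6,
            "drop_pps": _num(body, r"5 minute drop rate, (\d+) pkts/sec"),
            "dropped_total": _num(body, r"(\d+) packets dropped"),
            "input_errors": _num(body, r"(\d+) input errors"),
            "crc": _num(body, r"(\d+) CRC"),
        }
    return stats

def traceroute_audit(run_config):
    """Can ICMP time-exceeded from intermediate hops get back in through 'outside'?"""
    m = re.search(r"^\s*access-group (\S+) in interface outside\s*$", run_config, re.M)
    acl = m.group(1) if m else None
    allowed = set(re.findall(rf"^\s*access-list {re.escape(acl)} extended permit icmp any any (\S+)\s*$",
                             run_config, re.M)) if acl else set()
    cmds = {l.strip() for l in run_config.splitlines()}
    inspected = [c for c in ("inspect icmp", "inspect icmp error") if c in cmds]
    # Replies pass if ICMP inspection tracks the echo and admits related errors,
    # or if the inbound ACL admits them statelessly.
    passes = len(inspected) == 2 or {"time-exceeded", "unreachable"} <= allowed
    return {
        "outside_acl": acl,
        "inbound_icmp_types": allowed,
        "traceroute_replies_pass": passes,
        "asa_visible_as_hop": "set connection decrement-ttl" in cmds,
        "fix": [] if passes else [c for c in ("inspect icmp", "inspect icmp error") if c not in inspected],
    }

def report(stats, audit):
    """Findings for the two symptoms in the thread, one line each."""
    out = []
    for name, s in stats.items():
        out.append(f"{name}: in {s['in_mbps']:.2f} Mbit/s, out {s['out_mbps']:.2f} Mbit/s, drops "
                   f"{s['drop_pps']} pkt/s ({s['dropped_total']} total), errors {s['input_errors']}, "
                   f"CRC {s['crc']}, duplex {s['duplex']}")
        if s["drop_pps"]:
            out.append(f"  {name}: non-zero drop rate; 'show asp drop' gives the per-reason counters")
    if not audit["traceroute_replies_pass"]:
        out.append(f"outside ACL {audit['outside_acl']} permits only "
                   f"{', '.join(sorted(audit['inbound_icmp_types'])) or 'no ICMP'}; time-exceeded from "
                   "intermediate hops is dropped, so tracert shows '*' until the destination's echo-reply")
        out.append("fix under policy-map global_policy / class inspection_default: " + "; ".join(audit["fix"]))
    return out

if __name__ == "__main__":
    print("\n".join(report(parse_show_interface(SHOW_INT), traceroute_audit(SHOW_RUN))))
```

Run against the posted output it reports about 0.11 Mbit/s in and 5.39 Mbit/s out on "outside", a 1 pkt/s drop rate on the LAN interface, and that `outside_access_in` permits only echo-reply, with the two inspection commands as the fix. Paste in a fuller "show int" (all interfaces) or the complete running config and the same functions apply unchanged; the ACL regex assumes the 8.2 `any any` form shown in the thread.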