slow network speeds behind firewall

[Pantlegz]

So We got the ASA all hooked and and everything running a little while back and everything has been fine but lately we've noticed that our download speeds have been less that ideal. Our internet connection through the local university is a shared 45mbit conection. Outside the firewall we're getting ~45mbit/sec but behind the firewall it's 4-6mbit/sec. Neither the routher or ASA seem to be taxed at all when checking their status with the (A)SDM they'll peak at 1-2% cpu usage and memory on the ASA is 10% the router is always below 5% I can't figure out what the problem could be. The main swich is using 1% of it's cpu and about 50% of it's RAM but still not enough that I think it would be causing issues, not this extreme. The really strange thing, to me, is the fact that our upload speed is normal 40-50mbit/sec. Any Ideas? Spidey?

 

[spidey07]

Duplex mismatch would give those symptoms. Check ports and make sure they're set to autonegotiate as well as the other end.

 

[Pantlegz]

speed and duplex are both set to auto on both ends, the connection is coming into our fiber switch which also has ethernet ports on it. I checked both ends and they're correct. I even tried switching the ports the cables were pulgged into as we have a network inside the building that's outside the firewall and still got the same results.

 

[jlazzaro]

try hard coding both ends. any interface errors, drops, etc? swapped any cables yet? have you analyzed/compared a packet capture from both the working and impaired connections?

also, which ASA model and code?

 

[Pantlegz]

I hard coded the asa, I'm trying to get the password for the old fiber switch. It's not out default so I may not be able to get into it but I'll try. it's an asa 5510. Capturing packets on both ends will be a huge pain in the ass but I can try. the issue will mostly be getting a machine that's not already wired into the switch over there and somewhere I'm able to get to it.

 

[Pantlegz]

ok both ends set manually and same thing. I ran wireshark on my machine, behind the firewall and there's nothing abnormal that I could find.

 

[Pantlegz]

So I think it's an issue with the router. When I go to the server vlan I'm able to get decent transfer rates inside but if I'm on a different vlan inside it's slow. But there's nothing but routing on the router. no acl no firewall no nac no ips no nothing but IGRP and a few sub interfaces.

 

[spidey07]

fragmentation or MTU problem?

 

[Pantlegz]

fragmentation or MTU problem?

What do you mean? I don't think it's fragmentation but how would I be able to tell? I'm not sure what MTU is..

 

[Pantlegz]

actually it looks like the MTU on both ends is 1500 bytes, still not sure about checking for fragmentation

 

[Pantlegz]

I think I may have found part of the problem anyway.

Interface GigabitEthernet1/0 "inside", is up, line protocol is up
Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Media-type configured as RJ45 connector
MAC address c84c.7552.03e8, MTU 1500
IP address 10.*.*.*, subnet mask 255.255.252.0
468097 packets input, 100525750 bytes, 0 no buffer
Received 28 broadcasts, 0 runts, 0 giants
21 input errors, 21 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
547550 packets output, 483525637 bytes, 0 underruns
0 pause output, 0 resume output
5337 output errors, 9304 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
8 rate limit drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "inside":
467928 packets input, 90815777 bytes
553477 packets output, 476788353 bytes
1896 packets dropped
1 minute input rate 488 pkts/sec, 176953 bytes/sec
1 minute output rate 617 pkts/sec, 610607 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 112 pkts/sec, 18021 bytes/sec
5 minute output rate 132 pkts/sec, 121467 bytes/sec
5 minute drop rate, 0 pkts/sec

Thats the firewall port that's going to the router. The router port looks better, but it does have 7000 CRC errors and the interface has been reset 23 times and a few runts. But no collisions detected. It's also set to full duplex and the firewall end will default to half, if I force both of them to full or gigabit I don't get any connection. Both devices will show up/up but no data passes across the link. I changed out the cable and still having the same issue, could I need a cross over cable?

 

[spidey07]

The router may only be a 10 Base-T port and not support full-duplex? Eitherway, that screams of a duplex mismatch.

 

[Pantlegz]

It is a duplex mismatch, both ports are gigabit. if I set the duplex the same either full or half on both sides it doesn't work the conenction will stay up but 60% of the pings are dropped and we can't get internet. If the Firewall is at half dyplex and the router at full duplex we get internet and pings don't fails but we get those errors.

 

[spidey07]

Sounds like possible flow control/pause settings then. I have NEVER seen autonegotiation not work on 1000 Base-T.

 

[Pantlegz]

seems that flow control MAY be the problem the ASA is saying that flow control is not supported. And the Router has flow controls XON for both input and output. I'll see if I can figure out how to shut it off.

 

[drebo]

Bad cable?

 

[Emulex]

how do collisions occur on gigabit full duplex?

 

[Pantlegz]

Bad cable?

tried several cables all with the same results. So I don't think it's a bad cable. It may be the wrong type of cable though. we're connecting the ASA to the router via the 4GE SSM module so I'm not sure if it needs a straight through cable or crossover. I figued if we had the wrong type of cable it would just fail to link at all but maybe thats not the case?

 

[Pantlegz]

how do collisions occur on gigabit full duplex?

The issue is I can't get it to run gigabit full duplex, anything other than half duplex 100 mbit on the firewall and full duplex 100 mbit on the router drops 40-60% of my ping packets. it's so bad that we're not able to get any sort of internet connection.

 

[spidey07]

Call Cisco. Also 1000 Base-T does have auto-mdi as part of the standard but there are commands to turn that off. If you connect two end devices like you're doing it will do the crossover internally.

What's the router?

 

[Pantlegz]

Call Cisco. Also 1000 Base-T does have auto-mdi as part of the standard but there are commands to turn that off. If you connect two end devices like you're doing it will do the crossover internally.

What's the router?

The router is a Cisco 3845, and I did try a spare crosover and it's the doing the same thing. I have called cisco and I'm waiting for them to get back with me. Normally their tech support is less than helpful but I'm going to give it a shot.