Cisco ASA 5580 Adaptive Security Appliance Troubleshooting Guide

For example, a customer might replace a low-end D-Link router (or other routing device) with an
ASA 5505 or an ASA 5510; however, once the router is replaced, connection speed is greatly
reduced. The customer might raise a case with Cisco TAC because they believe the ASA caused the
reduction in connection speed.
 
 
Troubleshooting Methodology
 
TCP flows slow down when there is packet loss or packet delay on the network. In order to
understand the exact cause of the problem, the data must show the actual TCP packets on the
wire for that connection and how the network might affect them. Usually a network administrator is
alerted to the problem when they perform a specific action, such as an FTP file transfer or an
online speed test. Most often the problem can be reproduced. Therefore, the administrator can
gather the required data in order to find the root cause.
 
In order to gather the required data, the show tech command should be run from the ASA before
and after the test. This command shows configuration and packet statistics (mainly from
show service-policy) and also shows if the interface errors increment.
 
Bi-directional, simultaneous packet captures (taken on the two ASA interfaces that the affected
connection traverses) are required to fully diagnose the cause of the issue.
 
Refer to these documents for examples of how to apply packet captures to the ASA:

ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example

Troubleshoot Connections through the PIX and ASA

Data Analysis
 
Once you gather the required data, you can use the packet captures in order to determine which
of these issues might have occurred:

The packets from the outside host are dropped or delayed before they reach the ASA's outside interface.

The packets are delayed or dropped by the ASA.

The packets are delayed or dropped somewhere on the inside network.
 
Note: This analysis assumes the data is sent from a host on the outside interface to a host on the
inside interface.
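
The comparison described above can be scripted once the data segments of the slow flow have been extracted from both captures. The following is an added example, not code from the original guide or from Cisco: the function name classify, the 5 ms transit threshold and the sample records are assumptions, and it assumes both captures carry timestamps from the same ASA clock.

```python
from collections import defaultdict

# Constructed sample data: (timestamp_s, tcp_seq) of data segments for one flow
# sent outside -> inside, as read from the outside and inside ASA captures.
OUTSIDE = [(0.000, 1000), (0.002, 3000), (0.003, 4000), (0.004, 5000),
           (0.005, 6000), (0.210, 2000), (0.250, 3000), (0.300, 5000)]
INSIDE = [(0.0001, 1000), (0.0031, 4000), (0.0041, 5000), (0.085, 6000),
          (0.2101, 2000), (0.2501, 3000), (0.3001, 5000)]

def classify(outside, inside, max_transit=0.005):
    """Return {tcp_seq: verdict}. max_transit (seconds) is an assumed threshold
    for acceptable transit time through the firewall."""
    out_ts, in_ts = defaultdict(list), defaultdict(list)
    for ts, seq in sorted(outside):
        out_ts[seq].append(ts)
    for ts, seq in sorted(inside):
        in_ts[seq].append(ts)

    findings, highest = {}, -1
    # Walk segments in the order they first reached the outside interface.
    for seq, arrivals in sorted(out_ts.items(), key=lambda kv: kv[1][0]):
        departures = in_ts.get(seq, [])
        if len(departures) < len(arrivals):
            # A copy entered the ASA and never left the inside interface.
            verdict = "dropped by ASA"
        elif len(arrivals) > 1:
            # Every copy was forwarded, yet the sender retransmitted: the
            # segment was lost on the inside network, or its ACK was lost on
            # the way back (the reverse-direction capture tells which).
            verdict = "lost after ASA (or ACK lost)"
        elif seq < highest:
            # Single copy arriving behind later data: the original never
            # reached the outside interface (sequence wrap is ignored here).
            verdict = "dropped or delayed before ASA"
        elif departures[0] - arrivals[0] > max_transit:
            verdict = "delayed by ASA"
        else:
            verdict = "ok"
        findings[seq] = verdict
        highest = max(highest, seq)
    return findings

if __name__ == "__main__":
    for seq, verdict in sorted(classify(OUTSIDE, INSIDE).items()):
        print(seq, verdict)
```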
 
This video shows an example of how to perform the analysis on a packet capture: