Cisco Firewall :: PPTP Performance Through ASA5520 Very Poor?
Nov 13, 2011
We use MS RRAS services behind a Cisco ASA 5520. In testing the performance I have found that we can only get a little over 2MB of throughput when connected to the VPN server over a broadband connection. I have verified that the issue is not the RRAS server itself, as I can connect to VPN from the LAN and the throughput tests at 300-400MB. I also connected to the LAN directly on the outside of the firewall and only get 4 or 5 MB from there, which does not seem right. None of the switches are showing any errors. I believe that I have the passthrough stuff set up as I should. I even went through these steps as recommended by Cisco.
hostname(config)# class-map pptp-port
hostname(config-cmap)# match port tcp eq 1723
hostname(config-cmap)# exit
hostname(config)# policy-map pptp_policy
hostname(config-pmap)# class pptp-port
hostname(config-pmap-c)# inspect pptp
hostname(config-pmap-c)# exit
hostname(config)# service-policy pptp_policy interface outside
May 1, 2011
Having a very strange problem with a Cisco 1861 running - Cisco IOS Software, C1861 Software (C1861-ADVENTERPRISEK9-M), Version 12.4(24)T5
The issue - I have suddenly started to get performance issues with downloads and access through the ZBF. Without the firewall enabled and just having NAT enabled and routing, downloads perform as expected (have been using iTunes download as test file). With the ZBF enabled, and the necessary rules installed to inspect & allow traffic, downloads stall, and the only way to get the download to start again is to pause, then resume. The stalls are anything between the first 25 - 120 secs.
I have debugged and performed packet traces, but can't see anything untoward. I have also placed another router (just a cheap Belkin) on the ADSL service and again, the downloads work as expected.
One further thing to add is that when I'm tunneling through the firewall (VPN), then downloads do work as expected, suggesting that the issue is with native HTTP(s) traffic.
I have upgraded from T4 to T5, and the symptoms still remain. I am thinking that these may have been introduced when I upgraded to T4 a few months ago.
Nov 30, 2012
I run my Virgin broadband through an old NTL modem and a Belkin router. I have it all attached to a computer in my study along with a new 6TB Buffalo NAS drive. The computer has GIGABIT LAN. I use Belkin powerline units to relay the network around the house. In my lounge I have a Blu-ray player, AV amp and my Sky box attached to the network via the Belkin powerline units and all run OK. This week I have added a Cambridge Audio streamer but I am suffering now from a lot of dropouts and network failures, especially when trying to stream music from my NAS. All seem to be set up correctly as per the manuals. I have spent a lot on this unit specifically to stream my music so this is really important to get working correctly. The powerline units can flash blue (fast) or orange (slower) but I only see the orange light. My local dealer says I need to upgrade my modem/router and has suggested an ASUS RT-N66U, which I understand is a modern 2.5/5ghz model. He says my system is overloaded.
A few questions.
Is this a suitable modem for me to use on my Virgin cable broadband? (Apparently there are two alternative types of modem/router.)
Is there a better alternative unit?
Could there be another cause for my problems, and if so how do I diagnose them?
Feb 5, 2012
I replaced a DIR-655 at a coffee shop with a new DIR-655 a few weeks ago. They keep calling and saying that Windows clients are not working and that Mac clients do. My first thought is that they are overloading the router, but I would think that all computers would have problems, not just the Windows computers. Could the router be so bogged down that it takes too long for DHCP request for Windows computers, assigning the IP twice?
Apr 4, 2011
I am using 2 WAP4410N in bridge mode with WPA2 Security. The bridge seems to be stable but I get poor transfer rates. Distance between devices ~ 8m - nothing between. Wireless network mode: N-Only, Channel: Auto, Channel Bandwidth: 40MHz (also tried auto and 20MHz). Firmware 2.0.2.1 because got different problems with 2.0.3.3. One side is connected to my LAN, other is connected to a notebook.
Apr 3, 2003
I have a Catalyst 4006 with Supervisor II engine. I have 48 port 10/100/1000 blades installed in it for connection to my servers. I am having a lot of problems with performance when connecting servers that are using 100 MB NICs. The speed of the connection is really bad. I have attempted setting the ports and NICs to 100MB Full duplex instead of auto-detect, but still get the same results.
I also have a 10/100 quad-port card installed in a NetApp filer. All four ports are trunked together and connect to 4 ports in the Catalyst. The ports in the Catalyst are trunked using the Port Channel feature of the CatOS. When I look at the port statistics on 3 of the 4 ports from the quad-card, there are a ton of runts and errors (both transmit and receive). The 4th port is fine, no errors.
Aug 24, 2012
I recently purchased an EA4500. It started out working really well, but recently I noticed that my speed on my iPhone and iPad has dropped significantly. When I'm in my office where the router is set up, I'm getting around 15 to 20 mb download speed and 5+ upload speed. When I go to my living room about 40 feet away my speed drops to 1mb down and less than 1 up. I expect to see a drop in my performance the further away I get from the router, but this seems really unacceptable to me.
Oct 9, 2012
The wireless connection barely registers in the Speed Test within Cisco Connect - .56 download, 5.35 upload. A cable connection gives 2.4 download and 5.5 upload. The E900 is not far from the computer with no obstacles between. Is the wireless portion of the E900 set up improperly? Is there anything I can do to improve the wireless performance?
Jan 1, 2013
I have 2 RV042 routers with identical firmware (1.3.13.02-tm) and settings. One router is a backup that sits in a box, but both experience this problem. The WAN port gives very poor performance most of the time. Download speeds range from normal, 25mb, to less than .5mb. Pings from my command prompt or the router's "Diagnostic" page, even to the cable modem, are almost always above 500ms. However, pings to internal resources are fast, usually under 5ms. If I connect my laptop directly to the cable modem I have no speed issues. The problem occurs whether I use WAN1 or WAN2.
If I restart the router, speeds are fine for a few seconds and then it begins to slow down like someone is turning down a dial. We also regularly experience a complete internet disconnect quite often, and when it happens, the ping results are the same when it comes back up, almost like the router is restarting itself. [code]
Dec 5, 2011
We have two Cisco AP541N running our wireless network in the office. They're configured with the same SSID, so that people are automatically switched between the two access points depending on their location in the office.
Frequently we are experiencing very poor performance of our wireless connections and it seems to be related to when 4-5 clients are connected to one access point. After restarting it (which also moves the 5 clients to the other access point), the performance problem goes away for a while.
I've upgraded one to firmware version AP541N-K9-2.0(1) (the other is running AP541N-K9-1.8(0)), but it doesn't seem to work.
May 16, 2013
A few days ago I received my DIR-655 I ordered off Amazon and hooked it up. There were no problems the first day after initial setup. The next day I noticed that I was losing internet connection even though the wifi indicator on my laptop said otherwise. This happens for about 5 minutes at a time and on other devices such as my desktop and my iPad. And I hopped on Call of Duty last night and played a competition with some friends and gave everyone 4bar connection. Later that night, I was playing some more and people that connected to me received 1bar connection and I got that in return on their connection. I feel that the router isn't working with my devices right?
Jun 15, 2011
We have recently purchased some Cisco 3750x switches and we are getting complaints from users that the performance is poor when both the PC's NIC and switch port are fixed at 100/Full?
There are no errors or collisions on the switch interfaces so there is no obvious problem on the switch. The PCs are standard DELL Optiplex 755/760's or gx 520's.
Any performance issues when configuring the switchport to 100/FULL?
Jun 2, 2012
I have upgraded the firmware of E1500 to the latest release, version 1.0.04, and found bad performance of the router QoS.
Sep 28, 2012
I have EA4500 acting as a router on a domainless all-Windows network of two XP machines. Unfortunately, EA4500 aggressively grabs the role of the Master Browser (I am talking about Computer Browser Service) on the network (regardless of the order in which you power the devices up) and then doesn't serve as a working Master Browser - both Windows machines stop listing the network computers in the "Network Neighborhood" and incur massive timeouts when attempting to view the listing. A quick look with 'browstat.exe status' reveals that indeed the router has announced itself as a Master Browser device, but returns errors when you query it. Quite predictably, without the router, both machines figure out amongst each other who will be the Master Browser and everything works fine. The problems begin only when you add the router to the network.
1) Is there any way to make EA4500 work like a full-blown Master Browser (the one that not only announces itself, but also serves as such)? Having a Master Browser integrated in an "always-on" router would really improve the predictability of the network.
2) If not, is there any way to disable the Master Browser on EA4500? For now I managed to achieve that by assigning the router to different workgroup name, but this is lame, as I now can't connect a disk storage to the router and use it within the same workgroup.
Dec 6, 2012
We have a remote site connected to an ADSL line with a Cisco 887VA router attached. This has been working fine for the last couple of months. However, recently, the site has started to complain of performance issues (network slow, applications disconnecting, etc.). Looking on the router, we can see evidence of packet loss/timeouts from a simple ping to the internet e.g. [code]
However, we have logged the fault with our service provider and they return all line tests as clear, but what is particularly strange is that they also report "and the SNR Margins are well within threshold levels (Upstream 11.5 and Downstream 15.0)" which, unless I'm misunderstanding something, seems to be completely different from what the router itself is reporting. Is there a reason why the service provider's stats for Noise Margin would appear to be so different from what the router is reporting?
Dec 17, 2011
I'm getting really poor performance on my 1841. My initial thought was a duplex mismatch; however, although I'm getting a few CRC errors (root cause unknown at this point), there are not enough to suggest that this is the issue.
Here's the config:
Building configuration.
Current configuration : 5274 bytes
Last configuration change at 20:31:01 PCTime Sun Dec 18 2011 by admin_x
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
Sep 29, 2012
I am backing up massive amounts of data to the cloud. Every time I do this, the wireless performance on my EA4500 seems to degrade to half its throughput. I am using the 2.4 GHz band.
Jan 1, 2013
We have several of the SG300 Series switches. We use them to route VLAN traffic to Remote Offices, Internet Connections, and WiFi Access Points. In one remote office we have a SG300-10 set up to route the HQ Network and the remote Office Subnet. The SG300 is connected to HQ via Fiber and has multiple Tagged VLANs on it. If I do speed tests over the Fiber Link on the Incoming Tagged Network I get decent performance, 80Mbs. If I switch to a network that is not originating from HQ, and have the SG300-10 route packet, I get dismal performance, 15-20Mbs.
I fired up a new SG300-28P FW v1.2.7.76. Added the HQ VLAN 101 and new VLAN 1025. Mapped some Tagged and Untagged ports for each. Switch was connected to HQ Network as untagged VLAN 101. I put a laptop on an Untagged VLAN 101 port. Ran some tests, came back with 750-850Mbs. Great. Put the same laptop on a Tagged 101 Port, configured the NIC for Tagged VLAN 101, same test, same speeds, 750-850Mbs. I then configured laptop for Tagged VLAN 1025. Connected to tagged VLAN 1025 port. Ran speed tests, results were 15-20Mbs!
I then configured laptop for Untagged VLAN 1025. Connected to untagged VLAN 1025 port. Ran speed tests, results were 15-20Mbs! It was only the laptop and the connection to the HQ net on the SG300-28P. Why is the performance of this unit soooooo poor when it needs to route? Other switches have FW v1.0.0.27 or FW v1.1.2.0. They have similar speed issues. All configured for Layer 3.
Jan 23, 2012
I am having poor performance through an IPSec VPN between two Cisco ASA 5505s. In researching, I found some discussion about setting the MTU for the VPN. So from one side of the VPN tunnel, I tried pinging a host on the other side specifying the Don't Fragment flag and testing different packet sizes. I found that a size of 1398 is the largest packet size that results in a successful ping. So, I also understand that I should be able to set the MTU to 1426 (1398 + 28 bytes for the IP and ICMP headers). What I'm not 100% clear on is where all I need to set this. Do I set the MTU for the outside interface of the ASA that the VPN tunnel is going through, or do I also need to set the MTU for the inside interface, or on the outside interface and the switch port that the interface is connected to (switch port is set to an MTU of 1500 as well)? My thoughts are that only the outside interface of each ASA needs the lower MTU (currently set at the default of 1500).
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
May 15, 2006
Can I configure a PIX (515) as a PPTP client to establish a tunnel with a non-Cisco PPTP server? Can my PIX initiate this type of connection? Today, I use a PC with a PPTP client to establish this and I want to replace this with a PIX, and I don't want to depend on a PC.
Dec 19, 2011
I am interested in how ASA 5585-X with SSP-60 operates in dual firewall mode. If I install two SSP-60 modules in the chassis, do I get one logical firewall with doubled performance (of SSP-60)?
Sep 11, 2011
We are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.
Symptoms:
- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150.000 pps traffic (testing with packeth software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes one!) to 2% all time !! (weird)
- ASR response to pings rises very quickly up to 5 seconds which makes box unusable dropping everything what goes through ZBF (so internet connection is gone)
- if I do the ping directly from box, it seems to work fine (no rules from self to outside zone in ZBF)
- if I remove interfaces from inside and outside zone (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150.000 pps) and everything seems to work fine
According to Cisco Datasheets: routing, Qos, Zbf ... on ASR 1000 with RP1, ESP10 should be done in hardware with up to 17.000.000 pps performance.
Apr 26, 2011
To sum it up the ASA is maxing out at 7MB down on a 25MB connection. The connection was tested with the ASA removed and the connection is fine.
This popped out at me the most but I'm not sure what it means:
12884935775 switch ingress policy drops for eth 0/0
[code]....
Nov 3, 2011
I have a client using a VOIP service to a third party provider (RingCentral). They are connected via Cable ISP (6mb) to the Internet and now experiencing performance issues with their VOIP service. They indicated that the call can be heard but that there is jitter and choppiness in the call and they have to place a regular landline call. Their provider recommended using QOS to improve. I did not see anything straightforward on the ASDM interface to do this and figure it may require command line to accomplish.
They have Cisco IP 303 and 5252G2 phones which connect through an ASA5505 7.2(4) to their provider for service. Apparently the voip app uses the following ports:
UDP
5060-5090
8000-8200
16384-16482
What would be the best solution to improve performance or perhaps traffic shape / prioritize traffic to work? I assume this may be happening if there are heavy downloads or activity happening on the network. The ASA5505 is on 7.2(4). Some coded examples for the above info.
May 6, 2008
I read the Cisco document: [URL]. The PPTP client is inside, the PPTP server is outside. When I do not use the firewall, the PPTP connection can establish successfully, but using PIX 525 7.0(7) I config:
inspect pptp.
pptp connection cannot setup.
show connection in pix:
pptp tcp 1723 is ok.
gre connection only one "E" flag, E means 'outside back connection'. I tried a second method: delete 'inspect pptp', permit tcp 1723 and gre traffic from outside to inside, and I have configured static NAT, but the PPTP connection cannot work either. So I think there is a PPTP bug in PIX 7.0(7).
Mar 22, 2011
I need to add the following to our firewall configuration (we are changing a WatchGuard firewall to Cisco and it was necessary to be configured this way)
1) I need to create 1-1 NAT for our VOIP system and video conferencing unit and to do it as below
VOIP-SIP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 5060
VC-SIP : from any_external to 217.207.96.120 on port tcp/udp 5060
VC-Video : from any_external to 217.207.96.120 on port tcp/udp 60000 to 64999
VOIP-RTP : from 85.90.225.100 to 217.207.96.121 on port tcp/udp 10000 - 20000
2) I need to enable PPTP traffic to pass from outside to inside and vice versa
current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
names
name 10.10.1.19 barracuda
name 192.168.1.2 ctxdmz
name 10.10.1.39 ftp1
name 10.10.1.38 ftp2
name 10.10.1.37 ftp3
name 10.10.1.192 mailsvr
name 217.207.96.114 outside_114
name 217.207.96.115 outside_115
name 217.207.96.116 outside_116
name 217.207.96.117 outside_117
name 217.207.96.118 outside_118
name 217.207.96.119 outside_119
name 217.207.96.120 outside_120
name 10.10.1.8 transfer_server
name 10.10.1.10 backupsvr
name 10.10.1.4 citrixsvr1
name 85.90.225.100 voip_sip
name 10.10.1.9 minimac1
name 82.111.186.146 sdt_rdp
name 217.207.96.121 outside_121
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1
[code]....
Jun 27, 2012
I am using a PPTP server running on Windows 2008 Server and I have configured my ASA 5520 to let the PPTP traffic pass through.
The solution works quite well but exactly every 120 minutes the connection drops and people have to reconnect. Is there any setting to change? In the PPTP server I haven't found any setting to change.
Apr 26, 2011
We are not able to connect to an outside PPTP VPN server. The scenario is this: connections are started from the inside network to a VPN server on the outside zone.
I have added these configs and it is still not working.
policy-map global_policy
 class inspection_default
  inspect pptp
I also have an access-list for it.
access-list inside_access_in extended permit tcp object inside-network any eq pptp
access-list inside_access_in extended permit gre object inside-network any
access-group inside_access_in in interface inside
Am I missing something, or is this all the config I have to get done?
Dec 22, 2011
With regard to the firewall ASA5520: I'm using it in my network, and all the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked contents are easily accessible; it simply bypasses all the network through the firewall. So will you guide me to block the proxy servers?
Oct 3, 2011
What is the difference between IP throughput, routing throughput and firewall throughput?
The reason is I am trying to spec a router for a mate who is setting up an online server for an old game, Ultima Online, which will have around 300-400 people each pulling around 10kb/sec.
I recommended an 880 service router, but when he spoke to a guy at the shop they said this would only run at 25mb/sec and he is plugging in to a 100MB/sec line.
But the current router, a home D-Link which cost at most 60 Euros, can pull 95mb/sec on a speed tester. I just don't get how a 60 Euros router can download quicker than a 300-400 Euro router.
They said try a ASA5505 that can do 150MB/sec of firewall throughput
Mar 14, 2011
We are suffering slow https traffic download. We have a CISCO ASA 5550, Cisco Adaptive Security Appliance Software Version 8.0(5)19. When we try to download some videos from an https server we have a data download rate of about 140 kbps, but if we bypass the firewall and put a laptop just after the border router, data rate increase up to 350-400 kbps.
We configured a new interface in the firewall and we connected a laptop directly to the port in the ASA 5550, with a new ACL permit ip any any, just for test purposes, but data rate is still the same, 140 kbps.
Aug 22, 2011
I have two ASA 5520 firewalls: one at my primary data center connected to our production Internet feed, and one at my failover data center connected to a backup Internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our ISP that will move our public facing address block from our primary site to our DR site in the event of a disaster, so the IP addresses will not change if we were to have to fail over to the DR site. Currently I just have to do any changes that I make on the failover server, but I would like a way to at least semi-automate this, if not fully automate this, so that I can eliminate the possibility of human error of a change happening at primary but never getting done at DR.