Cisco VPN :: ASA 5540 / Internet Access Is Slow When Running Full-tunnel
Aug 7, 2011
We have an ASA 5540. We set up Site-to-Site VPN and Remote Access VPN (Cisco VPN client). If we are running full tunnel on the Cisco VPN client, the internet access is slow. For example, when we are running full-tunnel, the internet speed is 16 Mbps based on Speedtest.net. When we go to Speedtest.net, some of the graphics do not load. If we are running split-tunnel, the internet access speed is 78 Mbps based on Speedtest.net and the Speedtest.net web site loads all the graphics.
I have IP phones at the remote location that connect into the phone switch (it's a Nortel CS1000 system) over the tunnel. Internal calls work just fine, however when somebody calls from the outside, or calls are made to the outside, the connection is never finalized. Like if I call from my cell it rings the phones, but when I answer there is nothing but dead air. In the group policy for the tunnel, I gave the remote site FULL access to the phones VLAN and vice versa... which obviously works since internal calls work fine. If I remove my group policy and give it the Default group policy, which essentially gives that tunnel full access to everything since the tunnel is set to bypass interface ACLs, external calls work fine. So it's definitely related to the group policy.
The group policy is basically: allow remote site to X network/host on these ports, no denies since it blocks whatever isn't specifically allowed. However, since it can get to the phone switch and it can get to the internet, I'm not seeing why the calls aren't working. The only thing I can think of to try doing as well is remove the allow inbound traffic to bypass interface rules and treat it just like another VLAN interface on the ASA. Create the rules on each interface for the remote site network etc. and see if it works that way.
I need to replace an existing ASA 5540 with a new ASA 5525X. I would like to pre-stage and configure the new box with the existing config, migrate license and export certificate files before swapping it with the old one during a change window. The new firewall will run 9.1 on deployment. Now the same 7.2(4) cannot just be copied over to 5525X running the minimum 8.6 version. There is a Web based tool available at [URL] according to Cisco documentation but the page does not load for me (Cisco intranet only tool?). Is there another tool for automatic conversion?
My internet has randomly been slow lately. It used to work fine at about 6.0 Mbps from speedtest.net but suddenly I'm barely getting 2 Mbps. I don't know why this has happened. I've been getting very high ping spikes during gaming, making me unable to play. I've done a virus scan using Avast, and have come up with nothing.
I bought a Sony Vaio i3 2.1 GHz 4mb ram laptop yesterday, and it has a very unstable wireless internet connection. The internet might be super slow at first, then drop entirely to where it says "you are not connected to the internet," then after not changing anything it will have a normal connection speed for a few minutes before repeating this cycle again. I have a MacBook Pro that I've had for two years connected to my wireless internet, and it has never had a problem. Even now it runs as usual on the wireless internet. I also have two PS3s that are working fine on the wireless, so I know it's not the router or signal.
I have 3 laptops, an iPod and an Xbox connected wirelessly to my router. I have no troubles with any of them except one laptop, which runs really slow through Wi-Fi. I have been reading about people with similar examples and here is some stuff I noticed.
1. The laptop is new and I ran it as a virus check with no viruses
2. I did notice two wifi adapters as follows. Microsoft Virtual WiFi Miniport Adapter and Microsoft Virtual WiFi Miniport Adapter #2. They both show that they are working properly and I have checked for updates.
3. My router is a Netgear DGN1000 modem/router. It is also updated on firmware.
4. I have the right password etc. I do however have my Xbox set up as DMZ and ports forwarded on the static IP for my Xbox.
I have a Belkin N600 HD. I'm on an Off-net ADSL2 connection with TPG. It took 2 weeks to connect. I've connected and I'm still downloading at 1.5Mbps (150kb/s). I bought new line filters/splitter in case the ones I have were faulty (C1024M) and connected them correctly to both my home phone and my modem. So I've connected to my net, I can download and do whatever, but I'm going at my ADSL1 speeds. My friend is on the same connection, same modem (he bought it cause of me) and he's hitting higher than me (500kb/s, 600kb/s), although he's on a separate line so no filters required (I think). He lives about 5 minutes away from me (car) and is about the same distance from the exchange as I am (2.5km give or take).
I recently purchased a new laptop, the HP Envy 14 Beats Edition (i5 processor, 6GB ram) and the internet has been working great (Verizon Fios, MI424WR modem) until yesterday. My internet at that point went incredibly slow all of a sudden, on both Firefox and Internet Explorer. I eventually managed to transfer over some antivirus/spyware/malware software, and found that I had the msiexec.exe trojan, among other trojans (or installers?) on the system. I've deleted what I could find. But, with such slow internet, I couldn't update any of the antivirus software, and eventually did a system restore to out-of-the-box conditions. Using a new internet connection (free Wi-Fi at a store), I easily downloaded AVG, Malwarebytes, and Spybot, all of which declared my computer clean. However, upon connecting again to my home internet connection, things ran really slow again.
I just set up a new computer with Win 7 - 64. The cable broadband download speed is less than 1 meg/sec. My wife and daughters computers, which are wireless, see no slowdown. My computer is connected to the router thru the ethernet connection. The previous computer using Win XP - 32, plugged into the same router, had no unusual speed problems. I did turn off the Windows 7 firewall. Did no good. Could there be some incompatibility between the router and Win 7 - 64?? Are there some settings that need changing?
I'm using a Dell Inspiron 1525. I just reformatted it because of some hard disk problems. The first night after it was repaired, everything was okay. The internet was fast. But the next day, the internet is just running really slow. I don't even think I have loaded a complete page for the past 3 days, let alone downloading stuff.
Well, I've tried most of the solutions I found online, like turning off IPv6 and something else, but the internet is still slow. And I'm using an ADSL modem, not a wireless one. The internet works just fine with other laptops. I called my technician and asked. He said it's a matter of laptop brands. Every laptop has different.. I don't understand what he's talking about. So..
I used to have a slow internet connection before reformatting but I thought it was caused by my overloaded laptop memory, but now that it's reformatted I hardly have any software on it, so what can I do?
Sometimes, I get this email notification 3 times within 1 minute interval. What caused this type of error message and how to fix it? No one was logging in to Cisco VPN client when this error occurred.
I have a Dell Studio 1557 running Windows 7. I live in my own apartment with roommates in college, and I've been having some very bad issues with slow internet or constant down time. Here are some key points:
- I have Charter internet.
- My 2 other roommates have NO ISSUES.
- My laptop works in my family's house. They have Comcast. I went on vacation a week ago and there were no issues on the hotel internet. No issues from the school's internet.
- I have been using my Android phone as a tether because the internet is more stable. It's slow, but consistent for the most part. This is extra frustrating because I shouldn't have slow internet. And I sure as hell shouldn't be paying for internet I can't even enjoy.
- Charter has replaced 2 routers. Both are brand new. They are Netgear. Charter is clueless to my problem.
- I have reinstalled Windows. Dell told me to try safe mode. I noticed NO ISSUES WITH STANDARD BROWSING IN SAFE MODE. This leads me to believe it is a software issue.
- The connection is non-existent when coming out of hibernation or rebooting. In the morning, I have to boot up, make my coffee, and only then will it give me access to the internet. Otherwise, page timeouts. It can take up to 10 minutes for the internet to work.
- YouTube and general multitasking is very bad. Slower connection than ever, page timeouts, and I often need to wait for a video/music to buffer before I begin enjoying it.
My laptop has been this way for upwards of 6 months.
I need to work with the full tunnel feature of the IOS SSL VPN using a Cisco 1841. Here is what I see...
- I log in to the portal page and click the "Start" button for "Tunnel Connection (SVC)"
- Security Alert message "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?" I click yes.
- Anyconnect says "Please wait while VPN connection is established"
- Anyconnect error "The certificate on the secure gateway is invalid. The VPN connect will not establish"
We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?
I have an AC 3.0 connection that works fine prior to CSD. Once I've enabled CSD, I get CSD to load and then the AC tunnel fails. I've attached the DART bundle and a few screen shots.
I am running on Windows Vista and out of nowhere I cannot connect to my network 70% of the time. When I can connect I have local access and a full bar signal but no Internet access. But when I have internet access every page takes forever to load (if it even loads). I tried reinstalling my drivers and even changed some registry stuff. My wireless card is an 8.11g by Broadcom.
I just received a brand new HP Pavilion dv7 Notebook PC. When I try to connect to my internet, it connects, but attempts to "identify" the connection for about 10 seconds, then it says "Unidentified network" and fails to have internet access. 2 other computers are connected to this network with no problem. I've tried resetting everything, and many other "fixes" for this exact problem from other forums. I even uninstalled Norton, but nothing seems to work. I can connect directly to mine, and wirelessly with my neighbors, so I know the network card is okay. Here is my information when I type ipconfig /all into cmd.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Stephen>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Stephen-HP
Primary Dns Suffix . . . . . . . :
I have a Cisco ASA 5540. Users access the VPN through AnyConnect. I have applied split tunnel so that all users accessing the internal network (10.0.0.0) go through the tunnel and other traffic through the internet. Working fine. I want to fully tunnel one user so that all his traffic goes through the tunnel. What is the best way to do it? Is there any guide (step by step)?
I am facing a kind of weird problem!! My Sony Vaio was getting connected to my home Wi-Fi network and I could access the Internet without any problem. It's been a few days now that I can't access the Internet though it shows connected. It does connect with the Wi-Fi without any issue and even shows the full signal like before, but actually there's no internet access. No browsers (IE, Chrome, FF) load any webpage, no messengers work.
We terminated about 25 site-to-site VPN tunnels on the Cisco ASA 5540 (2 GB RAM). It appears that the memory utilization is getting higher when adding the tunnel. We are planning to remove those 25 VPN tunnels out of the 5540, and soon we will add an additional 40 VPN tunnels on it. So it will be around 65 tunnels in total, and maybe add a couple of tunnels per year for future growth, but about 25 VPN tunnels are in use all the time; the others are just for backup purposes, standby only. We are looking for a new network device (router or ASA) to accommodate the needs. Which network device is better to handle VPN tunnels for this infrastructure?
I have a 5540, and I am trying to allow access to the internet for a specific network object group, which has inside a bunch of users who need direct internet access without any restrictions. I have tried with dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as a source.
The group is located in the LAN zone, so a permission from one zone to another zone is needed I think, but I can allow the internet access to that group. Is there another way to get that, different from NAT?
This has to be the weirdest issue I have seen in the past year on my ASA. I have an ASA 5540 running the 8.4(2) code without any issues until I stumbled upon this problem last week, and I have spent sleepless nights with no resolution! So, take a deep breath and here is a brief description of my setup and the problem:
A simple IPSEC tunnel between my ASA 5540 8.4(2) and a Juniper SSG 140 screen OS 6.3.0r9.0 (route based VPN)
The tunnel comes up without any issues but the ASA refuses to encrypt the traffic but decrypts it with GLORY! Below are some debug outputs, show outputs and a packet tracer output which also has an explanation of my WEIRD NAT issue:
My setup - (I won't get into the tunnel encryption details as my tunnel negotiations are **** perfect and come up right off the bat when the ASA is configured as answer only)
As you can see, there is no echo reply packet at all as the packet is not being encapsulated while it is being sent back. I have been going mad with this. Also, this is a live production multi tenant firewall with no issues at all apart from this ****** ip sec tunnel to a juniper!!
Also, the 192.168.10.0/24 is another IP Sec tunnel remote network to this 10.2.4.0/28 network and this IP SEC tunnel has a similar Juniper SSG 140 screen os 6.3.0r9.0 at the remote end and this works like a charm without any issues, but the 171 is not being encrypted by the ASA at all.
We have had a shift in our work force and find a large number of users now working from home. Lately (this weekend) they have been complaining about VPN client downloads being very slow. I have tested the IPSec client and the SSL client and compared them to an Internet download on the network using the exact same laptop and the exact same web site www.speednet.net. Here at the office I see 50M, over both VPNs I see (if I am lucky) 1M, all readings within a 15 minute period and all over the same 600M pipe to the Internet.
We have never noticed this before this work force shift to home. Eliminating all other factors, which we think we have, would you expect VPN clients to behave this way?
MTU is set at default from day one. The only thing we have done to VPN configuration over the last week was to add a tunnel gateway to the ASA 5540 VPN configuration which is only a hop away from the firewall inside interface.
I will provide configuration data if you request but my question is just a general one at this point. Is this normal and can you make a suggestion as to how we can improve? We are research, running wireshark on the test laptop so as the day progresses we will have more information to provide if needed.
I'm having a throughput problem with a new ASA 5540 running version 8.2 (1). When trying to access a database server using tcp port 1521 (sqlnet) it is about 10 to 20 times slower than when the database is not behind the firewall. We've been running the same software on a database behind an ASA 5520 running version 8.0 (3) with no problems for years. When I check the cpu usage on the 5540 at the ASDM home page, it is rarely above 20% and never above 30% while this is being tested. I tried testing ftp throughput over the same interface and it was normal with ~320 Mbps average rate transferring a 500 MB file.
I'm not able to get my DIR-615 running... that's the case: Cable modem works fine with Internet access - LAN cable to my Windows laptop. Bought a new D-Link DIR-615 and plugged the LAN cable from the cable modem to the "Internet" port on the 615. Second LAN cable from Port 1 to my laptop for config of the WLAN SSID and WPA2. Unplugged it and here we go, I can access the 615 via WLAN connection. But... I have no Internet access over LAN or WLAN. The 615 gives me options to set up Internet with the cable/ISP information. But this is done by my cable modem, isn't it? What do I have to do to get it running? Enabled and disabled DHCP, made a reset, latest firmware 8.02 is installed (out of the box).
I have been trying to get a VPN tunnel established between this device and a Checkpoint R70 firewall, but have been getting nowhere.
The settings are:
Encap: ESP
Encryption: AES256
Hash: SHA1
DH: Group 2 (1024)
Authentication: pre-share
lifetime: 1440 min / 4096000 KB
I can open the tunnel from the ASA to the Checkpoint, but the Checkpoint cannot open a tunnel with the ASA. It looked like the issue originally was the KB timeout, which was turned off on the Checkpoint side. They have since added that (4096000), but we are getting Phase2 failures.
How to create a tunnel between an ASA running 8.4(2) and a Checkpoint R70?
I am beginning to think that I have incompatible systems. Is it a PFS issue? If so, how do I enable that in the policy section?
I am now unable to access the internet with my Dell 560 running Windows 7. I have Verizon Fios for internet access. Windows network diagnostics reports that the connection between my access point, router or cable modem and the internet is broken and the network gateway is accessible but Windows could not receive network traffic from the internet. Verizon's in-house agent reports that there seems to be a connection problem between my router and the wall jack. I am able to access the internet with another computer and the same router. I also have no problems with my iPad. I have interchanged cables and ports on the router.
I bought my laptop 4 weeks ago. It has Windows 8 on it. It worked great until this week. At first, Google Chrome quit working. Then IE quit. I connect wirelessly. It says it is strong, but no Internet access. I do have connectivity on my phone to that router.
I'm experiencing a failure on headend 3945 routers with VPN tunnels to remote 2901 routers. Essentially, a tunnel on a 3945 will go down/down although the tunnel on the remote router indicates it is up/up. It happens intermittently and I am not seeing anything in the logs, other than the tunnel goes down. This seems so much like an IOS bug, but I can't find anything specific in caveats on this version of code.
I am having issues getting my ASA 5540 at site A, to pass TFTP and SYSLOG from itself across the IPSEC tunnel to our SYSMON servers (Syslog and TFTP) that live at site B. I have followed the suggestions of other threads and I am still not getting anywhere. Here is a quick topology diagram.