The information in this document is based on the Cisco Adaptive
Security Appliance (ASA).
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Some customers might experience a problem when they first deploy an ASA
or when they test new connectivity. The problem is the TCP throughput for
connections that flow through the ASA is much lower than when the ASA is not in
the connection path (or the connections are much slower than before the ASA was
implemented in the network).
For example, a customer might replace a low-end D-Link router (or other
routing device) with an ASA 5505 or an ASA 5510; however, once the router is
replaced, connection speed is greatly reduced. Customer might raise a case with
Cisco TAC because they believe the ASA caused the reduction in connection
TCP flows slow down when there is packet loss or packet delay on the
network. In order to understand the exact cause of the problem, the data must
show the actual TCP packets on the wire for that connection and how the network
might affect them. Usually a network administrator is alerted to the problem
when they perform a specific action, such as an FTP file transfer or an online
speed test. Most often the problem can be reproduced. Therefore, the
administrator can gather the required data in order to find the root
In order to gather the required data, the show
tech command should be run from the ASA before and after the
test. This command shows configuration and packet statistics (mainly from show service-policy) and also shows if the interface
Bi-directional, simultaneous packet captures (taken from the two ASA
interfaces affected that the connection traverses) are required to fully
diagnose the cause of the issue.
Refer to these documents for examples of how to apply packet captures
to the ASA:
Once you gather the required data, you can use the packet captures in
order to determine which of these issues might have occurred:
The packets from the outside host are dropped or delayed before they
reach the ASA's outside interface.
The packets are delayed or dropped by the ASA.
The packets are delayed or dropped somewhere on the inside
Note: This analysis assumes the data is sent from a host on the outside
interface to a host on the inside interface.
This video shows an example of how to perform the analysis on a packet
TCP stream coalescing is a technical consideration
specific to this problem because, when you engage certain features on the ASA,
the firewall fully coalesces the TCP stream that passes through it.
For example, if the ASA discovers a missing packet on the network
(since it is not received at the ASA), it sends an ACK on behalf of the other
TCP endpoint for the missing data. This scenario is most common. If the ASA
discovers packets that arrive out of order, the ASA reorders the packets and
passes them to the receiver in the proper order. If there are no network drops
or packet reordering, there are no side effects to enabling this feature. If
all the packets sent by either TCP endpoint successfully passed through the
network and the ASA, you would not know this feature is enabled since it does
not take action on the packet flows. Only when there is trouble with the TCP
connection on the network will enabling this feature further slow down network
traffic. The act of coalescing the TCP stream is very resource intensive for
the ASA. For every packet dropped on the network the ASA must not only send a
TCP packet request the retransmission of that packet, but it must also buffer
the packets that the sender continued to send after the packet went
This issue often occurs when a device is replaced by an ASA. If the
speed and duplex values on the ASA interface are not the same as the values on
the adjacent device, packet drops occur on that interface. Check the speed and
duplex values on the ASA interface as well as the adjacent interface.
Check the show interface output of the ASA
for obvious errors that are symptoms of this problem:
When the ASA is configured to send traffic to the IPS module, the TCP
stream coalescing feature is engaged on the ASA. Refer to the Data Analysis section of this document for more
information on the TCP stream coalescing feature.
By default the ASA sets the TCP MSS option in the SYN packets to 1380.
Therefore, TCP endpoints should not transmit a TCP segment larger than 1380
bytes. This value is lower than the often default value of 1460 bytes and
represents a TCP performance drop of around six percent (6%). Performance might
improve is you increase the maximum MSS setting on the ASA or disable the MSS
adjustment. Before you modify the default command on the ASA, understand the
risks involved with regard to potential fragmentation if the packet is further
encapsulated in the path somewhere.