ChrisFairley
Hi.
We have an ASA 5520 running version 7.2(3), and yes I know that's old, but it has been fine, and up until a few months ago everything was good. We have a 100/100 internet connection, and if you do tests WITHOUT the ASA in place we can download a 100 meg file in 45 seconds. If you have the ASA in place it starts off downloading, pauses, downloads a bit more, and so on. After 45 seconds we'd managed 1%....
Show ASP drop has the following stats:
Frame drop:
Invalid encapsulation 142
No valid adjacency 7
Flow is denied by configured rule 267287
Invalid SPI 29
NAT-T keepalive message 68375
First TCP packet not SYN 19178
Bad TCP flags 56
TCP data exceeded MSS 1880
TCP data send after FIN 6
TCP failed 3 way handshake 542523
TCP RST/FIN out of order 7249
TCP SEQ in SYN/SYNACK invalid 435
TCP SYNACK on established conn 1360
TCP packet SEQ past window 5320
TCP Out-of-Order packet buffer full 2551017
TCP Out-of-Order packet buffer timeout 337081
TCP RST/SYN in window 1582
TCP DUP and has been ACKed 18938980
TCP packet failed PAWS test 49945368
IPSEC tunnel is down 194
Slowpath security checks failed 93783
ICMP Inspect seq num not matched 1
ICMP Error Inspect different embedded conn 1
DNS Inspect invalid domain label 18
DNS Inspect packet too long 251
DNS Inspect id not matched 74739
FP L2 rule drop 13999
Interface is down 170
Dropped pending packets in a closed socket 47
Flow drop:
NAT failed 482
NAT reverse path failed 15242
Need to start IKE negotiation 96
Inspection failure 3126
SSL bad record detected 2
SSL handshake failed 6
SSL malloc error 7
Does anyone have any thoughts as to what can be going on? We're looking at replacing the firewall, but that's going to take a while with budget approvals, etc., so if I can fix the issue that would be even better!
Thanks
Chris
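The counters in a `show asp drop` listing are cumulative since boot or since the last `clear asp drop`, so the absolute values say little about what happens during one slow download; what matters is which counters grow while the problem is being reproduced. The script below is an added example and is not part of Chris's post: it parses the output, ranks the drop reasons, reports what fraction of a section's drops a set of reasons accounts for, and computes the per-counter growth between two readings. `SAMPLE_BEFORE` is the list posted above; `SAMPLE_AFTER` is a constructed second reading, and the parenthesised short names in it only illustrate the format that newer ASA releases print (the 7.2 output above has none).

```python
"""Rank and diff Cisco ASA 'show asp drop' counters. Added example (not from the post);
SAMPLE_BEFORE is the counter list posted above, SAMPLE_AFTER is a constructed second reading."""
import re
from typing import Dict, List, Tuple

Counters = Dict[str, Dict[str, int]]  # section ("frame"/"flow") -> reason -> count

# One counter per line: "<reason> [(short-name)] <count>". Newer ASA releases print the
# short name in parentheses, the 7.2 output posted above does not, so that group is optional.
LINE_RE = re.compile(r"^\s*(?P<reason>.+?)(?:\s+\((?P<short>[\w-]+)\))?\s+(?P<count>\d+)\s*$")
SECTION_RE = re.compile(r"^\s*(?P<name>Frame|Flow) drop:\s*$")

SAMPLE_BEFORE = """Frame drop:
Invalid encapsulation 142
No valid adjacency 7
Flow is denied by configured rule 267287
Invalid SPI 29
NAT-T keepalive message 68375
First TCP packet not SYN 19178
Bad TCP flags 56
TCP data exceeded MSS 1880
TCP data send after FIN 6
TCP failed 3 way handshake 542523
TCP RST/FIN out of order 7249
TCP SEQ in SYN/SYNACK invalid 435
TCP SYNACK on established conn 1360
TCP packet SEQ past window 5320
TCP Out-of-Order packet buffer full 2551017
TCP Out-of-Order packet buffer timeout 337081
TCP RST/SYN in window 1582
TCP DUP and has been ACKed 18938980
TCP packet failed PAWS test 49945368
IPSEC tunnel is down 194
Slowpath security checks failed 93783
ICMP Inspect seq num not matched 1
ICMP Error Inspect different embedded conn 1
DNS Inspect invalid domain label 18
DNS Inspect packet too long 251
DNS Inspect id not matched 74739
FP L2 rule drop 13999
Interface is down 170
Dropped pending packets in a closed socket 47
Flow drop:
NAT failed 482
NAT reverse path failed 15242
Need to start IKE negotiation 96
Inspection failure 3126
SSL bad record detected 2
SSL handshake failed 6
SSL malloc error 7
"""

# Constructed second reading (not real data) in the newer format; short names are illustrative.
SAMPLE_AFTER = """Frame drop:
  TCP packet failed PAWS test (tcp-paws-fail) 49946000
  TCP DUP and has been ACKed (tcp-acked) 18939100
  TCP Out-of-Order packet buffer full (tcp-buffer-full) 2551017
Flow drop:
  NAT reverse path failed (nat-rpf-failed) 15242
"""

def parse_asp_drop(text: str) -> Counters:
    """Split the output into its Frame/Flow sections and read one counter per line."""
    sections: Counters = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name").lower()
            sections.setdefault(current, {})
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("reason")] = int(m.group("count"))
    return sections

def top_reasons(counters: Counters, n: int = 5) -> List[Tuple[str, str, int]]:
    """The n largest counters across both sections, largest first."""
    rows = [(sec, reason, cnt) for sec, d in counters.items() for reason, cnt in d.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]

def share(counters: Counters, section: str, reasons: List[str]) -> float:
    """Fraction of one section's total drops that the given reasons account for."""
    d = counters.get(section, {})
    total = sum(d.values())
    return sum(d.get(r, 0) for r in reasons) / total if total else 0.0

def delta(before: Counters, after: Counters) -> Counters:
    """Growth of each counter between two readings; a counter that went down
    (cleared in between) is reported at its new value instead of a negative number."""
    out: Counters = {}
    for sec, d in after.items():
        prev = before.get(sec, {})
        out[sec] = {r: (c - prev.get(r, 0) if c >= prev.get(r, 0) else c) for r, c in d.items()}
    return out

if __name__ == "__main__":
    before, after = parse_asp_drop(SAMPLE_BEFORE), parse_asp_drop(SAMPLE_AFTER)
    for sec, reason, cnt in top_reasons(before):
        print(f"{cnt:>10}  {sec:5}  {reason}")
    grown = {r: c for d in delta(before, after).values() for r, c in d.items() if c}
    print("grew between readings:", grown)
```

The practical use is to run `clear asp drop`, reproduce the slow download, take `show asp drop` again, and feed both readings to `delta`: a counter that stays flat during the test is not the one to chase, however large its lifetime value. For the counters that do grow, `capture <name> type asp-drop all` on the ASA records the dropped packets themselves so the flows behind them can be identified.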