Performance Issue behind ASA 5520

Similar Messages

• Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

  Recently i have installed ASA 5520 firewall, Below is the detail for my network
  ASA 5520 inside ip: 10.12.10.2/24
  Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
  Cisco Call Manager 3825 IP: 10.12.110.2/24
  The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
  the Default Gateway for Data user is 10.12.10.2/24 and
  for the voice users is 10.12.110.2/24
  now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

  Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
  ASA Version 8.2(1)
  name x.x.x.x Mobily
  interface GigabitEthernet0/0
   nameif inside
   security-level 99
   ip address 10.12.10.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address x.x.x.x 255.255.255.252
  object-group service DM_INLINE_SERVICE_1
   service-object tcp-udp
   service-object ip
   service-object icmp
   service-object udp
   service-object tcp eq ftp
   service-object tcp eq www
   service-object tcp eq https
   service-object tcp eq ssh
   service-object tcp eq telnet
  access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
  access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
  access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu mgmt 1500
  ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
  ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-641.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 Inside-Network 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 Mobily 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Mgmt-Network 255.255.255.0 mgmt
  http Inside-Network 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  telnet Inside-Network 255.255.255.0 inside
  telnet timeout 5
  ssh Inside-Network 255.255.255.255 inside
  <--- More --->              ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RA_VPN internal
  group-policy RA_VPN attributes
   dns-server value 86.51.34.17 8.8.8.8
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value RA_VPN_splitTunnelAcl
  username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
  tunnel-group RA_VPN type remote-access
  tunnel-group RA_VPN general-attributes
   address-pool VPN-Users
   default-group-policy RA_VPN
  tunnel-group RA_VPN ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
  : end

• ASA 5520 RA VPN performance

  I need to configure RA VPN in ASA 5520 for about 100 mobile users.set up is
  Mobile users----->internet cloud------->1mbps.router1---->ASA---->inside n/w-----router2.8mbps-------->MPLS cloud---->512 mbps.eight Branches
  router1, asa, router 2 are in data centre and branches are connected via mpls.
  Remote users want to access their own application, file share and mail in their respective branch network.No internet connection on branches.So all users have to come to data centre and through mpls they reache their branch network.what could be the performance and any issue?

  I would pay close attention on bandwidth more than anything else, it would all depend on what type of traffic the 100 RA mobile users will be using at any given time that be traversing a 1meg pipe, for example 1 single RA user may copy 1 gig file from corporate server or vise versa which can saturate that pipe. You would have to create some sort of baseline on all link points before RA implementation to sort of get you a picture of current link utilization to plan accordinly and worry about bandwidth performance and plan accordingly.
  Rgds
  Jorge

• Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

  I have having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
  I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads????  Anyone else seeing these problems?   If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
  I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using and inside and outside address for these tests, no other ports configured.
  Is anyone else seeing this performance problem with the 9.2.3 code?  I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
  My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached. 
  Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

  After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
  I get much better results using the Cisco 3750X attached to the FIOS  (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300).  Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My uploads speeds are ALWAYS faster then my download speeds.  Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
  I may have to live with it but the inconsistency is what really bothers me.
  Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC does to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
  Anything obviously  missing - new command or anything?   Xlates causing issues?

• What happened to PDF document 22040 – "PIX/ASA: Monitor and Troubleshoot Performance Issues"?

  Hi, does anyone knows what was happened to the following PDF notes in Cisco? The PDF file is only contains 1 page compared to the original notes in html format which is about a few pages.
  If there is alternative link for this document, please let me know. Thanks.
  Document ID: 22040
  PIX/ASA: Monitor and Troubleshoot Performance Issues
  http://www.cisco.com/image/gif/paws/22040/pixperformance.pdf <PDF Notes, but 1 page only?>
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml  < HTML Notes>

  Hi experts / marcin
  can anyone of you let me know about my question related to vpn ?
  Jayesh

• Cisco ASA 5520 (asa 8.2) hairpinning

  Hi All,
  We have a ASA 5520 (redundant) in our network which we are using for different customers. For every new customer we create a new VLAN and place their servers in this VLAN. On the ASA we create a new subinterface for every customer which is connected to the corresponding VLAN.
  Most customers get a private ip-range (e.g. 192.168.x.x/24) on which they should configure their servers. Because most customers don't need to be to access eachothers server all VLAN interfaces have the same security-level of 50. I haven't enable the "same-security-traffic permit inter-interface" option, so traffic between those interfaces is blocked, as expected.
  Some customers (e.g. customer A) need public webmail of smtp access to there servers. So we use both NAT and PAT to make that happen.
  So, recently we've got a customer (customer B) who placed their webservers behind our ASA. Because we didn't want to use NAT statements all the time, we dediced to configure a public /29 subnet on their VLAN. Because the website on this customer's servers need to be visible for everybody, we've lowered the security-level of this VLAN interface to 40 (instead of 50) and applied some ACL's. So other customers (e.g. customer A) are also able to reach the websites of customer B. So everything is just working fine.
  Now, customer A decided that they want to run their website on their own servers as well. So, I created a static PAT for TCP 80. So the website is accessible from the outside world. But.....customer B is not able to reach customer A's website on the translated address. So, I've created a second PAT (using the same public address) but this time to customer B's interface. But still, we're not able to reach customer A's website.
  I've also enabled the "same-security-traffic permit intra-interface", but still the website is unreachable to customer B.
  Here's a small drawing of the situation:
  The ip-addresses are, of course, not real.
  Can anybody place help me with this issue?

  That's a very cool command that I didn't know about.
  I see that the packet is drop at phase 7 (NAT-EXEMPT).
  Phase: 7
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: DROP
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x74455b60, priority=6, domain=nat-exempt-reverse, deny=false
          hits=61, user_data=0x744558f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
          src ip=Cust_B_LAN, mask=255.255.255.240, port=0
          dst ip=Cust_A_LAN, mask=255.255.255.0, port=0, dscp=0x0
  Result:
  input-interface: Cust_B
  input-status: up
  input-line-status: up
  output-interface: Cust_A
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  I seemed that I had a nonat rule messing the communication between these interfaces. After removing it, the traffic was flowing just fine.
  Thanks for your support.
  Ron

• ASA 5520 with multiple contexts becomes unresponsive

  Hi all. We have encountered a perculiar problem with a pair of our ASA 5520 firewalls with 2 contexts(each context being active on different ASA). What we are seeing is that sometimes when we have a sudden increase of inbound traffic(mostly HTTP) towards servers behind the firewalls they seem to go bananas for the lack of a better expression.
  They become unaccessible via ssh and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover(on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again but sometimes one of the pair needs to be rebooted to restore full funcionality.
  To us it seems like there is a problem with failover and contexts but we haven't been able to pin it down. The failover link isn't stateful and when we tested the failover it works fine both ways with each ASA taking up the full load when the other ASA of the pair is not available.
  Did anyone come across a similar situation with their firewalls?

  We are using ASA version 8.2(5).
  The configuration of the failover is:
  failover
  failover lan unit primary
  failover lan interface fail_int GigabitEthernet0/3
  failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
  failover group 1
    preempt
  failover group 2
    secondary
    preempt
  Output of the "show failover":
    This host:    Primary
    Group 1       State:          Active
                  Active time:    399409 (sec)
    Group 2       State:          Standby Ready
                  Active time:    111 (sec)
                  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                    admin Interface out (x.x.x.x): Normal (Waiting)
                    admin Interface inside (x.x.x.x): Normal (Waiting)
                    admin Interface dmz4 (x.x.x.x): Normal
                    admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                    C1 Interface out (x.x.x.x): Normal (Waiting)
                    C1 Interface inside (x.x.x.x): Normal (Waiting)
                    C1 Interface dmz5 (x.x.x.x): Normal
                    C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                  slot 1: empty
    Other host:   Secondary
    Group 1       State:          Standby Ready
                  Active time:    0 (sec)
    Group 2       State:          Active
                  Active time:    398992 (sec)
                  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                    admin Interface out (x.x.x.x): Normal (Waiting)
                    admin Interface inside (x.x.x.x): Normal (Waiting)
                    admin Interface dmz4 (x.x.x.x): Normal
                    admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                    C1 Interface out (x.x.x.x): Normal (Waiting)
                    C1 Interface inside (x.x.x.x): Normal (Waiting)
                    C1 Interface dmz5 (x.x.x.x): Normal
                    C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                  slot 1: empty
  Stateful Failover Logical Update Statistics
          Link : Unconfigured.
  When I disabled the monitored interface it was always the same interface altough I believe the same effect could be achieved with disabling any of the monitored interfaces.
  As for memory and CPU when it happens I cannot access the units to get a reading but I asume it's through the roof. 
  The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load that both firewalls would start to behave normally.
  And I see that I haven't mentioned it before but when the load drops both units continue to handle traffic normally but I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted.

• ASA 5520 Upgrade From 8.2 to 9.1

  To All Pro's Out There,
  I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
  In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
  I appreciate all the help in advance.

  Hi,
  My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
  In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
  What you can basically do is
  Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
  You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
  So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
  If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
  If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
  https://supportforums.cisco.com/docs/DOC-31116
  My personal approach when starting to convert NAT configurations for the upgrade is
  Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
  Divide NAT configurations based on type   
  Dynamic NAT/PAT
  Static NAT
  Static PAT
  NAT0
  All Policy Dynamic/Static NAT/PAT
  Learn the basic configuration format for each type of NAT configuration
  Start by converting the easiest NAT configurations   
  Dynamic NAT/PAT
  Static NAT/PAT
  Next convert the NAT0 configurations
  And finally go through the Policy NAT/PAT configurations
  Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
  The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
  One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
  For example
  static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
  In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
  Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
  So to summarize
  Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
  Learn the new NAT configuration format
  Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
  Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
  Convert the configurations manually
  Lab/test the configurations on an test ASA
  During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
  Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
  Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
  Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
  Will add more later if anything comes to mind as its getting quite late here
  Hope this helps
  - Jouni

• DHCP question on VPN to ASA 5520

  Our VPN uses the Microsoft VPN client to connect to an ASA 5520 running 8.0(3). Clients get address from our internal DHCP server. How do I get the ASA to send the client computer name in the DHCP request, rather the the group name and some number it appends to it? This is an issue for us because those entries show up as "rogue" registrations in DNS, because they don't match our naming structure.

  Make sure if the client is forwarding it's name in the DHCP messages. Parameters can't be added at ASA.

• SQL Server 2000 std Report Performance Issue

  Dear All,
  I have a VB based desktop application with back end MS SQL server 2000 database with server machine ibmx5650 with specs intel xeon 2.7GHz (24 CPU's) & 24GB RAM.
  There are two things i need help:
  Recently we have upgrade the SQL server from 2000 personal edition to the 2000 standard edition. There comes a problem with one of the Report in the application. The report took almost 30 mins previously in SQL 2000 personal edition.But after the upgrade
   to Standard edition we are unable to view report before 3 hours even sometimes it doesn't appear after several hours.
  Secondly for brief testing i have installed the personal edition on a simple PC rather then a server PC specs are corei5 & 4 GB of RAM. The same report is generated in only 15 mins from the application with this desktop machine as DB server.
  Please help me out i have gone through all SQL Server & system performance log of my server machine everything is normal but the report is taking too long & i can only generate that report from personal edition.
  Is there the difference due the higher corei5 processor in desktop machine or there is any other issue behind this.
  Your prompt response is highly appreciated.
  Regards,
  Rashid Ali

  Hello,
  SQL Server 2000 is not support since 2013. Please upgrade to SQL Server 2012 to get better performance and support.
  Thanks for your understanding and support.
  Regards,
  Fanny Liu
  Fanny Liu
  TechNet Community Support

• ASA 5520 VERSION 8.2 UPGRADE TO 9.0

  Hello friends,
  I am considering to perform an upgrade of my ASA 5520 with versión 8.2 to 9.0, so I will enjoy the benefits of anyconnect for mobile devices. I clearly understand that I must pay special attention to:
  NAT Rules.
  RAM Memory: 2 GB.
  Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
  L-ASA-AC-E-5520= ASA-AC-M-5520=
  am I missing any other thing? Flash requirement? Or to pay attention to some other configurations? 
  Any comment or documentation will be appreciated.
  Regards!

  You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current  8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
  That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
  Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)

• Performance issues in Proxy-XI-Jdbc scenario

  Hello,
  I have developed a proxy to JDBC synchronous scenario.
  My scenario works like this.
  *i run an abap program which calls a client proxy,
  the proxy fetches the data from database table and returns the data in the ABAP program.(select query)
  there are serious performance issues when we are running the report
  it is taking around 2-5 minutes and at times multiple users are logged in , it takes around 5-20 minutes.
  it seems that most of the time is consumed in the data fetching.
  please help me to find some solution so that we can fine tune the performance on the PI side.
  Are there any options on JDBC CC which can help  us in making the queries faster
  thanks
  kannu.

  Kanu16 ,
  Issue seems to be at r/3 end..
  1. Make sur ethat report program is using select query in proper fashion .
  2. avoid using nested loops.
  3.  Hope not much validations are being done on selected data .
  Abaper can help you optimizing this .
  By debugging you can find out the exact reason behind.
  Regards ,

• ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  This topic has been beat to death, but I did not see a real answer. Here is configuration:
  1) 2 x ASA 5520, running 8.2
  2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
  3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
  4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
  This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
  Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
  The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
  In any case, any experts out there that can answer question? TIA!

  Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
  Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
  Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
  Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
  Thanks much,
  Mike

• DB Performance issue

  Hi DB Gurus,
  Our application is inserting 60-70K records in a table in each transaction. When multiple sessions are open on this table user face performance issues like application response is too slow.
  Regarding this table:
  1.Size = 56424 Mbytes!
  2.Count = 188,858,094 rows!
  3.Years of data stored = 4 years
  4.Average growth = 10 million records per month, 120 million each year! (has grown 60 million since end of June 2007)
  5.Storage params = 110 extents, Initial=40960, Next=524288000, Min Extents=1, Max Extents=505
  6.There are 14 indexes on this table all of which are in use.
  7. Data is inserted through bulk insert
  8. DB: Oracle 10g
  Sheer size of this table (56G) and its rate of growth may be the culprits behind performance issue. But to ascertain that, we need to dig out more facts so that we can decide conclusively how to mail this issue.
  So my questions are:
  1. What other facts can be collected to find out the root cause of bad performance?
  2. Looking at given statistics, is there a way to resolve the performance issue - by using table partition or archiving or some other better way is there?
  We've already though of dropping some indexes but it looks difficult since they are used in reports based on this table (along with other tables)
  3. Any guess what else can be causing this issue?
  4. How many records per session can be inserted in a table? Is there any limitation?
  Thanks in advance!!

  Run STATSPACK and check what it says are the issues. Try and find the particular INSERT statement in the list of all SQL. Look at all the sections of the report, including block contention, which may show you are waiting for data blocks or index blocks, etc, or even things like latch contention too. Make sure you run it when the INSERT is happening during one of your busy periods.
  Given that you are using Oracle 10g, I assume you are using all the automatic settings now:
  o Local Tablespace Management
  o Automatic Segment Space Management
  o Automatic Undo Management
  If not, you should be. Prior to all this, Oracle always inserted into the last block in a table, which could become a bottleneck point. And space allocation of new blocks was also a problem. When these settings were introduced it alleviated most of these problems, and meant that Oracle could scale far better on such INSERT intensive workloads. If you are not using these for some reason or other, then you need to look at the number of FREELISTS you have on the table, and the setting of INITRANS.
  Also, how many columns does this table have? And how big is an average row. And what is your block size? You can get these from the data dictionary:
  select count (*) from user_tab_columns where table_name = '<tablename>' ;
  select avg_row_len from user_tables where table_name = '<tablename>' ;
  show parameter db_block_size
  Replace <tablename> with the name of your table, in uppercase.
  I ask because a very large row in a small data block will always fill the block quickly and cause new blocks to be allocated. If so, you may just have to live with this.
  And I would be suspicious about all 14 indexes being needed. Are they all single column indexes, or do you have any multi-column indexes? Do any of them share the same leading columns? Again, if you need all 14 indexes, then you must suffer the overhead of maintaining these indexes. But unless you have something like 50 columns in this table, I would guess that there is some overlap between these indexes.
  John

• Performance issue in guest access anchored in DMZ

  Hello,
  I've been having performance issue in our wifi guest network anchored in the DMZ.
  I have 3-5508 anchor controllers behind the Checkpoint gaia firewall and have 24 guest SSIDs in here.
  Right now, only 14 guest SSIDs are enabled and tunnelled out in this anchor DMZ setup, whenever I try to add few more SSIDs I run into performance issue.
  It seems to me that the problem is not about these additional SSIDs that I add because the performance issue starts to appear only when the traffic peaks or associated clients reached to certain number which is in my case 4000 users.
  The firewall serves as the NAT device and gateway for all these guest SSIDs. The cpu, memory, number of connections have been checked and verified low.
  Has anyone seen a problem like this? or has a setup like mine?
  thanks!

  Presuming you're not exceeding client count maximums on the individual WLCs I can't say I've seen anything in line with this "specific problem", but anything is possible.
  What are the specific "performance issues" the clients are experiencing?  Is it just general poor performance (slow web browsing/etc) or do you see other issues like no internet connectivity at all or something else?
  May I ask, what is the use-case behind having 24 SSIDs on your anchors?