Hello, I have a very strange problem at my company: we have two sites with two 837 routers and two ASA 5505s.
The outside interfaces of the two ASAs have two public IPs, and they are configured with an IPsec tunnel. The problem is that after two or three days of uptime, download and upload speeds drop from 4Mbit/1Mbit (actual) to 0.3Mbit/0.5Mbit. A reload does not change the situation much, whereas keeping the ASA powered off for a few minutes brings the line back to full performance. Do you have any ideas? Thanks in advance for your reply.

This is the sh ver:

Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 5.2(4)
Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"

And this is the sh run:

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.190 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa805-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any eq domain
access-list outside_in extended permit tcp any any eq ftp-data
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp host x.x.x.120 any eq 3389 log
access-list outside_in extended permit tcp 192.168.0.0 255.255.255.0 any eq 3389
access-list outside_in extended permit tcp any any range 40000 40500
access-list lantolan extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list lantolan extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0 inactive
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list lantolan
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.100.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.2.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.3 ftp netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 213.203.133.189 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNbartolini esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNbartolini 1 match address lantolan
crypto map VPNbartolini 1 set peer x.x.x.186
crypto map VPNbartolini 1 set transform-set VPNbartolini
crypto map VPNbartolini interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.cisco.com
 subject-name CN=sslvpn.cisco.com
 crl configure
crypto ca certificate chain localtrust
 certificate f6de114d
  quit
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.120 255.255.255.255 outside
ssh 192.168.150.0 255.255.255.0 outside
ssh 192.168.100.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
enable outside
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 192.168.2.3 8.8.8.8
 vpn-tunnel-protocol svc
 address-pools value SSLClientPool
username vpnuser password M87GmyXUOxAeiuI5 encrypted
username vpnuser attributes
 service-type remote-access
username cisco password eGsW4UoBfwxpXum1 encrypted
tunnel-group x.x.x.186 type ipsec-l2l
tunnel-group x.x.x.186 ipsec-attributes
 pre-shared-key *
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:edbb672cf623e21592df6596622ef91a
: end
