Abundant internet speed causing packet loss / loss of connection

Hey Everyone,

So I'll be the first to admit I suck when it comes to networking; however, we seem to keep having issues and I am wondering if it could be something simple.

Right now we are using a Cisco ASA 5505 box for security in our remote locations. This is a 10/100 connection; the base speed of internet in the area is now a minimum of 200 Mbps. Could the ASA box receiving a faster connection than it can support cause packet loss and temporary loss of connection?

No, it will just not be able to throughput all the speed.


Can you swap it out with pfSense or something?

That ASA is based on a 15 year old low power x86 CPU, and it’s not like Cisco cares to support it either.


Thank you guys,

That's what I was thinking, but I wanted to play it safe and ask. I plan to petition our IT department to upgrade them; the only downside will be budget, lol.

We are a medical lab, so HIPAA is a big factor; not sure of a good alternative to offer. Most of our tech is way behind the times.

I'm thinking of asking our IT team to update to the ASA 5506-X.

I guess it is possible that the router is causing the loss, but it isn't because of the speed. Check your cabling too. Could also be a bad switch.

Not sure why HIPAA would care about the router/firewall. It doesn't need to, nor should it, mediate/facilitate any access to patient data. … On the other hand, whatever policies you have put in place that reference your firewall setup might have something to do with it, but they don't need to change.

Yes, that box is quite old and will not keep up with a 200 megabit connection. I doubt it will even keep up with 100 megabit of firewall throughput, depending on what level of inspection, routing, etc. it is doing. And most importantly, how many concurrent connections it is trying to process.

The symptoms you mention are a classic case of a router/firewall running out of CPU, and 200 megabit is definitely beyond the rate spec of that device.

Just because a router or firewall has 100 megabit (or faster) interfaces on it, it doesn't mean it can keep up with routing or firewalling with packet inspection going on at line rate. The box needs a fast enough CPU in it to do those things, and the 5505 just doesn't.

I’ve seen the exact same symptoms from doing things like upgrading Cisco 887 ADSL/VDSL routers to 100 megabit VDSL2 connections. The modem in them can do VDSL2, but the CPU in the box can’t keep up if you throw too many high speed connections at it (they’re only rated at 25 megabit, IIRC), and basically it works for a bit, connections back up, it shits the bed and stops doing IP for a bit and drops packets until it processes its queue, which then fills up again and repeats the process…

Classic test case is to fire up a torrent or other P2P downloader behind it (obviously the connections would need to be permitted out for this); the large number of connections at high speed will kill a router/firewall device that is short of CPU pretty quick.

The 5505 is also well out of support, IIRC, and I’m pretty sure there are known flaws for the last version of the ASA software it supports. So you definitely have two pretty solid business cases for replacing it.

This would be the drop-in replacement, 5506-X series are rated at 300 megabit (from memory - check the spec sheet) and will do the job.

You’ll get better bang for buck out of something like pfSense, however. But definitely, the 5506 will be the path of least resistance/easiest swap.

You may even be able to back up the 5505 and restore the config to the 5506-X, but I haven’t tried that.

You are basing that thinking on what?

The max rated IPsec throughput for the 5505 is 100 megabit.
The max rated inspection (non-IPsec) throughput for the 5505 is 150 megabit.

as per:

There are also fairly low maximum connection count limits which you may possibly be exceeding if you now have a high speed link and usage patterns behind it have changed.

In any case, the box is running known compromised firmware and likely no longer doing a proper job of being a firewall. It needs replacement… :)
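A toy model of what the two posts above describe (a CPU-bound box dropping packets once the offered load exceeds what it can inspect, and a small connection table refusing new flows in bursts once usage patterns change). This is an added example for this thread, not Cisco code, and it does not measure a real ASA; every capacity, queue depth and connection count below is a constructed number for illustration, not a 5505 data-sheet figure.

```python
"""Toy model of a CPU-bound firewall behind a link that is faster than
the box can inspect. Added illustration for this thread; all numbers are
constructed, not measured on any Cisco device.
"""
from collections import deque


def simulate_forwarding(offered_pps, capacity_pps, queue_depth, ticks):
    """Feed `offered_pps` packets per tick into a box whose CPU can inspect
    `capacity_pps` per tick and that buffers at most `queue_depth` packets.

    The interface is assumed fast enough to deliver the offered load; the
    bottleneck modelled here is the CPU, not the NIC. Once the buffer is
    full, every tick tail-drops (offered - capacity) packets, so a link
    that is merely faster than the CPU produces steady loss, not just a
    lower top speed.
    """
    backlog = 0
    forwarded = dropped = 0
    first_drop = None
    for t in range(ticks):
        room = queue_depth - backlog
        accepted = min(offered_pps, room)      # tail-drop what does not fit
        lost = offered_pps - accepted
        if lost and first_drop is None:
            first_drop = t
        backlog += accepted
        served = min(backlog, capacity_pps)    # CPU works off the queue
        backlog -= served
        forwarded += served
        dropped += lost
    offered_total = offered_pps * ticks
    return {
        "forwarded": forwarded,
        "dropped": dropped,
        "backlog": backlog,
        "loss_pct": round(100.0 * dropped / offered_total, 1),
        "first_drop_tick": first_drop,
    }


def simulate_conn_table(new_per_tick, lifetime, max_conns, ticks):
    """State table with `max_conns` entries; each accepted flow stays for
    `lifetime` ticks. New flows are refused while the table is full, which
    a user experiences as 'the connection drops for a bit, then comes back'
    rather than as a lower speed: refusals come in bursts, then clear as a
    batch of old flows ages out, then return.
    """
    table = deque()            # expiry ticks of live entries, oldest first
    accepted = refused = 0
    refused_ticks = []
    for t in range(ticks):
        while table and table[0] <= t:   # age out finished flows
            table.popleft()
        refused_now = 0
        for _ in range(new_per_tick):
            if len(table) < max_conns:
                table.append(t + lifetime)
                accepted += 1
            else:
                refused_now += 1
        refused += refused_now
        if refused_now:
            refused_ticks.append(t)
    return {"accepted": accepted, "refused": refused,
            "refused_ticks": refused_ticks}


if __name__ == "__main__":
    # Constructed numbers: CPU inspects 60 pkts/tick, 400-packet buffer.
    print("below capacity:", simulate_forwarding(50, 60, 400, 20))
    print("above capacity:", simulate_forwarding(100, 60, 400, 20))
    # Constructed numbers: 10 new flows/tick, 8-tick lifetime, 50-entry table.
    print("conn table:", simulate_conn_table(10, 8, 50, 16))
```

The forwarding run above capacity shows the shape from the 887 anecdote: no loss for the first few ticks while the buffer absorbs the excess, then loss every tick once it is full, with a large standing backlog (latency) on top. The connection-table run shows refusals in bursts (ticks 5 to 7, then 13 to 15) even though the average arrival rate is constant, which is why a faster link with more concurrent flows behind it can look like an intermittent outage rather than a slow one. To relate this to a real link, remember that a megabit figure is only a packet rate once you pick an average packet size; small packets (VoIP, DNS, TCP ACKs) cost the CPU as much as large ones.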

Thank you so much for this,

I am not 100% on why we use a physical firewall device. As I mentioned in the original post, networking is definitely not something I'm good at. I am assuming it's in part just how our systems were developed (our lab is a little unique, and all of our systems, both hardware- and software-wise, were configured/developed by our IT department, since at the time nothing existed to be purchased). Our phone system and computer systems for each workstation are routed through individual 5505s in our remote locations, then they are routed through our main firewall/servers in 2 physical locations.

I hope that provides some additional information to try and help. I was thinking the direct swap-in option would be the best route, only because it will be less of a “hassle” on company resources.

Sounds like you’re linking sites together with VPN over the internet, so those ASAs will be doing IPsec and limited to 100 megabit, if that.

I agree; in your situation, replacing all the 5505s with 5506-Xs is probably the easiest way to go. You’re basically replacing it with the same device with an updated spec and warranty/support.

Thanks very much. Now, if the 5506-Xs get through, I can focus on getting them to update the systems; i3s with standard HDDs and only 8 gigs of RAM are not near enough for all the programs we have to run at once.

Standard disclaimer: I’d suggest maybe talking to a Cisco vendor to ensure that the 5506-X will indeed cover your requirements. I think they’re good for 300 megabit of encrypted throughput off the top of my head, but you may have other requirements in your environment…

Lol, yeah, I reached out to Cisco to verify what was the best alternative. The 5506-Xs have the following info:

Maximum AVC and NGIPS throughput : 125 Mbps
Cisco Cloud Web Security users: 275
Operating Acoustic Noise: Fanless 0 dBA
Maximum application visibility and control (AVC) throughput: 250 Mbps
Maximum 3DES/AES VPN throughput: 100 Mbps
Maximum site-to-site and IPsec IKEv1 client VPN user sessions: 10 / 50

Hmm interesting. I thought they were faster than that.

You’ll need something bigger to get full speed on your links it seems.

Yes, it is definitely not ideal. One other issue I have with it is how they have us do the config. They have us going from modem to ASA to local router, which means our local networks can only access what the ASA is capable of outputting, which is not what we are having to pay for, lol.

I am almost tempted to try modem to local router to ASA and see if I can still get the secure VPN connection through the ASA.