BugZero | Cisco BugID CSCwe77123 - ASA/FTD : Degradation for TCP tput on FPR2100 via ...

Cisco - Defect ID: CSCwe77123

ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers

Cisco - Defect ID: CSCwe77123

ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers

Last updated on 12/18/2024

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 7.87.8

Severity: 8.28.2

Lifecycle: 9.19.1

Popularity: 5.15.1

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

1) Degradation for TCP throughput via IPSEC VPN when there is delay between peers after ASA upgrade ++ Iperf3 test: 9.8(4)44: o Without delay: [ID] Interval Transfer Bitrate Retr [5] 0.00-10.00 sec 410 MBytes 344 Mbits/sec 497 sender [5] 0.00-10.04 sec 409 MBytes 342 Mbits/sec receiver o With delay: [ID] Interval Transfer Bitrate Retr [5] 0.00-10.00 sec 404 MBytes 339 Mbits/sec 618 sender [5] 0.00-10.04 sec 403 MBytes 336 Mbits/sec receiver 9.12(4)38: o Without delay: [ID] Interval Transfer Bitrate Retr [5] 0.00-10.00 sec 283 MBytes 238 Mbits/sec 40 sender [5] 0.00-10.00 sec 282 MBytes 237 Mbits/sec receiver o With delay: [ID] Interval Transfer Bitrate Retr [5] 0.00-10.00 sec 158 MBytes 132 Mbits/sec 67 sender [5] 0.00-10.03 sec 155 MBytes 129 Mbits/sec receiver 2) Only Single flow TCP download/upload is impacted. 3) Test over UDP/ICMP is not impacted

Conditions

FPR2100 installed with ASA version above 9.9(1)4 ++ 9.8(4)44 is not impacted ++ Anything above 9.9.2 is impacted

Workaround

1) Use of "asp load-balance per-packet" ref : https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ar-az-commands.html?bookSearch=true#wp3706713937 2)Reduce delay/latency for the VPN traffic between FPR2100 and it's peer.

Further Problem Description

None

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCwe77123

ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers

Cisco - Defect ID: CSCwe77123

ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers

Last updated on 12/18/2024

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?