Slow traffic from inside to DMZ

Unanswered Question
Mar 28th, 2007

I'm having traffic performance issues on a PIX 515e, where traffic from inside to DMZ is considerably slower than traffic from DMZ to inside. Currently there is no filtering between the two interfaces (both set at 100). The only errors I could see were collisions, late collisions and deferred on the inside interface (e1). ...any thoughts?

abinjola Wed, 03/28/2007 - 11:17

are you running code 7.x ?

can you try changing the speed to Auto

Also collisions suggest some sort of carrier disorder, can you change the cable and eliminate any L1/L2 issues

boondocker Wed, 03/28/2007 - 11:49

thanks ...I changed the speed from auto to 100/full and now the collisions are gone. I'm still having performance issues, when I copy a file from the dmz to the inside it takes 2 seconds, when copying the same file from the inside to the dmz it takes about 45 seconds (?) ...any more thoughts? ...also, I'm version 7.0

David White Wed, 03/28/2007 - 12:18

If you hardcode the interface on one side, then you MUST also hardcode it on the peer side. Speed can be sensed, but duplex must be negotiated.

The reason your collisions went away is that there are no collisions in a full-duplex environment. However, if you did not hardcode the peer to 100/full as well, then it will be doing half-duplex and you will have a duplex mismatch.

Setting both sides to 'auto' is typically your best bet, or you can hardcode BOTH sides to the same speed/duplex.

With the duplex issue resolved, if you are still seeing different rates of transfer I think the best thing to look at is both the syslogs as well as packet captures on both interfaces to see where the delay is coming from.

Sincerely,

David.
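Added example, not part of the thread: a sketch of the duplex-mismatch check described in the post above, run over interface counters from both ends of one link. The counter text is constructed for illustration and only loosely follows `show interface` output; its layout and the names `PIX_END`, `PEER_END`, `parse_interface` and `diagnose_link` are assumptions.

```python
import re

# Constructed sample text (not captured from a device): one end hardcoded to
# 100/full, the peer left on auto and fallen back to half duplex.
PIX_END = """\
Interface Ethernet1 "inside", is up, line protocol is up
  Full-duplex, 100 Mbps
  90412 packets input, 655 input errors, 640 CRC, 15 frame
  88120 packets output, 0 output errors, 0 collisions
  0 late collisions, 0 deferred
"""
PEER_END = """\
Port Fa0/1, connected
  Auto-duplex (Half-duplex), Auto-speed (100 Mbps)
  88120 packets input, 0 input errors, 0 CRC, 0 frame
  90412 packets output, 0 output errors, 913 collisions
  212 late collisions, 1507 deferred
"""

COUNTERS = ("input errors", "CRC", "collisions", "late collisions", "deferred")

def parse_interface(text):
    """Extract the operating duplex and the error counters from counter text."""
    m = re.search(r"(full|half)-duplex", text, re.IGNORECASE)
    stats = {"duplex": m.group(1).lower() if m else None}
    for name in COUNTERS:
        # The number must sit directly before the counter name, so
        # "212 late collisions" is never read as the "collisions" counter.
        m = re.search(r"(\d+) " + re.escape(name), text)
        stats[name] = int(m.group(1)) if m else 0
    return stats

def diagnose_link(a, b):
    """Return findings for the two ends (a, b) of a single link."""
    findings = []
    if a["duplex"] and b["duplex"] and a["duplex"] != b["duplex"]:
        findings.append("duplex-mismatch")
    for end in (a, b):
        # The half-duplex end sees the peer transmit while it is sending.
        if end["duplex"] == "half" and end["late collisions"] > 0:
            findings.append("late-collisions-on-half-side")
        # The full-duplex end never counts collisions; it receives the
        # frames the peer aborted and logs them as CRC errors.
        if end["duplex"] == "full" and end["CRC"] > 0 and end["collisions"] == 0:
            findings.append("crc-errors-on-full-side")
    return findings

if __name__ == "__main__":
    print(diagnose_link(parse_interface(PIX_END), parse_interface(PEER_END)))
```

Counters are cumulative, so clear them on both ends before the test transfer and read them again afterwards.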

abinjola Wed, 03/28/2007 - 13:03

well I don't agree with David, as setting hard speed on both sides does not yield best results (seen most of the times with Cat 6k and Pix)

so better set them to auto..

As far as the latency is concerned, can you tell me what kind of file transfer this is?

do you have any policy set for that specific traffic in question...

also clear the asp drop and then while doing the transfer post the output of sh asp drop

boondocker Wed, 03/28/2007 - 13:26

I'm copying a 6meg. file from a computer on the dmz to a computer on the inside and through mapped drives doing the opposite. I have the dmz and inside interface security levels set to 100 with no policies. Output of asp drop:

flow is denied by access rule 371

TCP RST/FIN out of order 1

TCP DUP and has been ACKed 68

FP L2 rule drop 4

Intercept unexpected packet 1

David White Wed, 03/28/2007 - 15:43

> well I don't agree with David, as setting hard
> speed on both sides does not yield best results

Sorry, I did not mean to imply that. Hardcoding the speed/duplex on both adjacent endpoints should yield the same exact results as setting both endpoints to 'auto'. If it does not, then it would be a bug. And yes, in the past there have been corner-case bugs in both categories (hard-coding, and setting to auto). But those are typically well behind us in the past.

David.
