Slow Windows file copies and ftp

Unanswered Question
May 14th, 2007
User Badges:

We have a pair of redundant 515e firewalls. A couple months ago users started complaining of slow performace between network segments. The common denominator seems to be segments seperated by the PIX's. We also discovered if we try to FTP files from the inside interface to anything on the outside interface (dmz or on the Internet), the speed drops to about 12 KB/s. No matter what we FTP to on the outside, we never get above 12 or 13 KB/s. I noticed similar performance when we try to do a Windows file copy from a workstation on the inside interface to a Windows box on the outside interface.

I read a few posts on various forums, and subsequently changed the ports from auto to 100/full on the PIX's and the switch. That did not help.

I upgraded the firewalls to 7.2.1 in January, but can't remember from what. It was 6.something, but I don't remember exactly what. Complaints started coming in around March, so it might be unrelated. I upgraded the PIX to 7.2.2 this weekend, but that did not change the behavior.

Any suggestions?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dbouthillier Tue, 05/15/2007 - 07:46
User Badges:

Thanks for helping. Here is the config on the PIX. I attached it, because I didn't want to cut anything out that might be helpful.


travis.wright Tue, 05/15/2007 - 09:32
User Badges:

When you say that you are transferring a file from the inside to the outside and it is slow,.. what exactly is on the outside? Are you uploading a file to a known host on the public internet or a private host that is 1 hop away from the outside interface?

dbouthillier Tue, 05/15/2007 - 09:38
User Badges:

Both. I test to a FTP server in our DMZ (between the pix and our Internet router), and a public FTP server at my home. The transfer speeds are the same. I can't do Windows file copies to the box at home, but Windows file copies display similar speeds to our DMZ FTP server. The DMZ ftp server is connected to a the same CISCO switch that the PIX is connected to.

The ports for the PIX and the FTP server are forced to 100/Full and show no errors.

Again thanks,


hoogen_82 Mon, 05/14/2007 - 23:22
User Badges:
  • Silver, 250 points or more

Try a ping test, ping your other side ip address from your PC/Host using the option ping -l 1500 -f

You should see something like "Packet needs to be Fragmented but DF set"

Try lowering the size of the packet from 1500 to 1400 and then slowly check when your Host ping. Once you start getting the replies give the command sysopt connection tcpmss

Then check on your speed again.



dbouthillier Tue, 05/15/2007 - 07:39
User Badges:

Thanks Hoogen. I tried that, but it did not seem to help the problem. FTP to our DMZ server on the outside interface is still between 12 and 15 KB/s.

cpembleton Tue, 05/15/2007 - 10:57
User Badges:
  • Silver, 250 points or more

Did you check for Interface errors on the inside interface and the switchport it is connected to?

sh interface "interface"



dbouthillier Tue, 05/15/2007 - 13:04
User Badges:

Yes I did. There are not errors on any of the interfaces or associated switch ports.

dbellaze Tue, 05/15/2007 - 15:44
User Badges:
  • Bronze, 100 points or more

Does a sniffer capture reveal any obvious performance issues? Retransmissions etc?



This Discussion