Latency caused by Firewall

Unanswered Question
Jul 16th, 2007


Installing two PIX-515E Firewalls (Failover Pair) on a customer site. The outside interface connects directly with a 10MBps link to the internet. When I am measuring throughput however, I am only getting an average of 2.5MBps download speed. When I remove the firewalls completely and connect a laptop directly to the same 10MBps internet line, I am getting average download speeds of 7MBps.

What sort of latency should I be expecting with the PIX-515E firewalls? There are no VPNs being used at present, so I am unable to explain the big difference in throughput.

There is no QoS configured.

The Software version is 7.2(2)

I have powered off the Standby PIX just in case it was something to do with it - but it made no difference.

Any ideas?

hburgos Mon, 07/16/2007 - 08:40

Wow that's a huge difference. Verify that the PIX's interfaces and the far-end switch/hub/device are both set to 100/full.


gglynn001 Tue, 07/17/2007 - 01:33


All interfaces set to 100Full.

It was the Global Service-Policy that comes as default with version 7.X

As soon as I turned it off

no service-policy global_policy global

Download and Upload speeds went up to averages of between 7MB and 8MB

Run the command "show asp drop" several times from the command line, and look to see if the out-of-order packet buffer full counter is rapidly climbing. If so, you are running into a limitation of the 7.X operating system (especially with the PIX). If you had an ASA, you could implement the workaround, but the PIX doesn't have the ability to implement the workaround.

** Please rate ***
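The check suggested in the last reply (run "show asp drop" several times and see whether the out-of-order buffer counter is climbing) can be done by diffing two saved captures; this is an added example, not part of the original thread. It assumes each counter line has the layout `description (short-name) count`, and the two captures embedded below are constructed sample data.

```python
import re

# One counter per line: free-text description, (short-name), running total.
COUNTER_RE = re.compile(
    r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {short-name: (description, count)} for one captured output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:  # section headers such as "Frame drop:" do not match
            counters[m["name"]] = (m["desc"], int(m["count"]))
    return counters

def climbing(before, after, seconds, min_rate=1.0):
    """Counters whose per-second increase between two captures is >= min_rate."""
    old, new = parse_asp_drop(before), parse_asp_drop(after)
    rates = []
    for name, (desc, count) in new.items():
        delta = count - old.get(name, ("", 0))[1]
        if delta < 0:  # counters were cleared or the unit reloaded in between
            delta = count
        rate = delta / seconds
        if rate >= min_rate:
            rates.append((name, desc, delta, rate))
    return sorted(rates, key=lambda r: r[3], reverse=True)

# Constructed sample captures taken 10 seconds apart (not from the thread).
SNAPSHOT_1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                 120
  TCP Out-of-Order packet buffer full (tcp-buffer-full)       4310
"""
SNAPSHOT_2 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                 123
  TCP Out-of-Order packet buffer full (tcp-buffer-full)       9870
"""

if __name__ == "__main__":
    for name, desc, delta, rate in climbing(SNAPSHOT_1, SNAPSHOT_2, 10):
        print(f"{name:20} +{delta:<8} {rate:8.1f}/s  {desc}")
```
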



