Latency caused by Firewall

gglynn001 · ‎07-16-2007

Hi,

Installing two PIX-515E Firewalls (Failover Pair) on a customer site. The outside interface connects directly with a 10MBps link to the internet. When I am measuring throughput however, I am only getting an average of 2.5MBps download speed. When I remove the firewalls completely and connect a laptop directly to the same 10MBps internet line, I am getting average download speeds of 7MBps.

What sort of latency should I be expecting with the PIX-515E firewalls. There are no VPNs being used at present,so I am unable to explain the big difference in throughput

There is no QoS configured.

The Software version is 7.2(2)

I have powered off the Standby PIX just in case it was something to do with it - but it made no difference

Any ideas ?

hburgos · ‎07-16-2007

Wow that's a huge difference. Verify that the PIX's interfaces and the far-end switch/hub/device are both set to 100/full.

Hank

gglynn001 · ‎07-17-2007

Hi,

All interfaces set to 100Full.

It was the Global Service-Policy that comes as default with version 7.X

As soon as I turned it off

no service-policy global_policy global

Download and Upload speeds went up to averages of between 7MB and 8MB

srue · ‎07-17-2007

how much memory in the pix?

jwalker · ‎07-17-2007

Run the command "show asp drop" several times from the command line, and look to see if the out-of-order packet buffer full counter is rapidly climbing. If so, you are running into a limitation of the 7.X operating system (especially with the PIX). If you had an ASA, you could implement the workaround, but the PIX doesn't have the ability to implement the workaround.

** Please rate ***

Cheers.

Jay