PIX 515E Speed problems

Sep 29th, 2008

Hello all


We have recently upgraded our Internet capacity to 100/100 from 10/10.


Problem is that we only get 50Mbit upload, 10-13 Mbit download.


I got those results having the PC behind the pix. I also moved the laptop outside the firewall and got 80/80 Mbit.


The PIX interfaces are at 100FULL with no collisions / errors at all.


The inside interface is connected to a Cisco 3560, no collisions there and that interface is at 100Full too.


The switch on the "outside" is our ISP.

That's the switch I connected my laptop into and got 80/80.


I'm gonna try and switch port in the ISP switch and change cable when I do my next planned night work. But does anyone else have any good ideas on what could be capping the speed in the PIX otherwise?


MTU 1500


I've also checked the LEDs on the ISP switch and they indicate all ports @ 100Full.


Thank you

suschoud Mon, 09/29/2008 - 06:32

If you are using an internet website for testing speed, I would say they are not so reliable when behind the PIX/ASA.

You should use your ISP's FTP server for testing the upload / download when behind the PIX and when bypassing it. It would give you a fair idea what the REAL speed is.

I can tell you many people use the online tests and they never get true results when being behind a firewall.

If you want to confirm, take captures on the ingress and egress interfaces of the firewall and check the timestamps corresponding to the packets... you would not see any latency introduced by the firewall.




Regards,

Sushil

Matthew Warrick Mon, 09/29/2008 - 08:38

I have also done extensive speed tests with 515Es and they always report very poorly for me as well. Not really sure the reason for this but I finally replaced mine with a router running NAT. Performance increased after 6.3(5) to 7.0(8) upgrade but still doesn't approach my 3620 router in terms of the test results.

suschoud Mon, 09/29/2008 - 08:49

Please try a speed test that does not include an online HTTP speed test system. The problems with these are:

- They use a small amount of traffic to interpolate the throughput.

- It is using HTTP, which the PIX must inspect, and if those packets are out of order they might be dropped.

Also, there is no way to mitigate the drop problem due to the out of order packets, short of disabling the http fixup.


So, please do the following:


1) Determine if your ISP has a speed test system that uses a protocol like FTP

2) Determine if your ISP has a speed test system that has a download of a larger length

3) Put a PC on the outside of the PIX and do an FTP transfer to that PC directly outside the PIX. This will help to determine if the PIX is causing the slowdown.




Regards,

Sushil
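
Added example, not part of the original thread: one way to do the capture comparison suggested in the replies above, by matching each packet seen on the outside interface against the inside capture to measure per-packet delay and list packets that arrived out of order or never came out. The record format, the sample values and the function names are constructed for illustration, and it assumes the firewall leaves the IP ID unchanged.

```python
from statistics import mean

# Constructed sample data, one packet per line for a single TCP download:
# "epoch_seconds ip_id relative_tcp_seq payload_len".
# Assumption: the firewall does not rewrite the IP ID, so (ip_id, relative seq)
# identifies the same packet in both captures.
OUTSIDE_CAPTURE = """\
10.000000 4001 1 1460
10.000120 4002 1461 1460
10.000240 4004 4381 1460
10.000360 4003 2921 1460
10.000480 4005 5841 1460
"""
INSIDE_CAPTURE = """\
10.000150 4001 1 1460
10.000275 4002 1461 1460
10.000640 4005 5841 1460
"""

def parse(text):
    """Return (timestamp, ip_id, seq, length) tuples in capture order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip_id, seq, length = line.split()
            rows.append((float(ts), int(ip_id), int(seq), int(length)))
    return rows

def compare_captures(ingress_text, egress_text):
    """Match packets entering the firewall against packets leaving it."""
    egress_time = {(ip_id, seq): ts for ts, ip_id, seq, _ in parse(egress_text)}
    delays, dropped, out_of_order = [], [], []
    highest_seq = -1
    for ts, ip_id, seq, _ in parse(ingress_text):
        if seq < highest_seq:            # arrived after a later segment
            out_of_order.append(seq)
        highest_seq = max(highest_seq, seq)
        if (ip_id, seq) in egress_time:  # forwarded: record transit time
            delays.append(egress_time[(ip_id, seq)] - ts)
        else:                            # never seen on the far side
            dropped.append(seq)
    return {
        "mean_delay_us": round(mean(delays) * 1e6) if delays else None,
        "max_delay_us": round(max(delays) * 1e6) if delays else None,
        "out_of_order": out_of_order,
        "dropped": dropped,
    }

if __name__ == "__main__":
    for name, value in compare_captures(OUTSIDE_CAPTURE, INSIDE_CAPTURE).items():
        print(f"{name}: {value}")
```

A low transit delay together with a non-empty dropped list points at packets being discarded rather than delayed; both captures need synchronized clocks for the delay figures to mean anything.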


azore2007 Mon, 09/29/2008 - 13:46

Thanks for all the replies.


I've done some download testing and only got the speed to max at 500-600 kB/s.


Going to try some FTP/torrent action tomorrow and having the PC outside the PIX.
