High amount of traffic on PIX

Unanswered Question
Oct 19th, 2008

I recently installed a new network interface on a PIX-515E and placed a Citrix server on this new interface (it is configured as DMZ).

Since the move, the application has shown a high delay when loading, and then works normally.

After some troubleshooting, I found that when the user opens a page in Citrix, the database that is kept in the inside zone uploads data to the Citrix server in the DMZ at a rate of 70 to 90 Mbps.

I replaced the PIX with an ASA (100 Mbps interfaces) and had the same result: during the upload period, it's slow.

Can anyone advise how such a problem could be solved?

Would placing 1GB interfaces (by upgrading to SEC PLUS) on the ASA's inside and DMZ zones solve the delay?

abinjola Sun, 10/19/2008 - 22:26

What's the show conn count and show xlate count at that time?

Show interface: are there any errors on the interface?

What version are you running?

jorjes1984 Mon, 10/20/2008 - 13:28

All requested info has already been gathered:

Interface Ethernet0/0 "inside", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Auto-Duplex(Full-duplex), 100 Mbps(100 Mbps)

MAC address 001b.0c38.d240, MTU 1360

IP address 10.101.1.200, subnet mask 255.255.255.0

237071 packets input, 128292982 bytes, 210 no buffer

Received 2110 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

419774 packets output, 39542412 bytes, 140 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (0/27) software (0/0)

output queue (curr/max packets): hardware (0/255) software (0/0)

Traffic Statistics for "inside":

237040 packets input, 123477715 bytes

419914 packets output, 30148136 bytes

3005 packets dropped

1 minute input rate 108 pkts/sec, 6768 bytes/sec

1 minute output rate 255 pkts/sec, 11247 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 112 pkts/sec, 12140 bytes/sec

5 minute output rate 387 pkts/sec, 16755 bytes/sec

5 minute drop rate, 0 pkts/sec

pix# show int ethernet 0/0 1

Interface Ethernet0/1 "dmz", is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

MAC address 001b.0c38.d241, MTU 1360

IP address 192.168.101.200, subnet mask 255.255.255.0

106560 packets input, 14916301 bytes, 0 no buffer

Received 96 broadcasts, 0 runts, 0 giants

0 input errors, 187 CRC, 0 frame, 0 overrun, 187 ignored, 0 abort

0 L2 decode drops

140881 packets output, 120932768 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (1/25) software (0/0)

output queue (curr/max packets): hardware (0/17) software (0/0)

Traffic Statistics for "dmz":

106518 packets input, 12670912 bytes

140881 packets output, 118382448 bytes

72 packets dropped

1 minute input rate 6 pkts/sec, 722 bytes/sec

1 minute output rate 8 pkts/sec, 1879 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 10 pkts/sec, 1059 bytes/sec

5 minute output rate 12 pkts/sec, 7929 bytes/sec

5 minute drop rate, 0 pkts/sec

pix# show int ethernet 0/1

Interface Ethernet0/2 "outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)

MAC address 001b.0c38.d242, MTU 1500

IP address x.x.x.x subnet mask 255.255.255.248

10802 packets input, 7792101 bytes, 0 no buffer

Received 76 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

10365 packets output, 3044146 bytes, 0 underruns

0 output errors, 2 collisions, 0 interface resets

0 babbles, 0 late collisions, 28 deferred

0 lost carrier, 0 no carrier

input queue (curr/max packets): hardware (1/25) software (0/0)

output queue (curr/max packets): hardware (0/50) software (0/0)

Traffic Statistics for "outside":

10802 packets input, 7590644 bytes

10365 packets output, 2836525 bytes

287 packets dropped

1 minute input rate 1 pkts/sec, 243 bytes/sec

1 minute output rate 1 pkts/sec, 241 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 197 bytes/sec

5 minute output rate 0 pkts/sec, 101 bytes/sec

5 minute drop rate, 0 pkts/sec

abinjola Tue, 10/21/2008 - 07:17

You have lots of interface errors, which could be responsible for the latency/delay.
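The check suggested in this reply can be run mechanically over the posted `show interface` text. The following is an added example, not part of the original thread: it lists every non-zero error counter per interface and flags a half-duplex negotiation. The `SAMPLE` text is a constructed excerpt of the output posted above, and the function name `audit` is hypothetical.

```python
import re

# Constructed excerpt of the "show interface" output posted in this thread.
SAMPLE = """\
Interface Ethernet0/0 "inside", is up, line protocol is up
Auto-Duplex(Full-duplex), 100 Mbps(100 Mbps)
237071 packets input, 128292982 bytes, 210 no buffer
419774 packets output, 39542412 bytes, 140 underruns
Interface Ethernet0/1 "dmz", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
0 input errors, 187 CRC, 0 frame, 0 overrun, 187 ignored, 0 abort
Interface Ethernet0/2 "outside", is up, line protocol is up
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
0 output errors, 2 collisions, 0 interface resets
0 babbles, 0 late collisions, 28 deferred
"""

# Counters that should stay at zero on a healthy full-duplex link.
COUNTERS = {"no buffer", "input errors", "CRC", "frame", "overrun", "ignored",
            "underruns", "output errors", "collisions", "late collisions",
            "deferred", "interface resets"}
HEADER = re.compile(r'^Interface (\S+) "([^"]+)"')
DUPLEX = re.compile(r'\((Half|Full)-duplex\)')  # negotiated state is in parentheses
FIELD = re.compile(r'^(\d+) (.+)$')             # e.g. "187 CRC"

def audit(text):
    """Return {nameif: {finding: value}} for each interface in the output."""
    report, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = report.setdefault(m.group(2), {})
            continue
        if current is None:
            continue
        d = DUPLEX.search(line)
        if d and d.group(1) == "Half":
            current["half-duplex"] = True
        for piece in line.split(","):
            f = FIELD.match(piece.strip())
            if f and f.group(2) in COUNTERS and int(f.group(1)) > 0:
                current[f.group(2)] = int(f.group(1))
    return report

if __name__ == "__main__":
    for nameif, findings in audit(SAMPLE).items():
        print(nameif, findings)
```
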

jorjes1984 Fri, 10/24/2008 - 22:53

Hello,

Well, I went to the client yesterday and did the following test:

Upgraded an ASA to the Sec Plus license, so I had 2 giga interfaces on ethernet 0 and ethernet 1.

I plugged these 2 interfaces into giga interfaces of a Cisco switch.

So the inside and DMZ interfaces of the ASA are now operational at 1 GB bandwidth, and still the same problem: the Citrix/Scala application sometimes opens fast (1-2 seconds), as it should, and sometimes, directly after the fast one, the same page takes about 10-15 seconds to open.

The number of connections on the ASA was around 90 at the time of the testing.

The CPU is low.

Ping from DMZ to inside (and the opposite) is always < 1 ms.
