ACE Slowness

Unanswered Question
Feb 16th, 2010
User Badges:

I have ACE 4710 which is connected at the center of the network and ACE connected to the LAN and outside connected to the Firewall where my DMZ is connected.

Whatever traffic is passing from inside to DMZ it is getting slow. When I pass the ACE things are started working fine.

My ACE is only redirecting the port 80 traffic towards the proxy server. I have bypass the Application Server located in DMZ ( subbet) and inside Subnet from redirection.

But when application server connected in DMZ ( talks with SQL server and subnet it get stuck and taking too much time to fetch the data. But when directly connected it is working fine.

I have no access-list in ACE, only load balancing and redirection of port 80 is configured in the ACE.

I have checked the FTP setup, directly connected with Firewall FTP is excellent but when i introduce the ACE it is taking same slowness and very very low throughput.

Attached is configuration of the ACE. I have checked teh switching part of the network it is fine and firewall part also because only when ACE is coming in network I am facing slowness.

ACE has default route towards Firewall and static route towards teh core switch connected to the internal network.

Please let me know where i am missing and how to avoid this slowness. I m complete network from internal sever to dmz server are gigabit ethernet.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 02/17/2010 - 00:40
User Badges:
  • Cisco Employee,

The only way to troubleshoot a problem of slow traffic is to capture the traffic in front of the ACE and see what is going


Check where the delay is coming from. Is it on the side ace->server or client ->ace or ????

Once we know the direction we can start looking at the config.

Also make sure the return traffic does not bypass the ACE.  Asymetry is often a reason of bad performance.

Start with a basic config with nor extra feature (compression, ssl encryption, inspection,....) and see if you get better performance than add more feature and see which one impact the performance.

But first, get the sniffer trace.


wasiimcisco Thu, 02/18/2010 - 08:58
User Badges:

I did the capture from to and the following attached output came.

ccess-list cap line 8 extended permit ip host any
access-list cap line 16 extended permit ip host any

ENOCDC-ACE01/Rack1# show capture cap status
Capture session : cap
Buffer size     : 5000 K
Circular        : no
Buffer usage    : 99.00%
Status          : stopped

I have attached the log for your review. When user open the main page of application it is working fine attached log.

After when the click on the links on teh application web page and query goes to SQL database, it got stuck attached log of SQL.

Gilles Dufour Mon, 02/22/2010 - 02:12
User Badges:
  • Cisco Employee,

We need a libpcap (ethereal/wireshark) trace file.

Text is too hard to read and analyse.

Also, you should probably do the capture with a different device than the ace itself.

If you suspect ace to be the problem, capturing on ace will just probably show you the vision of ace which could be wrong.



This Discussion