08-13-2009 09:02 AM - edited 03-11-2019 09:05 AM
We have a PIX 515UR set up with 5 interfaces: Inside, Outside, DMZ1, DMZ2 and DMZ3. We have the PIX configured to allow clients on the inside interface (192.168.1.x) to access machines on DMZ3 (192.168.3.x). Using Explorer on a WinXP client, I open up a window using the admin share to a remote Win2000 server (\\192.168.3.3\c). Then I browse to a folder and copy/paste it to my local c: drive. The copy of a 10MB file may take 12 minutes?? If I plug my machine into the DMZ3 subnet and conduct the same test, it copies in 5 seconds. Simple test which indicates the PIX is the bottleneck. Any configuration changes we can do to speed things up?
Our hardware is a PIX-515E with 32MB of RAM, and the CPU is a Pentium II 433 MHz running PIX 6.3(5) software release.
08-13-2009 10:08 AM
Does this behaviour happen on other DMZ interfaces? I recommend first ruling out physical connection and config discrepancies. Have you looked at the firewall DMZ3 interface stats for CRC or other errors? Check NIC settings or switchport stats for that server in DMZ3. If all these are not the issue, have a look at your PIX performance: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
But a 10MB file copy taking 12 minutes sounds like packets are being dropped somewhere.
Regards
08-13-2009 11:20 AM
Great question. I tested a file copy/paste from one other DMZ and had NO problem. This is a good sign! I copied a 23MB folder with 435 files in 14 subfolders in less than 5 seconds.
This indicates the problem is not inherent in our PIX hardware (as it's several years old). Here's some more INFO...
Interface 4 on the PIX is the DMZ we are having trouble with. This subnet exists because of a specific VENDOR application called TripPak (document mgmt system). What makes this subnet unique in our environment is it has a vendor-supplied and managed router (Cisco 2801) for establishing a secure tunnel from this subnet back to their corporate network. The server we are copying files/data from is effectively a file server (192.168.3.3) running Windows 2000 Server. Its default route is to the vendor's router (192.168.3.2), NOT to the PIX interface (192.168.3.1).
You asked about interface stats. Below is the "show interface 4" cmd output. Don't see any CRC or other errors.
HQ515-Primary# show int 4
interface ethernet4 "trippak-dmz" is up, line protocol is up
Hardware is i82559 ethernet, address is 000d.8811.65ba
IP address 192.168.3.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
44759110 packets input, 1550253203 bytes, 0 no buffer
Received 100698 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
44863243 packets output, 1761523636 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/24)
output queue (curr/max blocks): hardware (0/30) software (0/1)
I'm beginning to think this is a routing issue delay within our vendor's router. To test this, I placed a static route on the file server:
ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1 -P
to make sure traffic from that server went straight to the PIX interface and POOF the problem went away.
Thanks for steering me in the right direction. Case closed! Joe
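Added example, not part of the original thread: a small model of the file server's route table showing which gateway it selects for replies to inside clients before and after the static route above. The route tables and the client addresses 192.168.1.10 and 192.168.1.200 are constructed from the addresses given in the posts, and route metrics are ignored.

```python
import ipaddress

ON_LINK = "on-link"
PIX_DMZ3 = "192.168.3.1"       # PIX interface on the DMZ (from the thread)
VENDOR_ROUTER = "192.168.3.2"  # vendor-managed router (from the thread)

# Constructed model of the file server's route table: (destination, gateway).
ROUTES_BEFORE = [
    ("0.0.0.0/0", VENDOR_ROUTER),   # default route
    ("192.168.3.0/24", ON_LINK),    # directly connected subnet
]
# Table after: ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1 -P
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.1.0/24", PIX_DMZ3)]


def next_hop(routes, dest):
    """Gateway selected for dest by longest-prefix match (metrics ignored)."""
    addr = ipaddress.ip_address(dest)
    best_net, best_gw = None, None
    for network, gateway in routes:
        net = ipaddress.ip_network(network)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    return best_gw


def off_firewall_replies(routes, clients, firewall_ip):
    """Clients whose reply traffic would not be handed to the firewall."""
    return [(c, next_hop(routes, c)) for c in clients
            if next_hop(routes, c) != firewall_ip]


if __name__ == "__main__":
    clients = ["192.168.1.10", "192.168.1.200"]  # constructed inside hosts
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, off_firewall_replies(table, clients, PIX_DMZ3))
```

The same check applies to any host behind a stateful firewall that has a second router on its subnet: the reply path is decided by the host's own route table, not by the firewall configuration.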
08-13-2009 12:16 PM
Nice finding Joe, thanks for posting detailed outcome of the issue. +5