Performance problem copying files between PIX515 subnets

joe-campbell
Level 1

We have a PIX 515UR set up with 5 interfaces: Inside, Outside, DMZ1, DMZ2 and DMZ3. We have the PIX configured to allow clients on the inside interface (192.168.1.x) to access machines on DMZ3 (192.168.3.x). Using Explorer on a WinXP client, I open up a window using the admin share to a remote Win2000 server (\\192.168.3.3\c). Then I browse to a folder and copy/paste it to my local c: drive. The copy of a 10MB file may take 12 minutes?? If I plug my machine into the DMZ3 subnet and conduct the same test, it copies in 5 seconds. Simple test which indicates the PIX is the bottleneck. Any configuration changes we can do to speed things up?

Our hardware is a PIX-515E with 32MB of RAM and the CPU is a Pentium II 433 MHz running PIX 6.3(5) software release.

1 Accepted Solution

Accepted Solutions

JORGE RODRIGUEZ
Level 10

Does this behaviour happen on other DMZ interfaces? I recommend first ruling out physical connection and config discrepancies. Have you looked at the firewall DMZ3 interface stats for CRC or other errors? Check the NIC settings or switchport stats for that server in DMZ3. If none of these is the issue, have a look at your PIX performance: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml

But a 10MB file copy taking 12 minutes sounds like packets are being dropped somewhere.

Regards

Jorge Rodriguez

Great question. I tested a file copy/paste from one other DMZ and had NO problem. This is a good sign! I copied a 23MB folder with 435 files in 14 subfolders in less than 5 seconds.

This indicates the problem is not inherent in our PIX hardware (as it's several years old). Here's some more INFO...

Interface 4 on the PIX is the DMZ we are having trouble with. This subnet exists because of a specific VENDOR application called TripPak (document mgmt system). What makes this subnet unique in our environment is it has a vendor-supplied and managed router (Cisco 2801) for establishing a secure tunnel from this subnet back to their corporate network. The server we are copying files/data from is effectively a file server (192.168.3.3) running Windows 2000 Server. Its default route is to the vendor's router (192.168.3.2), NOT to the PIX interface (192.168.3.1).

You asked about interface stats. Below is the "show interface 4" cmd output. Don't see any CRC or other errors.

HQ515-Primary# show int 4
interface ethernet4 "trippak-dmz" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.8811.65ba
  IP address 192.168.3.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        44759110 packets input, 1550253203 bytes, 0 no buffer
        Received 100698 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        44863243 packets output, 1761523636 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/24)
        output queue (curr/max blocks): hardware (0/30) software (0/1)

I'm beginning to think this is a routing issue delay within our vendor's router. To test this, I placed a static route on the file server:

ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1 -P

to make sure traffic from that server went straight to the PIX interface and POOF the problem went away.

Thanks for steering me in the right direction. Case closed! Joe
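An added example, not part of the original posts: a small Python model of the file server's route lookup (longest-prefix match), showing which gateway receives replies to the inside subnet before and after the static route described above. The route tables are constructed from the addresses in the thread, and the function names are hypothetical.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def asymmetric_sources(routes, firewall_ip, client_nets):
    """Client networks whose replies are NOT handed to the firewall interface.

    Simplification: one representative host per client network is probed,
    so a more specific route covering only part of a network is not detected.
    """
    findings = []
    for net in client_nets:
        probe = next(iter(ipaddress.ip_network(net).hosts()))
        hop = next_hop(routes, probe)
        if hop != firewall_ip:
            findings.append((net, hop))
    return findings

# Constructed route tables for the file server 192.168.3.3 (from the thread).
PIX_DMZ_IF = "192.168.3.1"      # PIX "trippak-dmz" interface
VENDOR_ROUTER = "192.168.3.2"   # vendor-managed Cisco 2801
INSIDE_NETS = ["192.168.1.0/24"]

BEFORE = [
    ("0.0.0.0/0", VENDOR_ROUTER),     # default route points at the vendor router
    ("192.168.3.0/24", "on-link"),    # directly connected DMZ subnet
]
# Equivalent of: ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.3.1 -P
AFTER = BEFORE + [("192.168.1.0/24", PIX_DMZ_IF)]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        hop = next_hop(table, "192.168.1.50")
        bad = asymmetric_sources(table, PIX_DMZ_IF, INSIDE_NETS)
        print(f"{label}: reply to 192.168.1.50 goes via {hop}; off-firewall return paths: {bad}")
```

The same check can be run against the routing table of any host on a firewalled segment that has a second gateway, to find return paths that do not go back through the firewall interface.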

Nice finding, Joe, thanks for posting the detailed outcome of the issue. +5

Jorge Rodriguez