05-14-2007 08:57 AM - edited 03-11-2019 03:13 AM
We have a pair of redundant 515e firewalls. A couple of months ago users started complaining of slow performance between network segments. The common denominator seems to be segments separated by the PIXes. We also discovered that if we try to FTP files from the inside interface to anything on the outside interface (DMZ or on the Internet), the speed drops to about 12 KB/s. No matter what we FTP to on the outside, we never get above 12 or 13 KB/s. I noticed similar performance when we try to do a Windows file copy from a workstation on the inside interface to a Windows box on the outside interface.
I read a few posts on various forums, and subsequently changed the ports from auto to 100/full on the PIXes and the switch. That did not help.
I upgraded the firewalls to 7.2.1 in January, but can't remember from what. It was 6.something, but I don't remember exactly what. Complaints started coming in around March, so it might be unrelated. I upgraded the PIX to 7.2.2 this weekend, but that did not change the behavior.
Any suggestions?
Thanks,
Daris
05-14-2007 05:34 PM
Post your config please.
Thanks!
05-15-2007 07:46 AM
05-15-2007 09:32 AM
When you say that you are transferring a file from the inside to the outside and it is slow, what exactly is on the outside? Are you uploading a file to a known host on the public Internet or to a private host that is one hop away from the outside interface?
05-15-2007 09:38 AM
Both. I test to an FTP server in our DMZ (between the PIX and our Internet router) and to a public FTP server at my home. The transfer speeds are the same. I can't do Windows file copies to the box at home, but Windows file copies show similar speeds to our DMZ FTP server. The DMZ FTP server is connected to the same Cisco switch that the PIX is connected to.
The ports for the PIX and the FTP server are forced to 100/Full and show no errors.
Again thanks,
Daris
05-14-2007 11:22 PM
Try a ping test: ping the IP address on the other side from your PC/host using the ping options.
You should see something like "Packet needs to be fragmented but DF set".
Try lowering the packet size from 1500 to 1400 and then check in small steps when your host gets replies. Once you start getting replies, give the command sysopt connection tcpmss.
Then check on your speed again.
HTH
Hoogen
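The probe-and-shrink procedure Hoogen describes, written out as an added example (this is not code from the thread or from Cisco). It binary-searches the largest ICMP payload that still gets a reply with the don't-fragment bit set, converts that to a path MTU (payload + 8-byte ICMP header + 20-byte IP header), and derives the TCP MSS (MTU - 40) to hand to `sysopt connection tcpmss`. The 1400-byte path MTU used by `simulated_probe` is a constructed value so the script runs offline; on a real network, swap in a function that runs the OS ping with DF set (Windows `ping -f -l <payload> <host>`, Linux `ping -M do -s <payload> -c 1 <host>`) and returns whether a reply came back.

```python
"""Path-MTU probe in the style of the ping/DF test above (added example)."""
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header without options


def simulated_probe(payload: int, path_mtu: int = 1400) -> bool:
    """Stand-in for `ping -f -l <payload>`: the probe 'gets a reply' only if
    the whole IP datagram fits the constructed path MTU (assumption: 1400)."""
    return payload + ICMP_HEADER + IP_HEADER <= path_mtu


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest ICMP payload that passes with DF set.

    `hi` defaults to 1472 = 1500 - 28, the biggest payload on plain Ethernet.
    Invariant during the search: probe(lo) succeeds, probe(hi) fails.
    """
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed; check reachability first")
    if probe(hi):
        return hi  # no MTU restriction on this path at all
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Ping payload -> size of the full IP datagram that still fits."""
    return payload + ICMP_HEADER + IP_HEADER


def recommended_tcp_mss(path_mtu: int) -> int:
    """Largest TCP segment that fits the path MTU without fragmentation;
    this is the value for `sysopt connection tcpmss <bytes>` on the PIX."""
    return path_mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    payload = find_max_payload(simulated_probe)
    mtu = path_mtu_from_payload(payload)
    print(f"largest payload that passes with DF set: {payload}")
    print(f"path MTU: {mtu}")
    print(f"sysopt connection tcpmss {recommended_tcp_mss(mtu)}")
```

The PIX default for `sysopt connection tcpmss` is 1380, which already assumes a path MTU of 1420; if the probe finds a path MTU below that, lowering the clamp stops the firewall from forwarding SYNs that advertise a segment size the path cannot carry, which is what turns a DF-set transfer into a retransmit-and-stall pattern.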
05-15-2007 07:39 AM
Thanks Hoogen. I tried that, but it did not seem to help the problem. FTP to our DMZ server on the outside interface is still between 12 and 15 KB/s.
05-15-2007 10:57 AM
Did you check for Interface errors on the inside interface and the switchport it is connected to?
sh interface "interface"
Thanks,
Chad
05-15-2007 01:04 PM
Yes, I did. There are no errors on any of the interfaces or associated switch ports.
05-15-2007 03:44 PM
Does a sniffer capture reveal any obvious performance issues? Retransmissions etc?
Daniel
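A way to answer Daniel's question without eyeballing a capture, as an added example that is not part of the thread: the check below walks a list of TCP data segments for one flow and flags any segment whose byte range was already sent, which is how a sniffer identifies retransmissions (Wireshark's `tcp.analysis.retransmission` display filter does the same job on a real pcap). The capture embedded here is constructed, not from the poster's network: an inside host pushing an FTP data stream to the DMZ server, with two retransmissions about a second apart, the pattern one would expect if 1460-byte segments were being dropped somewhere on the path.

```python
"""Retransmission check over a constructed TCP capture (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    seq: int       # TCP sequence number of the first payload byte
    length: int    # TCP payload bytes


# Constructed capture (assumed hosts 10.1.1.10 -> 192.168.5.20, FTP data channel).
SAMPLE = [
    Segment(0.000, "10.1.1.10", "192.168.5.20", 1, 1460),
    Segment(0.001, "10.1.1.10", "192.168.5.20", 1461, 1460),
    Segment(0.002, "10.1.1.10", "192.168.5.20", 2921, 1460),
    Segment(1.200, "10.1.1.10", "192.168.5.20", 1461, 1460),  # resent after ~1.2 s timeout
    Segment(1.201, "10.1.1.10", "192.168.5.20", 2921, 1460),  # resent
    Segment(1.210, "10.1.1.10", "192.168.5.20", 4381, 1460),
    Segment(2.400, "10.1.1.10", "192.168.5.20", 4381, 1460),  # resent again
    Segment(2.410, "10.1.1.10", "192.168.5.20", 5841, 500),
]


def find_retransmissions(segments):
    """Return the data segments whose bytes were already sent on the same flow.

    Tracks the highest seq+len seen per (src, dst); a later segment that ends
    at or below that mark carries nothing new. Sequence-number wrap and SACK
    are ignored, which is fine for a short capture like this one.
    """
    next_seq = defaultdict(int)
    retrans = []
    for s in segments:
        if s.length == 0:
            continue  # pure ACKs are never retransmissions
        flow = (s.src, s.dst)
        end = s.seq + s.length
        if end <= next_seq[flow]:
            retrans.append(s)
        next_seq[flow] = max(next_seq[flow], end)
    return retrans


def summarize(segments):
    """Counts a practitioner wants from the capture: how much of the
    transfer was spent resending bytes the receiver never acknowledged."""
    data = [s for s in segments if s.length]
    retrans = find_retransmissions(segments)
    return {
        "data_segments": len(data),
        "retransmissions": len(retrans),
        "bytes_sent": sum(s.length for s in data),
        "retransmitted_bytes": sum(s.length for s in retrans),
    }


if __name__ == "__main__":
    for s in find_retransmissions(SAMPLE):
        print(f"{s.ts:7.3f}s retransmission seq={s.seq} len={s.length}")
    print(summarize(SAMPLE))
```

If full-size (1460-byte) segments are the ones being resent while small ones get through, that points back at the MTU/MSS issue rather than at the switch ports; if every size is resent equally, look at the interface and the link itself.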