My customer says that performance through the FWSM was very sluggish.
He said he switched over from active to standby FWSM and everything is fine after this.
I want to ask him to switch back to the suspect FWSM module again to see the problem first hand.
Apart from SHOW TECH and SHOW LOG is there any more usefull commands that I can do on the problem FWSM at the time of the problem that will help me narrow down the problem.
At the moment I have the SHOW TECH and a sniffer trace with the problem FWSM and a sniffer trace after switching over to standby FWSM, but I can't see anything unusual in these sniffer traces such as retranmissions, etc.
Traffic through FWSM can be slow due to a variety of reasons and it is better to narrow down to the type of traffic which is causing the problem. This can be checked by removing the respective inspect command (like inspect HTTP) and then checking the traffic flow. Also check if the cpu and memory usage of FWSM are not reason of its slow performance.
If you manage to identify your issue then I would be keen to review your findings. I'm currently investigating a similar issue where the throughput varies from 1.5MBps (slow) up to 94MBps when running a test from in the same VLAN or through the firewall. I plan to fail the firewalls over at the earliest chance to see if it is a hardware limitation.
When looking at the graphing (ASDM) and via SNMP .I can see that the interfaces are not particularly under any load (less than 20Mbps). The impact is seen when attempting to run a backup or a large copy.
What identified the issue was a 187 GB drive on a server in a blade farm backing up in the same vlan with a write speed of approx 40MBps (speed that the tape writes at) where as through through the firewall this dropped to 1.5MBps. The architechture of the FWSM should allow for at least 100MBps throughput on the basis of the backplane being able to process 1Gbps.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :