Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
0
Helpful
6
Replies

latency on application install from dmz to dmz

patrick.cannon
Level 1
Level 1

‎10-13-2003 04:01 PM - edited ‎03-09-2019 05:08 AM

I have a pix quandry. I am looking for suggestions on how to fix what appears to be a file transfer latency issue from dmz to dmz.

I have an environment that includes multiple dmzs with application traffic between the dmzs. All appears to be well ACCEPT for when we attempt to do an application upgrade/install. When this occurs what is normally a two second install in an non-firewall environment becomes a 400+ second install in the firewall environment.

The install is hanging on a file transfer. The install is initiated from a server on the Security10 interface, however the msi package is pulled from a server on the Security15 interface. We also tried making the msi package a text file; there was no significant difference in transfer speed.

We have added the appropriate port access list on the Security10 interface. We verified that there were no deny statements prohibiting the traffic on the Security15 interface.

I also sniffed the packet stream during the install on both ends and was able to pair up most of the tcp conversations fairly easily although I did notice at the beginning of the tcp conversation rather more SYN packets then I would have normally expected.

I also used a portmapping tool to verify that channel was open between both hosts. It clearly showed the conversation was initiating. And eventually although rather slowly the app was pulled over.

To make things more interesting we placed both servers on the same switch with no firewall between them and the install was less than two seconds.

To make things even more interesting, I took the majority of the firewall config from the production environment and built a test environment around it and the application install works just fine. Less than two seconds. I should note that I don't have the whole production config. Just the rules-set. It is managed by a third party. And yes, I am working on getting the complete rules set. I did do a line by line comparision of the pix configs with the third party on the data that I was missing and they had nothing addition to add.

The test environment has one major difference. It was 6.2(2) on a Pix 520 whereas the production environment was a failover config with two Pix 515 running 6.2(2)111. I wasn't able to find anything relevant on bug track.

Any suggestions on how to track this down?

Patrick

Labels:
0 Helpful
6 Replies 6

nkhawaja
Cisco Employee
Cisco Employee

‎10-13-2003 04:11 PM

So we conclude that there is something different in your production environment then what you have tested? You are seeing multiple SYN packets, it means a re-transmission, right?

What are the interface statistics? Are there any drop packets? Is the interface set to full duplex on both DMZs? Can you do the following:

you must have defined STATIC (DMZ1,DMZ2) , where DMZ2 is where your client wants to get installation from DMZ1,

For this particular static, would you try adding "norandonseq" at the end?

Thanks

Nadeem

0 Helpful

patrick.cannon
Level 1
Level 1
In response to nkhawaja

‎10-13-2003 04:44 PM

Both environments are set to 100Full on all adapters.

I am curious as to why norandomseq would fix the problem? It seems to be a fix for a multiple firewall scenario.

I will check on the other things you suggested..

0 Helpful

patrick.cannon
Level 1
Level 1
In response to nkhawaja

‎10-13-2003 04:54 PM

Both environments are set to 100Full on all adapters.

I am curious as to why norandomseq would fix the problem? It seems to be a fix for a multiple firewall scenario.

I will check on the other things you suggested..

0 Helpful

patrick.cannon
Level 1
Level 1

‎10-14-2003 04:27 AM

I put the norandomseq on the static and ran the test again. No change.

On the interface statistics everything on the Security10 interface was 0. On the Security15 interface there was 283,000 input errors and ignored matched this. When I ran the test again this incremented 1,000.

That sounds like something is being filtered/dropped to me.

I did a packet capture with ethereal at the same time and compared both server capture results looking for packets that didn't make it. I haven't noticed anything odd yet. I have to go back and compare the results to the capture in the test environment to see what is different.

0 Helpful

mostiguy
Level 6
Level 6
In response to patrick.cannon

‎10-14-2003 01:24 PM

Input errors sounds like a ethernet duplex mismatch. What are the PIX's interfaces plugged into? If it is a managed switch, then you might wantto configure those ports, and the pix interfaces to be hard coded for 100 full duplex

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to patrick.cannon

‎10-14-2003 09:16 PM

Hi,

Just curious if you have done the clear xlat after the norandomseq. But as what you said you are seeing input errors. This is it. This seems to be a layer 2 issue now. Try to change ports/cables on switch/PIX etc.

Thanks

Nadeem

0 Helpful
Customers Also Viewed These Support Documents