Windows 2003 Server and pix firewall throughput

terminalLv · ‎04-06-2006

Does anyone have any experience with throughput problems with Windows 2003 server and pix firewalls?

We have 4 machines behind our pix 501 firewall: 2 Windows 2003, a Windows 2000, and an XP. The machines are all configured the same in the firewall.

The symptom is we get 200-300kbps throughput on the 2003 machines, and 4-6Mbps on the other 2. If we move the 2003 machines out from behind the firewall, they get the 4-6Mbps. Swapping out the NICs on the 2003 machines didn't change anything.

Anyone have any ideas or experience with what might cause this? Thanks in advance.

kengyiam · ‎04-06-2006

maybe you can try looking into what traffic is actually been generated in your machines? try using a sniffer to see the packets.

Patrick Iseli · ‎04-07-2006

Windows 2003 DNS and Cisco Pix firewalls

This keeps coming up. Windows 2003 DNS supports large UDP packets. All but the current version of the Cisco PIX IOS have a DNS Fixup that is limited to 512 byte packets. This causes DNS lookup timeouts since the firewall drops the packets. You can:

a) turn off DNS fixup on the PIX. Not the best solution since it does offer some DNS poisoning protection.

b) turn off eDNS in Windows 2003 using the dnscmd utility from Support Tools:

dnscmd /Config /EnableEDnsProbes 0

c) upgrade to the latest PIX IOS, which adds the ability to add a “maximum-length 1500” parameter to the fixup DNS configuration element.

Reference:

http://cameron-webb.com/blog/archive/2003/11/13/159.aspx

sincerely

Patrick