Re: ANy high volume PIX admins out there?
comp.security.firewalls archive

From: Wil <wil@SPAM.THIS>
Date: Tue Nov 22 2005 - 17:20:48 CET

This sounds like a TCP windowing or PMTUD issue. What if you set up the
following test:

Set the laptop up outside the firewall and download your file via http
through the firewall like before, you should get the same results...
Next try to stack up about 5 downloads from the same machine, and
finally stack about 5 downloads from different machines at the same time.

I would suspect that each of the 5 download speeds would have about the
same throughput as the first, with a greater total sum.

If possible try a UDP transfer, like NFS to see the results.

If the above does show that the total sum can be increased through
multiple threads, you should be able to tweak your TCP settings to gain
better performance. I am running 520's and have been able to get xfers
up and over 33Megs, downloading files from outside to the inside.

Wil
my 3¢

DigitalVinyl wrote:
> I'm looking to compare notes with a high volume PIX admin out there.
>
> We have tracked down performance issues on our 535. One, according to
> Cisco, appears to be a bug in 7.02, which they are examining.
>
> However we are seeing a reduction in throughput from inside to outside
> by about 50%. Trying to get a vendor to work on optimization of their
> product is usually infuriating work, so I figured I'd try to see if
> this is a common issue.
>
> At a previous company they attempted to put a 525 between app servers
> and their databases and it slowed the website down by 20%. Cisco VARs
> could not explain or fix the performance hit and the PIX
> implementation was aborted.
>
> I'm now working on a PIX 535. We setup a laptop on the outside with IIS
> running and if we attempt to grab a file via http on the outside we
> get about 1000Kb/s throughput. If we move the laptop on the LAN on the
> inside we get less than 500kb/s throughput. We've verified all the
> network connections for errors both from the pix and the switches and
> no luck finding something nice and obvious yet.
>
> This is the second time we found clear evidence of significant
> throughput reduction (throttling) when using a PIX.
>
> If I do a SHO PERFMON we have the following high stats.
> 6000-12000 TCP Fixups/s
> 5900-11800 HTTP Fixups/s
>
> SHO PERFMON shows you a momentary stat, so you can reissue
> repeatedly and see a range. The AVERAGE and history for PERFMON stats
> is apparently broken in 7.02.
>
>
> Anybody out there with these kind of volumes going through a PIX???
>
> I'm curious to find similar PIX owners to compare notes with.
>
>
Received on Sat Dec 3 04:17:51 2005
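The test Wil proposes (one download, then several in parallel from one host, comparing per-stream speed against the summed total) can be scripted so the numbers are recorded rather than eyeballed. The script below is an added example and is not code from the thread or from Cisco: it downloads the same object over N concurrent HTTP streams and reports each stream's rate and the aggregate. If per-stream rate stays roughly flat while the aggregate grows with N, the limit is per-connection (TCP window, bandwidth-delay product, path MTU), which host tuning can address; if the aggregate plateaus, the device in the path is the ceiling. To run offline it serves a constructed 4 MiB object from a local HTTP server in a background thread; for the real test, replace that URL with the IIS laptop outside the firewall. `window_needed_bytes` is an added helper for interpreting the result: the receive window a single stream needs to reach a target rate at a given RTT (bandwidth-delay product); the 8 Mbit/s and 50 ms figures in the usage are assumed, not from the thread.

```python
"""Single-stream vs. aggregate HTTP throughput through a firewall path.

Added example, not part of the original thread. Serves a constructed
object locally so it runs offline; set BASE_URL to a real server outside
the firewall to reproduce the test described in the post.
"""
import http.server
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

PAYLOAD = b"x" * (4 * 1024 * 1024)  # constructed 4 MiB test object


class _BlobHandler(http.server.BaseHTTPRequestHandler):
    """Minimal GET handler that returns PAYLOAD for any path."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_local_server():
    """Start the stand-in server on a free loopback port; return (server, url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _BlobHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/blob"


def fetch(url, chunk=65536):
    """Download url fully; return (bytes_received, seconds) for that stream."""
    start = time.perf_counter()
    total = 0
    with urllib.request.urlopen(url) as resp:
        while True:
            data = resp.read(chunk)
            if not data:
                break
            total += len(data)
    return total, time.perf_counter() - start


def measure(url, streams):
    """Run `streams` concurrent downloads of url.

    Returns per-stream rates (kbit/s, each over its own duration) and the
    aggregate rate (all bytes over the wall-clock time of the whole batch).
    """
    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        results = list(pool.map(fetch, [url] * streams))
    wall = time.perf_counter() - wall_start
    total_bytes = sum(b for b, _ in results)
    return {
        "streams": streams,
        "total_bytes": total_bytes,
        "per_stream_kbps": [b * 8 / s / 1000 for b, s in results],
        "aggregate_kbps": total_bytes * 8 / wall / 1000,
    }


def window_needed_bytes(target_bps, rtt_s):
    """Receive window (bytes) one TCP stream needs to sustain target_bps at rtt_s.

    This is the bandwidth-delay product: if the advertised window is smaller,
    a single stream cannot fill the path no matter what the firewall does.
    """
    return int(target_bps * rtt_s / 8)


if __name__ == "__main__":
    srv, BASE_URL = start_local_server()   # swap for the outside IIS host
    try:
        for n in (1, 5):
            r = measure(BASE_URL, n)
            rates = [round(k) for k in r["per_stream_kbps"]]
            print(f"{n} stream(s): per-stream {rates} kbit/s, "
                  f"aggregate {r['aggregate_kbps']:.0f} kbit/s")
    finally:
        srv.shutdown()
    # assumed figures: 8 Mbit/s target over a 50 ms RTT path
    print("window needed:", window_needed_bytes(8_000_000, 0.050), "bytes")
```

Run the single-stream case first, then the 5-stream case from the same host, then 5 streams from different hosts as the post suggests; the per-stream figures in the last case will also show whether the firewall's per-host behaviour differs from its per-connection behaviour. Compare the window the second function reports against what `netstat` or a packet capture shows the inside host advertising.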