Re: Any high volume PIX admins out there?
comp.security.firewalls archive

From: DigitalVinyl <DigitalVinyl@internet.com>
Date: Wed Nov 23 2005 - 14:57:09 CET

Wil <wil@SPAM.THIS> wrote:

>This sounds like a tcp windowing or pmtud issue, what if you set up the
>following test:
>
>Set the laptop up outside the firewall and download your file via http
>through the firewall like before, you should get the same results...
>Next try to stack up about 5 downloads from the same machine, and
>finally stack about 5 downloads from different machines at the same time.
>
>I would suspect that each of the 5 download speeds would have about the
>same throughput as the first with a greater total sum.

I think this has been true with outside services with plenty of
capacity. With our test laptop we would have to discover what the
limit of it handing the files out is first.

>If possible try a UDP transfer, like NFS to see the results.

Probably could setup a TFTP service easy enough.

>If the above does show that the total sum can be increased through
>multiple threads you should be able to tweak your TCP settings to gain
>better performance. I am running 520's and have been able to get xfers
>up and over 33Megs, downloading files from outside to the inside.

But the question is, could you have achieved 66megs if the firewall
wasn't there. Server and client always determine the maximum rate of
any transfer. I'm using a mediocre laptop so I don't expect much.
Question is why is the pix lowering the throughput so much.

Are you suggesting changing specific TCP settings of the PIX? Cause,
last I checked, I can't request that every website in the world and
18,000 user laptops and PCs get tweaked to compensate for our
firewall. :-) This slowdown is evident in all traffic. The test case
was just to get the problem in focus.

>Wil
>my 3¢
>
>DigitalVinyl wrote:
>> I'm looking to compare notes with a high volume PIX admin out there.
>>
>> We have tracked down performance issues on our 535. One, according to
>> Cisco, appears to be a bug in 7.02, which they are examining.
>>
>> However we are seeing a reduction in throughput from inside to outside
>> by about 50%. Trying to get a vendor to work on optimization of their
>> product is usually infuriating work, so I figured I'd try to see if
>> this is a common issue.
>>
>> At a previous company they attempted to put a 525 between app servers
>> and their databases and it slowed the website down by 20%. Cisco VARs
>> could not explain or fix the performance hit and the PIX
>> implementation was aborted.
>>
>> I'm now working on a PIX 535. We setup a laptop on the outside with IIS
>> running and if we attempt to grab a file via http on the outside we
>> get about 1000Kb/s throughput. If we move the laptop on the LAN on the
>> inside we get less than 500kb/s throughput. We've verified all the
>> network connections for errors both from the pix and the switches and
>> no luck finding something nice and obvious yet.
>>
>> This is the second time we found clear evidence of significant
>> throughput reduction (throttling) when using a PIX.
>>
>> If I do a SHO PERFMON we have the following high stats.
>> 6000-12000 TCP Fixups/s
>> 5900-11800 HTTP Fixups/s
>>
>> SHO PERFMON shows you a momentarily stat, so you can reissue
>> repeatedly and see a range. The AVERAGE and history for PERFMON stats
>> is apparently broken in 7.02.
>>
>>
>> Anybody out there with these kind of volumes going through a PIX???
>>
>> I'm curious to find similar PIX owners to compare notes with.
>>
>>
Received on Sat Dec 3 04:18:00 2005
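The test Wil proposes (one download, then several stacked at once, compared for per-stream and aggregate rate) as a small throughput harness. This is added example code, not from the thread or from Cisco; it serves a constructed 4 MiB file from a local Python HTTP server that stands in for the IIS laptop, then pulls it with 1 and then N concurrent streams and reports megabytes per second (bytes, not bits) for each stream and for the run as a whole. To reproduce the thread's setup, point `url` at the real server on the far side of the firewall instead of the local one; the `start_server`, `fetch` and `run_test` names are this example's own.

```python
"""Parallel-download throughput harness (added example, not from the thread).

Measures a single HTTP download, then N concurrent downloads of the same
file, so the per-stream rate and the aggregate rate can be compared.  If
the aggregate scales with N while each stream stays flat, the ceiling is
per-connection (window / PMTUD / per-flow processing) rather than raw link
capacity, which is the distinction the thread is trying to make.
"""
import http.server
import socketserver
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

PAYLOAD_SIZE = 4 * 1024 * 1024  # constructed 4 MiB test file


class _FileHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the IIS laptop: answers every GET with the test file."""
    payload = b"\x00" * PAYLOAD_SIZE

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(self.payload)))
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, *args):  # keep per-request logging off
        pass


class _Server(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True
    allow_reuse_address = True


def start_server():
    """Start the local server on an ephemeral port; return (server, url)."""
    srv = _Server(("127.0.0.1", 0), _FileHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/testfile"


def fetch(url, chunk=64 * 1024):
    """Download url to /dev/null; return (bytes_received, seconds)."""
    start = time.perf_counter()
    total = 0
    with urllib.request.urlopen(url) as resp:
        while True:
            data = resp.read(chunk)
            if not data:
                break
            total += len(data)
    return total, time.perf_counter() - start


def run_test(url, streams):
    """Run `streams` concurrent downloads; report per-stream and aggregate MB/s."""
    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        results = list(pool.map(fetch, [url] * streams))
    wall = max(time.perf_counter() - wall_start, 1e-9)
    total_bytes = sum(nbytes for nbytes, _ in results)
    return {
        "streams": streams,
        "total_bytes": total_bytes,
        "per_stream_mbps": [nbytes / max(secs, 1e-9) / 1e6 for nbytes, secs in results],
        "aggregate_mbps": total_bytes / wall / 1e6,
    }


def compare(url, streams=5):
    """The thread's A/B: one stream versus `streams` stacked streams."""
    return run_test(url, 1), run_test(url, streams)


if __name__ == "__main__":
    srv, url = start_server()
    try:
        single, multi = compare(url, streams=5)
        print(f"1 stream : {single['aggregate_mbps']:.1f} MB/s")
        print(f"5 streams: {multi['aggregate_mbps']:.1f} MB/s aggregate, "
              f"per stream {[round(r, 1) for r in multi['per_stream_mbps']]}")
    finally:
        srv.shutdown()
```

Against a loopback server the numbers only exercise the harness; the comparison that matters is the same script run once with the laptop outside the firewall and once inside, with the same `streams` value, so that the per-stream figure and the aggregate figure can be read side by side for each placement.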