topic Re: PIX 515E slow http from inside to dmz network in Network Security

PIX 515E slow http from inside to dmz network

kvoelker2000 — Tue, 12 Mar 2019 00:11:00 GMT

I have a PIX 515E V7.0.4 and I'm having trouble with http access between the inside interface and a DMZ zone I have. I have a web server setup in the DMZ with an web interface to upload/download files. I can connect to this interface from a workstation in the inside network but when I try to download a file it is incredibly slow. If I upload a file there are no speed issues. If I connect using an https connection then both upload and downloads are at speeds I would expect.

I have disabled http inspect but this didn't improve the speed connection.

Other http communications from inside to outside do not have any speed issues in either direction.

Any thoughts or suggestions appreciated.

Thanks,

Karl

PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 01:59:23 GMT

Hello,

Run captures in order to determine if there is something weird with the TCP interaction between both devices ( client and server)

PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 09:33:39 GMT

Hi,

I ran wireshark on the client to see if I could determine the problem. When comparing the trace between upload and download there was nothing that stood out in the download trace when compared to the upload. Both looked very similar.

Thanks.

PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 16:25:09 GMT

Hello,

What about retransmissions or out of order packets?

Regards,

Julio

PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 18:59:37 GMT

Hi Julio,

I did another packet trace of a file download that had about 10K packets. Of those I saw about 5 of the following:

[TCP Retransmission ] Continuation or non-HTTP traffic (all from the server to the workstation)

The majority of the packets were:

Continuation or non-HTTP traffic (both directions)

I wanted to mention that I also have tried changing the port settings on both the server NIC and switch port it connects to. Every possible combo (auto, full, half)

The PIX DMZ interface is set to 100 Full and also the switch port it connects to (3COM Superstack). I don't seem to have any speed issues for other applications running on this server, FTP, File sharing.

Thanks,

Karl

PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 19:01:27 GMT

Hello,

How many retransmission packets do you see on wireshark?

Please provide me the show interface of the ASA ( related to DMZ )

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 19:17:45 GMT

Out of the trace of about 10000 packets I saw 5 or 6 retransmission packets.

Here is the sho int for my DMZ interface

Interface Ethernet2 "DMZ", is up, line protocol is up

Hardware is i82559, BW 100 Mbps

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

Description: DMZ Zone.

MAC address 000d.8811.c32c, MTU 1500

IP address xxx.xxx.xxx.xxx, subnet mask 255.255.255.0

25467862676 packets input, 5078676771134 bytes, 0 no buffer

Received 8304357 broadcasts, 0 runts, 0 giants

13 input errors, 0 CRC, 0 frame, 13 overrun, 0 ignored, 0 abort

0 L2 decode drops

44197954355 packets output, 57486827220439 bytes, 42 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/191)

output queue (curr/max blocks): hardware (0/128) software (0/45)

Traffic Statistics for "Audiovault-DMZ":

25473285608 packets input, 4606976126158 bytes

44203213848 packets output, 56856313580879 bytes

8197481 packets dropped

PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 19:20:52 GMT

Hello,

42 underruns

13 overrun

13 input errors

Can you clear the counters and then attempt a connection and check the interface again and post the results.

I dont like those error counters.

Regards

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 19:37:56 GMT

Hi,

Cleared the counters and downloaded a 100MB file

Interface Ethernet2 "Audiovault-DMZ", is up, line protocol is up

Hardware is i82559, BW 100 Mbps

Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

Description: DMZ Zone.

MAC address 000d.8811.c32c, MTU 1500

IP address 192.168.2.1, subnet mask 255.255.255.0

130716 packets input, 147258923 bytes, 0 no buffer

Received 189 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

73850 packets output, 12994065 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/15)

output queue (curr/max blocks): hardware (0/10) software (0/1)

Traffic Statistics for "Audiovault-DMZ":

129252 packets input, 145431089 bytes

73850 packets output, 11362942 bytes

183 packets dropped

Re: PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 19:40:53 GMT

Hello,

That looks way better,

Okay so you have removed the HTTP inspection.

Did you clear the local-host table afterwards?

clear local-host

Then is there a way you could upload here a capture while you perform the file download

Ofcourse provide us the capture syntax you used on the PIX and the PIX setup

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 19:45:07 GMT

Hi,

I didn't clear the local host table. Would this affect any current traffic when I run this command? Should I do this during a non-peak user time?

For the capture I've just been using wireshark on the local machine and nothing directly on the PIX. Should I be running a capture directly on the PIX?

Thanks.

Re: PIX 515E slow http from inside to dmz network

Julio Carvajal — Thu, 18 Oct 2012 19:48:04 GMT

I didn't clear the local host table. Would this affect any current traffic when I run this command?

Yes, it will clear all the existing connections so they will need to be build again. So a dowtime of 1-2 seconds could happen.

Should I do this during a non-peak user time? If possible yes,

For the capture I've just been using wireshark on the local machine and nothing directly on the PIX. Should I be running a capture directly on the PIX?

Yes, it' needs to be done on the PIX

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

https://supportforums.cisco.com/docs/DOC-1222

Remember to rate all of the helpful posts

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Thu, 18 Oct 2012 20:28:15 GMT

Hi,

I am going to try the clear-host tonight and will let you know.

If it still has the issue I will run a trace locally on the PIX and report back.

Thanks for your help.

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Sun, 21 Oct 2012 03:43:54 GMT

Hi,

So I ran the clear local-host command and there was no difference in download speed. I rebooted both my primary and failover firewalls just to clear everything and still the same slow download speeds.

I did run a capture right on the PIX using the following command "capture test circular-buffer interface DMZ". I'm not sure where I can upload a capture file here but the capture on the PIX looked almost identical to the capture form the local workstation. Here is a screen capture of the PIX capture hopefully it is readable. The IP address are 192.168.2.37 for the web server and 192.168.1.63 for the workstation downloading the file. If I run the same download using https the speeds are completely fine. Seems like the PIX must be doing something to the http connection but not sure what it is.

Re: PIX 515E slow http from inside to dmz network

Julio Carvajal — Sun, 21 Oct 2012 07:32:16 GMT

Hello,

Really interesting behavior

Do the following capture for me please

capture capin interface inside match tcp host 192.168.1.63 host 192.168.2.37 eq 80

cap capdmz interface dmz match tcp host 192.168.1.3 host 192.168.2.37 eq 80

Then attemtp to connect, afterwards download the captures to your computers and try to upload them here, if not possible send them to my email address ( on my profile you will have 2 email addresses)

I will analize that on my PC, Please send me the show running-config as well,

Regards,

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Mon, 22 Oct 2012 20:40:21 GMT

Hi,

I went to run the captures you wanted but the commands aren't recognized, I don't think it likes the "match" command. I will try to get those captures run but here is the running config from my PIX.

Thanks,

Karl

Re: PIX 515E slow http from inside to dmz network

Julio Carvajal — Mon, 22 Oct 2012 20:48:12 GMT

Hello,

Got it, yes, that's because of the version you are running.

You will need to do it with an ACL instead of a match.

Regards.

Julio

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Mon, 22 Oct 2012 22:01:57 GMT

HI,

OK so I got the capture syntax and attached is the capture from the hosts on the DMZ interface. The capture on the inside interface did not collect any packets which was odd, upload or download and I used the same access-list.

I'll keep trying to get a capture on the inside interface.

Karl

Re: PIX 515E slow http from inside to dmz network

Julio Carvajal — Mon, 22 Oct 2012 23:36:54 GMT

Hello,

Can you share the NAT you are using from the internal interface when going to the DMZ server and?

Do you have any NAT from DMZ when going to inside

What is between the ASA and the HTTP server on the DMZ?

Regards,

Re: PIX 515E slow http from inside to dmz network

kvoelker2000 — Tue, 23 Oct 2012 00:06:22 GMT

The NAT I have between the inside and DMZ network is one to one. Private addresses in the inside net translate to those same addresses in the DMZ and vice versa.

The server in the DMZ zone, 192.168.2.37, is a public facing server so it's public address is translated to the inside network so the machines in the inside net access it via it's public address.

Nothing is in between the HTTP server and the PIX. Both the inside network and DMZ are connected directly to the PIX. The DMZ network is on a VLAN on a seperate switch.

Hopefully this makes sense.

Karl