Cisco FWSM, one of the contexts is slow

ismailmohammed
Level 1

Hi,

I am currently facing the following issue with an FWSM module installed in a Cisco 6509 E chassis. Please go through the following questions in detail and please let me know what could have been the issue in this case.

We have got two FWSMs and both of them are running in active and standby mode. The actual problem is that the application which the user is accessing on the server loads very, very slowly. It takes close to 3 minutes just to load the opening screen. Compare that to about a few seconds when it is not behind the firewall. We have recently created this context to access this application; this is a relatively new context on the FWSM, although there are already a few contexts in the FWSM prior to this. We have started facing this issue from the time the server was placed behind the firewall (Wk2 Nov 2009). But we did isolation and observation first for about a month. Isolation includes putting the server out of the FWSM context. This problem was observed on more than one context of the firewall. The problem was affected on the same context; this problem was observed on more than 1 server. No load balancing on the servers. The servers are running Oracle database (port 1521). But there is no port restriction on the FWSM context. We have created another context called text and, without applying any policies, all the clients are able to access the server without any issues at all. We would like to create policies only for IP filtering and no port filtering.

If anyone has any clue for this issue that I am facing, please let me know.


Many thanks.

Best regards


- Ismail


Jon Marshall
Hall of Fame

Ismail

If you have created a test context with no filtering and the app runs fine, then it must be something to do with the filtering policies you are applying. It could well be a timeout issue, e.g. the server needs to do a DNS lookup but DNS is not allowed, so the request must time out before the client can be serviced. This is a common sort of thing with firewalls.

What you could do is log all denies temporarily on the context; this would show you if any extra traffic you were unaware of is being denied and hence causing the slow response.

The other thing to check is the resource allocation between contexts on your FWSM; make sure that the context that is responding so slowly is not being starved of resources.

Jon
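One way to act on the suggestion above to log denies temporarily, as an added example that is not part of the original reply: summarise the denied flows that involve the slow server so that unexpected side traffic (such as the DNS lookup mentioned) stands out. The log lines are constructed and modeled on the 106023 deny syslog message; the server address 10.10.20.5, the peer addresses and the function name are assumptions, and the regex may need adjusting to the exact lines your context emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread), modeled on the
# 106023 "Deny <proto> src ... dst ... by access-group" message.
SAMPLE_LOG = """\
Jan 12 10:01:02 fw %FWSM-4-106023: Deny udp src inside:10.10.20.5/51512 dst outside:192.0.2.53/53 by access-group "inside_in"
Jan 12 10:01:07 fw %FWSM-4-106023: Deny udp src inside:10.10.20.5/51512 dst outside:192.0.2.53/53 by access-group "inside_in"
Jan 12 10:01:12 fw %FWSM-4-106023: Deny udp src inside:10.10.20.5/51513 dst outside:192.0.2.53/53 by access-group "inside_in"
Jan 12 10:01:13 fw %FWSM-4-106023: Deny tcp src inside:10.10.20.5/40112 dst outside:10.10.30.7/113 by access-group "inside_in"
Jan 12 10:01:14 fw %FWSM-4-106023: Deny icmp src outside:10.10.30.9 dst inside:10.10.40.1 (type 8, code 0) by access-group "outside_in"
Jan 12 10:01:15 fw %FWSM-6-302013: Built inbound TCP connection 1001 for outside:10.10.30.7/50211 (10.10.30.7/50211) to inside:10.10.20.5/1521 (10.10.20.5/1521)
"""

# Ports are optional because ICMP denies carry a type/code instead.
DENY_RE = re.compile(
    r"%FWSM-\d-106023: Deny (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
)

def summarize_denies(log_text, server_ips):
    """Count denied flows involving the servers.

    Keys are (direction, protocol, peer address, destination port).
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny message
        if m["sip"] in server_ips:
            key = ("from-server", m["proto"], m["dip"], m["dport"])
        elif m["dip"] in server_ips:
            key = ("to-server", m["proto"], m["sip"], m["dport"])
        else:
            continue  # deny unrelated to the slow application
        counts[key] += 1
    return counts

if __name__ == "__main__":
    # Most frequent denies first: repeated retries point at a timeout.
    for key, n in summarize_denies(SAMPLE_LOG, {"10.10.20.5"}).most_common():
        print(n, *key)
```

Repeated denies of the same flow from the server a few seconds apart are the pattern to look for, since each retry adds to the delay the client sees.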
