Download Speed on PIX 515E is Pretty Slow

jhanington
Level 1

Hello, I have a PIX 515E set up between our office switch and our Comcast Business Router and the download speeds are not as fast as they should be. We are paying for 30 down 30 up but it's more like 10 down 30 up. I plugged a computer directly into the router and got 30/30, so I know it's not a Comcast issue. I think it might be the low amount of memory on the PIX because it's running at 109 out of a total 128 MB. The PIX has a site-to-site VPN tunnel with a remote ASA 5520 firewall. The inside/outside ports are both auto/auto. The running config is only 161 lines.

Here's some information about the PIX 515E...

Version 8.0(4)

ASDM 6.1(3)

Memory 128MB

Here is the running config..

Result of the command: "show running-config"

: Saved

:

PIX Version 8.0(4)

!

hostname --------------------

domain-name -----------------

enable password -------------------------

passwd --------------- encrypted

names

name 1.1.1.1 Data-Center-Firewall    #### Outside Address Changed

name 10.0.0.0 Data-Center-Subnet

dns-guard

!

interface Ethernet0

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254

!

interface Ethernet1

nameif outside

security-level 0

ip address 2.2.2.1 255.255.255.252   #### Outside Address Changed

!

interface Ethernet2

description LAN/STATE Failover Interface

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name -------------

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service http8080 tcp

description http8080

port-object eq 8080

object-group service DM_INLINE_TCP_1 tcp

port-object range 50000 50100

port-object eq 990

access-list outside_access_in remark ip, tcp/990

access-list outside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.5 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit icmp any any

access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

failover

failover lan unit primary

failover lan interface failover Ethernet2

failover lan enable

failover key *****

failover replication http

failover mac address Ethernet0 001e.f732.008f 000d.28f9.628f

failover mac address Ethernet1 001e.f732.0090 000d.28f9.6290

failover link failover Ethernet2

failover interface ip failover 10.10.10.10 255.255.255.252 standby 10.10.10.20

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image flash:/asdm-613.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list ACL-VPN

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 2.2.2.5 10.10.1.102 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 2.2.2.2 1

route inside 10.10.0.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.0.0 255.255.255.0 inside

http 10.10.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map MAP-VPN 1 match address ACL-VPN

crypto map MAP-VPN 1 set pfs

crypto map MAP-VPN 1 set peer Data-Center-Firewall

crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA

crypto map MAP-VPN 1 set security-association lifetime seconds 28800

crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000

crypto map MAP-VPN interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.10.1.0 255.255.255.0 inside

telnet 10.10.0.0 255.255.255.0 inside

telnet timeout 5

ssh 10.10.0.0 255.255.255.0 inside

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

!

class-map class_ftp

match port tcp eq ftp-data

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

class class_ftp

  inspect ftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b795d4f5f5da3d8283d452ba857d5534

: end

1 Accepted Solution


Hello jack,

1. When you connect links directly to the laptops or desktops, they adjust the mtu to the best available for throughput.

Try changing the mtu on the pix to a lower value on decrements of 32 and test.

2. Try no service-policy global_policy global once. Since you mentioned download is slow.

Rgds/dp

Pls rate useful posts.

Sent from Cisco Technical Support Android App


7 Replies

Hi Bro

Personally, I don't think this is a Cisco FW issue. However, I stand corrected. Before we conclude anything, could you fix the Eth0 and Eth1 port speed/duplex to 100FULL. Next, could you place a laptop directly to the Eth0 interface and verify once again the download/upload speed?

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7

Hi Jack,

Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.

Check for the processes usage of the cpu of the pix.

Check on the interface whether you get any crc/input/overrun errors. Please check with the physical connectivity.

Enable flowcontrol receive on on the firewall interfaces and switch/router interfaces connected to the firewall.

Please do rate if the given information helps.

By

Karthik

Please check on the speed and duplex settings whether the downstream and upstream links are fine and healthy.

Inside/outside are both set to auto/auto at

Check for the processes usage of the cpu of the pix.

CPU is running at 2%

Process:      tmatch compile thread, PROC_PC_TOTAL: 2, MAXHOG: 8, LASTHOG: 8

LASTHOG At:   19:01:15 EST Dec 31 1992

PC:           26b616 (suspend)

Process:      tmatch compile thread, NUMHOG: 2, MAXHOG: 8, LASTHOG: 8

LASTHOG At:   19:01:15 EST Dec 31 1992

PC:           26b616 (suspend)

Traceback:    26b616  26bdb9  26ec89  1182b3

Process:      Dispatch Unit, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   09:25:12 EDT Jul 18 2012

PC:           130114b (interrupt)

Traceback:    100178  12edd0c  9771e5  8c0e66  927164  928996  8ec3f5

              8ec7ed  79d35e  2780c3  1182b3

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   12:27:25 EDT Jul 18 2012

PC:           130114b (interrupt)

Traceback:    100178  d870cb  13016b3  15cf68  e91a6f  e9118b  abfcea

              a7cb2e  a7daeb  18d800  5ae9a9  5a6aa0  5a7272  5a75e5

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 7, LASTHOG: 7

LASTHOG At:   12:34:10 EDT Jul 18 2012

PC:           5ae903 (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 7, LASTHOG: 7

LASTHOG At:   12:34:10 EDT Jul 18 2012

PC:           5ae903 (suspend)

Traceback:    5ae903  5a6aa0  5a7272  5a75e5  5ad3d5  1182b3

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 4, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   12:37:47 EDT Jul 18 2012

PC:           f4078b (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 4, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   12:37:47 EDT Jul 18 2012

PC:           f4078b (suspend)

Traceback:    f40be2  130f41e  aab54d  aac3b0  5a6c2e  5a7272  5a75e5

              5ad3d5  1182b3

Process:      IKE Daemon, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   23:07:40 EDT Jul 19 2012

PC:           1b6dd0 (interrupt)

Traceback:    100178  1b8a31  1baaeb  6438d7  12efc6f  64250b  653fe9

              654b78  1182b3

Process:      IKE Daemon, PROC_PC_TOTAL: 347, MAXHOG: 31, LASTHOG: 30

LASTHOG At:   16:01:55 EDT Jul 23 2012

PC:           654bab (suspend)

Process:      CTM message handler, PROC_PC_TOTAL: 346, MAXHOG: 27, LASTHOG: 27

LASTHOG At:   16:01:55 EDT Jul 23 2012

PC:           2087ec (suspend)

Process:      IKE Daemon, NUMHOG: 693, MAXHOG: 31, LASTHOG: 27

LASTHOG At:   16:01:55 EDT Jul 23 2012

PC:           654bab (suspend)

Traceback:    1182b3

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 5, LASTHOG: 5

LASTHOG At:   17:23:30 EDT Jul 23 2012

PC:           130003b (interrupt)

Traceback:    100178  13008b8  f5a0cd  f5ac32  f5ae40  f60828  f617c1

              d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5

Process:      Dispatch Unit, PROC_PC_TOTAL: 227, MAXHOG: 432, LASTHOG: 35

LASTHOG At:   17:37:03 EDT Jul 23 2012

PC:           278207 (suspend)

Process:      Dispatch Unit, NUMHOG: 227, MAXHOG: 432, LASTHOG: 35

LASTHOG At:   17:37:03 EDT Jul 23 2012

PC:           278207 (suspend)

Traceback:    278207  1182b3

Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1901, MAXHOG: 8, LASTHOG: 7

LASTHOG At:   17:44:20 EDT Jul 23 2012

PC:           118ed5 (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 1901, MAXHOG: 8, LASTHOG: 7

LASTHOG At:   17:44:20 EDT Jul 23 2012

PC:           118ed5 (suspend)

Traceback:    118ed5  b2d032  f5a80d  f5ac0a  f5ae40  f607e5  f617c1

              d38a0d  aab50b  aac14a  5a6c2e  5a7272  5a75e5  5ad3d5

CPU hog threshold (msec):  5.120

Last cleared: None

Check on the interface whether you get any crc/input/overrun errors. Please check with the physical connectivity.

Interface Ethernet0 "inside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address __________, MTU 1500

    IP address 10.10.1.1, subnet mask 255.255.255.0

    60862937 packets input, 29025667892 bytes, 0 no buffer

    Received 1371 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    68515603 packets output, 44084404472 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    input queue (curr/max packets): hardware (0/1) software (0/47)

    output queue (curr/max packets): hardware (0/67) software (0/1)

  Traffic Statistics for "inside":

    60997029 packets input, 28080179952 bytes

    68553614 packets output, 43104566708 bytes

    29544 packets dropped

      1 minute input rate 63 pkts/sec,  30371 bytes/sec

      1 minute output rate 64 pkts/sec,  16557 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 91 pkts/sec,  45254 bytes/sec

      5 minute output rate 93 pkts/sec,  56181 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface Ethernet1 "outside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

    MAC address ___________, MTU 1500

    IP address ___________, subnet mask 255.255.255.252

    67730933 packets input, 44248541375 bytes, 0 no buffer

    Received 4493 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    60418640 packets output, 29310509840 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 babbles, 0 late collisions, 0 deferred

    0 lost carrier, 0 no carrier

    input queue (curr/max packets): hardware (0/1) software (0/39)

    output queue (curr/max packets): hardware (0/42) software (0/1)

  Traffic Statistics for "outside":

    67782987 packets input, 43276611710 bytes

    60562287 packets output, 28342787997 bytes

    206651 packets dropped

      1 minute input rate 57 pkts/sec,  14273 bytes/sec

      1 minute output rate 61 pkts/sec,  30258 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 89 pkts/sec,  54426 bytes/sec

      5 minute output rate 87 pkts/sec,  45115 bytes/sec

      5 minute drop rate, 0 pkts/sec

Enable flowcontrol receive on on the firewall interfaces and switch/router interfaces connected to the firewall.

Not sure how to do that.

!

interface Ethernet0

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254

!

interface Ethernet1

speed 100

duplex full

nameif outside

security-level 0

ip address 2.2.2.1 255.255.255.252 #### Outside Address Changed

Note: Make sure you do the same for the direct attached switchports too

Warm regards,
Ramraj Sivagnanam Sivajanam

The MTU was the problem, ran a bunch of pings with a do not fragment option until I got to 1272 so 1300 is my MTU. Speeds are closer to what they should be now. We recently switched to Comcast Business and I guess their MTU is 1300. Thanks everyone for the help!

Great to know that it was helpful.

Pls rate the post.

Sent from Cisco Technical Support Android App
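
The DF-bit ping test described in the thread (largest unfragmented payload 1272, so MTU 1300), sketched as an added example that is not part of the original posts. It assumes Linux iputils `ping`; the function names and the simulated probe are hypothetical and constructed so the search can be run offline.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses a path with the
# Don't Fragment bit set, then derive the MTU to configure on the firewall.
# Assumes Linux iputils ping (-M do sets DF, -s sets payload bytes).

ICMP_IP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Real probe: succeeds only if a DF-flagged echo of $1 payload bytes is answered.
probe_ping() {
    ping -M do -c 1 -W 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# Constructed probe for offline runs: behaves like a path whose MTU is 1300.
probe_simulated_1300() {
    [ $(( $1 + $ICMP_IP_OVERHEAD )) -le 1300 ]
}

# find_max_payload LOW HIGH PROBE_FN
# Binary search for the largest payload PROBE_FN accepts. Fails (status 1) if
# even LOW is rejected, so an unreachable host is not reported as a tiny MTU.
find_max_payload() {
    fmp_lo=$1; fmp_hi=$2; fmp_probe=$3
    "$fmp_probe" "$fmp_lo" || return 1
    while [ "$fmp_lo" -lt "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi + 1) / 2 ))
        if "$fmp_probe" "$fmp_mid"; then
            fmp_lo=$fmp_mid
        else
            fmp_hi=$(( fmp_mid - 1 ))
        fi
    done
    echo "$fmp_lo"
}

# payload_to_mtu PAYLOAD -> IP MTU that carries that payload unfragmented.
payload_to_mtu() {
    echo $(( $1 + $ICMP_IP_OVERHEAD ))
}

# Usage: ./pmtu.sh <host> [pix-interface-name]; with no host, nothing is sent.
if [ -n "${1:-}" ]; then
    TARGET=$1
    payload=$(find_max_payload 500 1472 probe_ping) || {
        echo "no reply at 500 bytes: host down or ICMP filtered" >&2; exit 1; }
    echo "largest DF payload: $payload"
    echo "mtu ${2:-outside} $(payload_to_mtu "$payload")"
fi
```

The last line printed has the same form as the `mtu outside 1500` statement in the posted running config, with the measured value in place of 1500.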
