07-09-2004 02:57 AM - edited 02-20-2020 11:30 PM
Hi,
We currently have a 515 PIX with hot standby. When connecting to a client FTP site (SSL, port 990) through the firewall (using NAT), performance is very slow, about 20 Kbps (however, we can open numerous connections which all get 20 Kbps). If we put a test laptop outside of the firewall and try the same connection we can get 150 Kbps, so it seems that the firewall is severely slowing the connection down. I've tried this from one of our other sites with another PIX and the connection speed is good. So it seems that it must be a setting on our 515 that is causing the problem. I have tried taking the hot standby out of the equation just in case this was causing the problem, but no difference. The only other difference I can see between the problem site and the other site which works fine is that we have a lot more rules (about 150) in our policy. Has anyone got any ideas what setting may be causing this problem? Or has anyone seen the same issue?
07-09-2004 05:34 AM
Check these two things:
1. Are any firewall interfaces using auto-negotiation for line speed/duplex? If so, then explicitly code the speed and duplex on both the PIX and the switch/hub that it connects to. Do this for all interfaces.
2. Are you running any packet traces, particularly debug packet? The capture process, similar to Unix tcpdump, to my knowledge does not impact performance, but debug packet does. While you are checking, look at the syslog level: is it set to debug, and if so, does it send syslog requests using the same interface as incoming or outgoing connections, or does it use a separate interface?
Let me know what you find.
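The two checks above can be turned into a quick script. The following is an added example and is not code from the thread or from Cisco: it parses the counters from PIX "show interface" output and the per-interface speed/duplex lines from the running config, and flags the classic duplex-mismatch signatures (CRC errors and runts on the full-duplex side, late collisions on the half-duplex side) plus any interface still set to auto. The sample output and config fragment are constructed to approximate the PIX 6.x format and are trimmed to the lines the parser reads; the interface names, counters and addresses are made up.

```python
"""Spot a PIX speed/duplex mismatch from "show interface" counters.

Added example (not from the thread). The samples are constructed to
approximate PIX 6.x output and are not captured from a real device.
"""
import re

# Constructed "show interface" sample: ethernet0 healthy, ethernet1 full duplex
# but collecting CRC/runts (peer is half), ethernet2 half duplex collecting
# late collisions (peer is full). Lines the parser ignores were trimmed.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        Received 1220 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        Received 2201 broadcasts, 418 runts, 0 giants
        3187 input errors, 2769 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
interface ethernet2 "failover" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        Received 300 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 212 collisions, 0 interface resets
        0 babbles, 97 late collisions, 0 deferred
"""

# Constructed running-config fragment (PIX 6.x syntax): ethernet2 still auto-negotiates.
SAMPLE_CONFIG = """\
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
"""

HEADER_RE = re.compile(r'^interface (\S+) "([^"]*)" is (\w+), line protocol is (\w+)')
BW_RE = re.compile(r'BW (\d+) Kbit (full|half) duplex')
# Longer alternatives first so "late collisions" is not consumed as "collisions".
COUNTER_RE = re.compile(r'(\d+) (late collisions|input errors|collisions|CRC|runts)\b')
COUNTERS = ("CRC", "runts", "input errors", "collisions", "late collisions")


def parse_show_interface(text):
    """Return one dict per interface with status, speed, duplex and error counters."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "nameif": m.group(2),
                       "status": m.group(3), "protocol": m.group(4),
                       "speed_kbit": None, "duplex": None,
                       "counters": dict.fromkeys(COUNTERS, 0)}
            interfaces.append(current)
            continue
        if current is None:
            continue
        m = BW_RE.search(line)
        if m:
            current["speed_kbit"] = int(m.group(1))
            current["duplex"] = m.group(2)
        for m in COUNTER_RE.finditer(line):
            current["counters"][m.group(2)] = int(m.group(1))
    return interfaces


def diagnose(iface):
    """Duplex-mismatch signatures: the full-duplex side counts CRC errors and runts
    (it receives while the half-duplex peer backs off), the half-duplex side
    counts late collisions. Returns a list of findings, empty if none."""
    c = iface["counters"]
    findings = []
    if iface["duplex"] == "full" and (c["CRC"] or c["runts"]):
        findings.append("full duplex but counting CRC/runts: peer is likely half duplex")
    if iface["duplex"] == "half" and c["late collisions"]:
        findings.append("half duplex with late collisions: peer is likely full duplex")
    return findings


def autoneg_interfaces(config_text):
    """Names of interfaces whose PIX 6.x 'interface <name> <setting>' line is 'auto'."""
    return [m.group(1) for m in
            re.finditer(r'^interface (\S+) auto\s*$', config_text, re.M)]


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE_SHOW_INTERFACE):
        problems = diagnose(iface)
        print(f'{iface["name"]} ({iface["nameif"]}) {iface["speed_kbit"]} Kbit '
              f'{iface["duplex"]} duplex: {"; ".join(problems) or "ok"}')
    for name in autoneg_interfaces(SAMPLE_CONFIG):
        print(f"{name}: auto-negotiating; hard-code speed/duplex here and on the switch port")
```

Run it against the real output of "show interface" and "show running-config" after clearing the counters and letting the slow transfer run for a minute; counters that were already non-zero before the test tell you nothing. A firewall interface can report full duplex and still be mismatched, as happened in this thread, because the PIX side being hard-coded does not make the switch port follow: the fix is to set the same fixed speed and duplex on both ends (PIX 6.x syntax "interface ethernet0 100full", and "speed 100" with "duplex full" on a Catalyst IOS port), or to leave both ends on auto, never one of each.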
07-09-2004 07:25 AM
The firewall interfaces were set to 100/FD but the switch it was plugged into wasn't. Changed the switch port to 100/FD also and this solved it.
Thanks for your help. Do you have any idea why this affects SSL FTP and not other protocols, though? It just seems weird that we were getting good throughput for all the other protocols.
Thanks
07-12-2004 10:46 AM
With mismatched speed and duplex settings, it is hard to tell why one protocol will work and not another. I can tell you that generally FTP will be of a higher volume than other protocols, and some, like HTTP, will check the cache and only go back to the origin server if the cache has expired.
But I have also seen cases where mismatched settings cause problems even for low volume traffic.
At any rate, I'm glad your issue was fixed.