PCOIP perormance through ASA

mmedwid · ‎03-20-2012

Has anyone experienced a slowdown in VMWare (v5) VDI with PCOIP screen refresh rates when the traffic goes through a Cisco ASA firewall (version 7.? - I'm not at work as this question came to mind.) Any special commands one might be able to put in place on the ASA to be particularly friendly to PCOIP traffic? Thank you.

Julio Carvajal · ‎04-11-2013

You first will need to determine whether the asa is the issue or not,

enable logging and take captures,

once you have that let us know as I will be more than glad to fix this with you

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎04-12-2013

1- how is logging going to help you?

2- how are you going to decrypt the capture if the data is "encrypted" if it is enabled with PCoIP?

Julio Carvajal · ‎04-12-2013

Hello david,

As usual questioning my answers

1) I mean how could not help!!! Logs as captures don't lie.. so as long as a connection is failing across the firewall we must check the logs, have you ever troubleshoot VPNs across the firewall ( the key part is across). Logs could tell us whether we are having a nat problem,etc,etc,etc.

2)Even though is on by default, customer might have it off, or we could turn it off for testing purposes,

All I am doing is trying to help, if you have a better troubleshooting step be more than glad to help

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎04-12-2013

by reading the original post "Has anyone experienced a slowdown in VMWare (v5) VDI with PCOIP screen refresh rates when the traffic goes through a Cisco ASA firewall (version 7.?", one can reasonably assume that the traffics do make it through the firewall and that it is working but very slow. In other words, the poster has confirmed that firewall rules and NAT (if any) is already working.

In most production environments, turning off encryption is not an option, even for testing purposes.

Julio Carvajal · ‎04-12-2013

Hello,

either way we must check the information in order to check for a patter,

Or may be next time I should answers to questions like this: No I have not experienced this , and I cannot help you as the traffic must be encrypted.... I don't think that is the proper way to go,

We are help to help and to try to correlate the issues to something,

We are not 100 % sure the traffic is being encrypted but even if it's being encrypted we could use a capture and on wireshark check the round trip time to determine if the ASA is the point where traffic is being slow down, Have you ever deal with a case like this,

Have a great day

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎04-12-2013

Hi Jcarvaja,

I am just joking . I know you've been very active in this forum and I use many of your advises as well. I know you're trying to help and really appreciate it. I do have to say that Cisco TAC supports are many times better than Checkpoint

Please don't stop.

Thanks,

Julio Carvajal · ‎04-12-2013

Hello David,

Great to hear that you think that

I won't stop

Have a great day,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC