Pix 501 Kills internet connection speeds

bryweb (Level 1)

I have used this Pix 501 at two locations since it was purchased new 7 months ago (What's the warranty?). The first location had the same problem: massive speed loss (1.5/1.5 was running at 100/300), which the ISP tech support attributed to the Pix not being able to handle an ATM (Norvergance) connection, so we replaced it with a Firebox (runs AOK now) and I installed the Pix 501 at a different location, a hosting facility where I have (2) Internet servers (previously a single server ran fine on a DLink router).

Server A= Windows 2003 SBS (1) NIC

Server B= Windows 2000 Server (1) NIC

Before, with the Dlink, I would always pull over 2000/2000; now with the Pix it varies quite a bit but it is always way low, like 28/219 or 32/354.

I have updated my IOS and PDM, reset numerous times to the factory config and redid my settings, and I have looked at the tech support link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml. I am beginning to think the firewall is bad (What's the warranty again? I think it's 6 months from production date).

The configuration is in the following post. Please try to keep your answers/suggestions simple; I am still classifying myself as a newbie.

Thanks in advance for your help,

Bryan

11 Replies

bryweb (Level 1)

My configuration is as follows (banners and a few conduits removed so the size was postable):

PIX Version 6.3(3)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (removed)
passwd (removed) encrypted
hostname pix-1
domain-name mydomain.local
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.34.56.90 Server02-WAN (Changed)
name 12.34.56.83 Server01-WAN (Changed)
name 10.1.64.90 Server02-LAN
name 10.1.64.83 Server01-LAN
pager lines 24
logging on
logging console informational
logging monitor informational
logging buffered informational
icmp permit host 64.12.12.218 inside (Changed)
mtu outside 1500
mtu inside 1500
ip address outside 12.34.56.82 255.255.255.240 (Changed)
ip address inside 10.1.64.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 64.12.12.218 255.255.255.255 outside
pdm location Server01-WAN 255.255.255.255 outside
pdm location Server02-WAN 255.255.255.255 outside
pdm location Server01-LAN 255.255.255.255 inside
pdm location Server02-LAN 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Server01-WAN Server01-LAN netmask 255.255.255.255 0 0
static (inside,outside) Server02-WAN Server02-LAN netmask 255.255.255.255 0 0
conduit permit tcp host Server02-WAN eq pop3 any
conduit permit tcp host Server02-WAN eq smtp any
conduit permit tcp host Server02-WAN eq www any
conduit permit tcp host Server02-WAN eq https any
conduit permit tcp host Server02-WAN eq domain any
conduit permit udp host Server02-WAN eq domain any
conduit permit tcp host Server02-WAN eq 9998 any
conduit permit tcp host Server02-WAN eq 9999 any
conduit permit tcp host Server01-WAN eq 9999 any
conduit permit tcp host Server01-WAN eq 9998 any
conduit permit tcp host Server01-WAN eq www any
conduit permit tcp host Server01-WAN eq domain any
conduit permit tcp host Server01-WAN eq https any
conduit permit tcp host Server01-WAN eq ftp any
conduit permit udp host Server01-WAN eq domain any
conduit permit tcp host Server02-WAN eq ftp any
conduit permit tcp host Server01-WAN eq pop3 any
conduit permit tcp host Server01-WAN eq smtp any
route outside 0.0.0.0 0.0.0.0 12.34.56.81 1 (Changed)
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 64.12.12.218 255.255.255.255 outside (Changed)
http 10.1.64.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside Server02-LAN \pixconfigure.txt
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet 64.12.12.218 255.255.255.255 outside (Changed)
telnet 10.1.64.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.64.2-10.1.64.10 inside
dhcpd dns 207.7.4.66 207.7.4.67
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain digitalbackups.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:(Removed)
: end

show int (external IP address changed):

interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bc71.5a42
  IP address 66.12.12.82, subnet mask 255.255.255.240
  MTU 1500 bytes, BW 10000 Kbit full duplex
        61083 packets input, 18830706 bytes, 0 no buffer
        Received 1485 broadcasts, 40 runts, 0 giants
        2393 input errors, 1228 CRC, 1125 frame, 0 overrun, 1228 ignored, 0 abort
        67101 packets output, 30719808 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/13)
        output queue (curr/max blocks): hardware (0/13) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 000d.bc71.5a43
  IP address 10.1.64.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        54865 packets input, 15733216 bytes, 0 no buffer
        Received 498 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        53254 packets output, 21370234 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/25)
        output queue (curr/max blocks): hardware (1/47) software (0/1)

and show xlate:

2 in use, 2 most used
Global Server01-WAN Local Server01-LAN
Global Server02-WAN Local Server02-LAN

In case it helps,

Thanks, Bryan

I note that you have the logging level set to info on the console and monitor as well as the buffer. Is there an active console connection, such as a PC or a terminal server that is always connected? If so, I would set the logging level to error on the console and monitor. If not, then turn console and monitor logging off. That type of logging can degrade performance. Also, are there any debug commands that are active? The show debug command will tell you that. If so, then turn them off unless you are actively troubleshooting another issue.

Another thing to check would be to make sure that the switch ports the pix connects to are set to match what the pix interfaces are with regards to duplex and line speed.

Let me know what you find.

Thanks for your reply,

I have made sure all logging is turned off, and debug is off as well; still no luck.... speeds are pitiful. Running a speed test to an area speed test site (chi.speakeasy.net) away from my service I can hit in excess of 25000/25000 (yes, that's right); behind the pix, 2 down / 650 up. I one more time loaded the latest (copy tftp flash) pix633.bin and ran (config factory-default) with no improvements. Any other ideas?

Thanks

How is the speed test conducted? What protocols and ports are used in the test? Are the clients running the MS Win OS?

This may be related to a path MTU discovery issue. At the pix, run the show icmp command and let me know what it states.

pixfirewall(config)# show icmp
icmp permit any outside
icmp permit any inside

(I turned them on while troubleshooting.)

Speed test run from a Windows 2000 server.

Speed tests run from http://chi.speakeasy.com

Sorry, I can not tell you what port; the long line of gibberish in the PDM console did not seem to define it (and won't allow me to copy/paste that line), and I can't seem to get the logging to turn on during the telnet session to copy it (I have before on other Pixes), sorry. (Turned on PDM logging to try to capture lines.)

I did however at one point cut the MTUs for each, then both, interfaces to 1400 while trying to troubleshoot. I also forwarded this link to my co-location company http://www.cisco.com/warp/public/110/pixperformance.html and requested them to confirm their port/duplex speed settings (I am at 10Full on the ext int) and to have them review the PortFast, Channeling and Trunking section. I have not heard from them, although this is now two locations where I have had problems with this Pix.

I really appreciate your help on this. I would be happy to open telnet and PDM access to your IP, as well as VNC or Terminal Services to one of the servers, if this would help you any. Not asking you to fix it, just trying to make it easier for you to help me troubleshoot it (-:

Me very frustrated, I have installed 40-50 pix 501s in various simple configs, never had a problem like this one, of course this one I am using myself, so go figure.

Mucho Thanks, I can't tell you how much I appreciate the help, Bryan

With the input and CRC errors on the outside interface, I would try configuring it for half duplex or auto (but I don't recall if that is allowed on the outside int of a 501).

clear interface will clear the interface error counts, IIRC. Do that, then run the speed test, then sho int to see if the error count jumped up.
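One way to work through the check the replies above describe, as an added example that is not from the thread or from Cisco: a small Python parser for PIX 6.x show interface output that applies the duplex-mismatch heuristic (CRC/frame errors and runts on a link that reports full duplex) plus an input-error ratio to the counters Bryan posted. Run it on a capture taken after clear interface and again after the speed test to see whether the error counters are growing.

```python
import re

# Sample "show interface" output, copied from the two blocks posted in this thread (PIX 6.3 format).
SHOW_INT = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit full duplex
        61083 packets input, 18830706 bytes, 0 no buffer
        Received 1485 broadcasts, 40 runts, 0 giants
        2393 input errors, 1228 CRC, 1125 frame, 0 overrun, 1228 ignored, 0 abort
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        54865 packets input, 15733216 bytes, 0 no buffer
        Received 498 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

COUNTERS = ("packets input", "runts", "input errors", "CRC", "frame")

def parse_show_interface(text):
    """Return {ifname: {"duplex": str, counter: int, ...}} from PIX 6.x output."""
    ifaces, cur = {}, {}          # cur is a throwaway dict until the first interface header
    for line in text.splitlines():
        m = re.match(r'interface \S+ "(\w+)"', line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        dm = re.search(r'\b(full|half) duplex', line)
        if dm:
            cur["duplex"] = dm.group(1)
        for name in COUNTERS:
            cm = re.search(r'(\d+) ' + re.escape(name) + r'\b', line)
            if cm:
                cur[name] = int(cm.group(1))
    return ifaces

def assess(stats, warn_ratio=0.01):
    """Per interface, list symptoms that point at a speed/duplex mismatch with the switch."""
    findings = {}
    for name, s in stats.items():
        reasons = []
        # CRC, frame errors and runts on a link that believes it is full duplex are the
        # classic signature of the far end running half duplex (or a bad cable).
        if s.get("duplex") == "full" and any(s.get(k) for k in ("CRC", "frame", "runts")):
            reasons.append("CRC/frame/runts on a full-duplex link: check far-end duplex and cable")
        ratio = s.get("input errors", 0) / max(s.get("packets input", 0), 1)
        if ratio >= warn_ratio:
            reasons.append(f"input error ratio {ratio:.1%} (threshold {warn_ratio:.0%})")
        findings[name] = reasons
    return findings
```

On the posted counters the outside interface is flagged on both rules (about 3.9% of input packets were errored) while the inside interface is clean, which matches the replies' suspicion of the outside link.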

You can configure the outside interface speed and duplex on the 501. I have found that using auto can be problematic unless both ends of the link are Cisco devices and both interfaces are set to auto. Otherwise, it is better to go with either 10Mbps half (10baset) or 100Mbps full (100full).

Thank you for your responses, but today I got my hands on another Pix 501, and it worked perfectly on the first try with nearly no speed loss (pushing over 20Mbit in both directions). Apparently I have been fighting on and off for 6 months to get the pix to work, only to find out I got a bad pix, which unfortunately is out of warranty now. Kind of disappointed with the 6 month from production or 3 month from purchase warranty; I think it stinks for a high end product like Cisco. Oh well, $400 down the drain (unless someone has an idea what circuitry needs to be replaced or where I can get it repaired). Teach me not to call tech support on the first signs of trouble - damn pride. I really appreciate everyone's help in trying to resolve my problems, and sorry for the above rant! Thanks, Bryan

Glad to hear that your problem was fixed. Out of curiosity, are you using the same Cat5 cables with the new pix, or a different set? If you are using another set, or at least a new one to the provider connection, it could be a cabling issue.

The only item changed was the Pix 501 itself; all cables, power supply and such were the same.

Thanks for the help,

Bryan
