Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3498
Views
31
Helpful
34
Replies

PIX 515E slow http from inside to dmz network

kvoelker2000
Level 1
Level 1

‎10-17-2012 04:27 PM - edited ‎03-11-2019 05:11 PM

                  I have a PIX 515E V7.0.4 and I'm having trouble with http access between the inside interface and a DMZ zone I have.  I have a web server setup in the DMZ with an web interface to upload/download files.  I can connect to this interface from a workstation in the inside network but when I try to download a file it is incredibly slow.  If I upload a file there are no speed issues.  If I connect using an https connection then both upload and downloads are at speeds I would expect.

I have disabled http inspect but this didn't improve the speed connection.

Other http communications from inside to outside do not have any speed issues in either direction.

Any thoughts or suggestions appreciated.

Thanks,

Karl

Labels:
0 Helpful
34 Replies 34

Julio Carvajal
VIP Alumni
VIP Alumni
In response to kvoelker2000

‎10-24-2012 10:28 AM

Hello,

But you told me you do not see the latency when the traffic comes from outside to the HTTP server on the dmz? Is that correct?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

kvoelker2000
Level 1
Level 1
In response to Julio Carvajal

‎10-24-2012 11:51 AM

No,  web traffic from the outside to the server in the DMZ is that same as from the inside net.  Fast upload but slow download.  Other traffic to this server,  SMB, FTP, whether from the outside or inside works fine in both directions.  It appears to just affect http traffic in the DMZ zone.

Karl

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to kvoelker2000

‎10-24-2012 12:59 PM

Hello,

Got you know!

Okay first of all the PIX will handle all the HTTP connections on the same way. No additional inspection will be add it if the traffic goes to the DMZ. So right now again it looks like something else but first I need to probe you that.

Can you connect at least the DMZ server directly to the ASA DMZ interface and try a quick test?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

kvoelker2000
Level 1
Level 1
In response to Julio Carvajal

‎10-24-2012 01:43 PM

Same situation as far as getting approval.  The DMZ is our portal for external users and customers.  Taking this down, even only briefly, will take some time for me to schedule.  Are you trying to rule the 3Com switch as the problem?  I am planning on replacing it, with a 3560G, and could probably schedule that in the next couple days.  

Curious where you think the problem may be.

Thanks,

Karl

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to kvoelker2000

‎10-24-2012 01:47 PM

Hello,

I know but right now I can ensure that the PIX will handle traffic equally unless not configured like that, right now you have a basic setup so nothing is being changed, I saw that over the captures. Traffic are getting lost and not across the PIX.

So that is good, please keep us posted!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card