Pix 515E UR Bundle is degrading performance badly

dennylester · ‎07-05-2005

We just implemented a Pix 515E FOS version 6.3(4). Connected to one interface is a router which ties in all of our remote sites via a frame relay cloud. Our Terminal servers are connected to another Interface. Our database servers behind another. Our DMZ behind another and finally our Internet on the outside interface.

Since implementing this over the weekend, the applications running on the Terminal Servers have taken a severe impact when accessing the database. I'd say response times have degraded by as much as 50% in some cases. Other times things run fine. It's very up and down. When the Terminal Servers print to the 100+ Jet Directs connected at the remote sites, the jobs now hang half way through printing, then resume, then hang, then resume.

I'm at a total loss. I was the one who recommended the Pix over some of the others out there and now my boss is constantly asking me what the problem is.

I've checked the Pix CPU Usage and it's around 3%, which tells me the Pix is hardly breaking a sweat. What else can I check? Everything does run, which tells me the proper ports are open, it just really drags at times. No errors in the Windows event logs.

I put a post in the MS Sql servers group and someone responded with, it is to be expected since the inspection of the packets takes time. I never considered the Pix was this slow.

Any thought on this? Please.

Denny

ehirsel · ‎07-06-2005

Please check these two things and let me know what you find:

1. Insure that all pix interfaces and the switch ports that they connect to are not set to autonegotiate. If any are set to auto, explicitly set the speed and duplex settings on both ends.

2. Run the show icmp command on the pix and post the results here. Also note if any connection to a remote site is via a vpn, or if GRE is used (or both). Path mtu discovery may not be working properly and cause what you are seeing.

dennylester · ‎07-06-2005

The SHOW ICMP command returns nothing.

I think you pointed me in the right direction with the port settings. I just noticed one of my fiber transceivers is running in full duplex while the other is running in half duplex. The port that ties all the servers in is running in half duplex.

The port settings crossed my mind when I hooked this all up but I never followed through on checking the settings.. I should have known better.

Once I make the settings change I'll post the results back here.

Thank you so much,

Denny

cloun81 · ‎07-06-2005

I have the same problem.

I have three networks outside (Internet), DMZ, Inside (LAN). DMZ has Web servers like WWW, FTP, Mail.

I'm using nat exemption between Inside and DMZ interface and nat static translation without changes of IPs.

If I make one download from DMZ to Inside (ftp or samba) speed is about 25 Mbit/s on interface. If I make one more download from DMZ to Inside speed is falling to about 16 Mbit/s. If I make upload from Inside to DMZ at the same time speed is falling to about 3-4 Mbit/s in two ways. CPU load is 2-3 %.

Speed must be near 90 Mbit/s, I think. And no degrade in case with some loading threads.

Manual speed and duplex setting make no change in speed.

I need solution to speed up.

Evgeniy

dennylester · ‎07-07-2005

Just wanted to let you know the duplex setting was the issue for us. The Pix auto set some ports to half while the port it was plugged into on the switch was running at full. I also had another duplex mismatch between the Pix and our fiber media converters.

I locked everything in at 100Full and had to power cycle the media converters before they would accept the full duplex setting. After that, our network seems to be running better than before we implemented the Pix.

I take back everything I thought about the Pix (so far that is)..

Thank you again,

Denny