09-09-2005 01:41 AM - edited 02-21-2020 12:22 AM
I'm currently deploying a new site which includes a pair of PIX 525s in an active/passive failover configuration; they are running software version 7.0(1).
The PIXs have 3 network cards, configured as follows:
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address <externalIP> 255.255.254.0 standby <externalStandby>
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0 standby 192.168.0.2
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.0.0 standby 172.16.0.2
The VLAN outside the firewall, and the VLANs that comprise the inside and DMZ networks, are all gigabit capable, and most of the servers connected are running 1000MB full duplex.
Traffic between servers on the same VLAN is blindingly fast as you would expect, however traffic from the inside network to the DMZ network never seems to top 5MB's. I've currently enabled rules to allow all traffic between the inside and DMZ networks, and have disabled NAT for traffic between the two.
sh interface doesn't show anything obviously wrong (I've removed the outside statistics for post length reasons):
Interface Ethernet1 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0014.6996.525f, MTU 1500
IP address 192.168.0.1, subnet mask 255.255.0.0
21526309 packets input, 2743022502 bytes, 0 no buffer
Received 14621 broadcasts, 2813 runts, 0 giants
14073 input errors, 14073 CRC, 0 frame, 0 overrun, 14073 ignored, 0 abort
22600778 packets output, 20677698986 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/19) software (0/3)
Received 21524391 VLAN untagged packets, 2404304907 bytes
Transmitted 22615192 VLAN untagged packets, 20341972637 bytes
Dropped 20490 VLAN untagged packets
Interface Ethernet2 "DMZ", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 000e.0c7e.f8da, MTU 1500
IP address 172.16.0.1, subnet mask 255.255.0.0
22184403 packets input, 20553542713 bytes, 0 no buffer
Received 6757 broadcasts, 3141 runts, 0 giants
17246 input errors, 17246 CRC, 0 frame, 0 overrun, 17246 ignored, 0 abort
20786779 packets output, 2712512335 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/10)
output queue (curr/max blocks): hardware (0/9) software (0/3)
Received 22178902 VLAN untagged packets, 20233593375 bytes
Transmitted 20801409 VLAN untagged packets, 2359640696 bytes
Dropped 29592 VLAN untagged packets
Does anyone have any ideas why this traffic is so slow? The input queue hardware (128/128) seems to be the only candidate to me.
09-15-2005 06:27 AM
Your output shows some CRC errors and input drops. In how much time did the interface gather these errors and drops? In other words, clear the interface counters and then check these numbers. If they increment very fast, then it indicates an issue.
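A small triage script for the procedure in this reply (clear the counters, read again, see how fast the errors grow), added here as an example and not code from the thread: it parses blocks in the PIX 7.0 show interface layout quoted in the question, computes per-second counter growth between two readings while handling a clear in between, and reports the CRC/runt and speed/duplex findings the replies point at. The post-clear reading T1 is constructed.

```python
import re

# Constructed excerpts in the PIX 7.0 "show interface" layout quoted in the post: T0 reuses the
# post's DMZ counters, T1 is a hypothetical reading 60 s after "clear interface" reset them.
T0 = """Interface Ethernet2 "DMZ", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Received 6757 broadcasts, 3141 runts, 0 giants
17246 input errors, 17246 CRC, 0 frame, 0 overrun, 17246 ignored, 0 abort
"""
T1 = """Interface Ethernet2 "DMZ", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Received 40 broadcasts, 25 runts, 0 giants
130 input errors, 130 CRC, 0 frame, 0 overrun, 130 ignored, 0 abort
"""
COUNTERS = {"crc": r"(\d+) CRC", "runts": r"(\d+) runts", "late": r"(\d+) late collisions"}


def parse_show_interface(text):
    """Map nameif -> error counters plus a flag for configured vs negotiated speed/duplex."""
    result = {}
    for block in re.split(r"^(?=Interface )", text, flags=re.M):
        head = re.match(r'Interface \S+ "([^"]+)"', block)
        if not head:
            continue  # leading empty chunk from the split
        stats = {k: int(m.group(1)) if (m := re.search(p, block)) else 0
                 for k, p in COUNTERS.items()}
        # "Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)" reads as configured(negotiated)
        m = re.search(r"^(\S+?)\((\S+?)\), (\d+) Mbps\((\d+) Mbps\)", block, re.M)
        stats["link_mismatch"] = bool(m) and (m.group(1).lower(), m.group(3)) != (m.group(2).lower(), m.group(4))
        result[head.group(1)] = stats
    return result


def counter_rates(before, after, seconds):
    """Per-second growth of each counter; a drop means it was cleared, so 'after' is the delta."""
    return {k: (after[k] - before[k] if after[k] >= before[k] else after[k]) / seconds
            for k in COUNTERS}


def diagnose(stats, rates, crc_per_sec=0.1):
    """Findings in the order the replies suggest: rate of growth first, then duplex/speed."""
    findings = []
    if rates["crc"] > crc_per_sec:
        findings.append(f"CRC counter still climbing at {rates['crc']:.2f}/s after clear: active fault")
    if stats["crc"] and stats["runts"]:
        findings.append("CRC errors together with runts: duplex mismatch or cabling on this link")
    if stats["late"]:
        findings.append("late collisions: this side runs half-duplex against a full-duplex peer")
    if stats["link_mismatch"]:
        findings.append("configured and negotiated speed/duplex differ: pin the switch port too")
    return findings


if __name__ == "__main__":
    t0, t1 = parse_show_interface(T0)["DMZ"], parse_show_interface(T1)["DMZ"]
    print("\n".join(diagnose(t1, counter_rates(t0, t1, 60))))
```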
09-15-2005 11:12 AM
Check your duplex and interface speed settings on the switch and the firewall. Usually performance problems are caused by duplex problems.
Example: switch uses half-duplex and firewall full-duplex.
Set both of them fixed or set them to auto, depending on your options.
sincerely
Patrick
09-15-2005 11:03 PM
Fix also the speed of your switch to 100 full.