Bottom Line = We are experiencing VERY slow throughput, when going through a 2600, which is acting as a firewall between 2 networks.
Basic configuration = Workstations on Network 1 are connected to the 2600 through a Catalyst 2950, on the Network 2 side the switch is an HP 2524. The firewall allows Network 1 workstations to access Network 2 resources; Network 2 systems have no access to Network 1 resources.
Another 2600 is the main/WAN router on Network 1. That 2600 is configured to direct most Internet traffic through the Firewall 2600, to use Network 2 to access the Internet (because it has a much faster connection) -- only Internet traffic destined for the parent company's internal network goes out through Network 1's WAN link.
What we've done so far = We've tested the throughput "within" each network, and across the firewall. Within Network 1 we got upload/download speeds of 54/70 Mbps. Within Network 2 we got upload/download speeds of 41/67 Mbps. Across the firewall, we got upload/download speeds of 0.8/8 Mbps! The Firewall 2600 port utilization never gets very high.
The interfaces on the router and switch have both been set to "auto" negotiation and 100 Mbps/full-duplex -- with no change in the performance. Before hard-coding the interface settings, all interfaces were indicated as having set themselves to 100MB/FDx mode.
Does anyone have any clues as to what we should look at next?
Thanks for your guidance,
Can you check if there are any processes on the router that are using up a lot of CPU (show proc cpu)? Also, try and turn on CEF ('ip cef' globally) and see if that makes a difference.
Can you post the configuration of your router?
Sounds like you are process switching.
See this link for speeds on process switching for the 2600
I'd replace the firewall 2600 with a dedicated firewall.
Also make sure you don't have any debug and logging processes running. If you must have logging, see if you can't let a box handle it.
Also, I have experienced this with a 2621 router, and it was because I had multiple instances of authentication running. The 2600 series routers are rather old and can't handle the load very well.
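An added example, not part of the thread: one way to read the "show proc cpu" output the replies ask for and decide whether the router looks process-switched. The sample output is constructed, and the thresholds (busy, ip_input_share) and verdict names are assumptions chosen for illustration.

```python
import re

# Constructed sample in the layout of IOS "show processes cpu" (not from the thread).
SAMPLE = """\
CPU utilization for five seconds: 92%/9%; one minute: 88%; five minutes: 85%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1          12       345         34  0.00%  0.00%  0.00%   0 Load Meter
  28      912344   8812345        103 78.12% 74.50% 71.20%   0 IP Input
  41        4520     90211         50  3.10%  2.90%  2.80%   0 Exec
"""

# Header: first figure is total CPU, second is CPU spent at interrupt level
# (where fast-switched/CEF-switched packets are handled).
HEADER = re.compile(r"five seconds:\s*(\d+)%/(\d+)%")
ROW = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\d+\s+(.+?)\s*$"
)

def analyze(text, busy=50, ip_input_share=30.0):
    """Summarise 5-second CPU figures and return a verdict (thresholds are assumptions)."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt = int(m.group(1)), int(m.group(2))
    rows = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:  # (5-second %, process name, PID)
            rows.append((float(r.group(2)), r.group(3), int(r.group(1))))
    rows.sort(reverse=True)
    # "IP Input" is the IOS process that forwards packets punted out of the fast path.
    ip_input = next((pct for pct, name, _ in rows if name == "IP Input"), 0.0)
    process_level = total - interrupt
    if total < busy:
        verdict = "cpu-not-the-bottleneck"
    elif ip_input >= ip_input_share:
        verdict = "likely-process-switching"
    elif interrupt >= process_level:
        verdict = "busy-in-fast-path"
    else:
        verdict = "busy-other-process"
    return {"total": total, "interrupt": interrupt, "process_level": process_level,
            "ip_input": ip_input, "top": rows[:3], "verdict": verdict}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A "likely-process-switching" verdict is the case where enabling CEF and removing debug or per-packet logging, as suggested above, is worth trying first.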