01-22-2024 05:54 AM
Hi,
Having an issue with slow file transfer speeds between servers in separate VLANs on a 5508-X and am wondering if there is anything that can be done to help?
Servers plug into Cisco 2960 switches, duplex auto/auto at 1Gbps.
Servers in the DMZ VLAN will only transfer files to servers in the TRU VLAN at a max of 14MB/s (and vice versa).
Servers sending the same file within the same VLAN transfer at the speeds expected of 1000F: 113MB/s.
Only when the firewall gets involved for inter-VLAN traffic are we seeing massively degraded file transfer speeds.
The networks are configured on the firewall as sub-interfaces on the same physical interface.
Can anybody offer any pearls of wisdom on either troubleshooting this further or things to try to improve?
Many Thanks
01-22-2024 06:02 AM
Intra-VLAN traffic is not inspected by the ASA.
Inter-VLAN traffic (where the ASA is the GW) is inspected by the ASA, and this slows down transfer speed (but not by this much).
Did you check the TCP MSS size in the ASA? A small size can lead to slow transfer.
MHM
01-22-2024 06:33 AM
Hello,
post the full running config, maybe we can spot something? Is that a 5508-X with FirePower?
01-22-2024 06:56 AM
Possibly others will suggest something to boost FW throughput.
Otherwise you may need to consider replacing the FW with a faster FW or selectively (and very carefully) bypass FW for some inside<>DMZ traffic.
BTW some 2960 models support limited routing.
01-25-2024 02:32 AM - edited 01-25-2024 02:33 AM
Apologies for the silence.
So we dug into this a bit more, and when excluding 2 test hosts (1 in each VLAN) from going through FirePower we got throughput at gigabit LAN speeds, 113MB/s on a file transfer; when DMZ->TRU VLAN traffic goes through FirePower we see file transfer speeds dramatically reduced to 14MB/s.
We have SSRS and web sites on the DMZ VLAN and SQL on the TRU VLAN.
Obv the gung-ho approach would be to exclude these hosts from going through FirePower - I feel like this is like taking a gun to a fist fight though and wouldn't be best practice?
Can you exclude certain protocols or ports only from going through FirePower rather than entire hosts?
What would be the best approach in this scenario from a security point of view?
The firewall is the gateway for their respective VLANs.
Appreciate in advance any input received.
Many Thanks
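The two things raised so far, the TCP MSS / MTU settings mentioned in the second reply and the question in the post above about excluding specific ports rather than whole hosts from FirePower, can both be expressed in ASA configuration. The fragment below is an added example written for this thread; it is not the poster's config and not Cisco's documentation. Interface names, VLAN IDs, addresses and the SQL port are assumptions chosen to match the DMZ -> TRU layout described in the thread.

```cisco
! Added example, not from the thread: interface names, VLAN IDs and
! addresses are assumptions. Two sub-interfaces on one physical link,
! each acting as the gateway for its VLAN, as in the original post.
interface GigabitEthernet1/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/1.20
 vlan 20
 nameif tru
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! MTU / MSS: the ASA clamps TCP MSS to 1380 by default. A clamp set well
! below (interface MTU - 40) shrinks every segment and costs throughput
! for no security benefit, so confirm the current values first.
mtu dmz 1500
mtu tru 1500
sysopt connection tcpmss 1380
!
! Selective FirePower redirection: the redirect class is driven by an
! ACL, so a single flow can be excluded instead of a whole host. Here only
! SQL (assumed tcp/1433) between two named servers (assumed addresses)
! skips the sfr module; every other inter-VLAN flow is still inspected.
! Both directions are listed so the exception is explicit and auditable.
access-list SFR_REDIRECT extended deny tcp host 10.10.0.25 host 10.20.0.30 eq 1433
access-list SFR_REDIRECT extended deny tcp host 10.20.0.30 eq 1433 host 10.10.0.25
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
service-policy global_policy global
```

The exclusion is kept as narrow as the requirement allows (one server pair, one port) so the rest of the DMZ remains behind inspection, and fail-close is used so a module failure does not silently turn the whole policy into a bypass. After applying, `show running-config sysopt` and `show running-config mtu` confirm the MSS/MTU values, and `show service-policy sfr` shows whether the redirect counters move only for the flows you expect.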
01-25-2024 02:46 AM
If you have a router or L3 switch then you can make them directly connected and the traffic will not pass via the ASA.
This is done by changing the GW on both hosts to point to the router or L3 switch instead of pointing toward the ASA.
MHM
01-25-2024 03:06 AM
Hello,
throughput under normal circumstances should be a lot higher than 14MB/s. It could be the MTU settings. As asked, if you post the full config, we can check and maybe we can spot something...
01-25-2024 10:11 AM
@thomo2710 wrote:
What would be the best approach in this scenario from a security point of view?
Most security folk, I suspect, would recommend continuing to use the FW, as security is what they do well.
So again, if the FW is a bottleneck, and you cannot find a way to easily increase its throughput, and if you want much more throughput, either you need a FW with more capacity or you need to bypass it.