Any high volume PIX admins out there?

I'm looking to compare notes with a high volume PIX admin out there.

We have tracked down performance issues on our 535. One, according to Cisco, appears to be a bug in 7.02, which they are examining.

However we are seeing a reduction in throughput from inside to outside by about 50%. Trying to get a vendor to work on optimization of their product is usually infuriating work, so I figured I'd try to see if this is a common issue.

At a previous company they attempted to put a 525 between app servers and their databases and it slowed the website down by 20%. Cisco VARs could not explain or fix the performance hit and the PIX implementation was aborted.

I'm now working on a PIX 535. We set up a laptop on the outside with IIS running and if we attempt to grab a file via http on the outside we get about 1000Kb/s throughput. If we move the laptop on the LAN on the inside we get less than 500kb/s throughput. We've verified all the network connections for errors both from the pix and the switches and no luck finding something nice and obvious yet.

This is the second time we found clear evidence of significant throughput reduction (throttling) when using a PIX.

If I do a SHO PERFMON we have the following high stats:
6000-12000 TCP Fixups/s
5900-11800 HTTP Fixups/s

SHO PERFMON shows you a momentary stat, so you can reissue repeatedly and see a range. The AVERAGE and history for PERFMON stats is apparently broken in 7.02.

Anybody out there with these kinds of volumes going through a PIX???

I'm curious to find similar PIX owners to compare notes with.

Reply to
DigitalVinyl

In article , DigitalVinyl wrote:
:I'm now working on a PIX 535. We set up a laptop on the outside with IIS
:running and if we attempt to grab a file via http on the outside we
:get about 1000Kb/s throughput.

Really? You get gigabit throughput to a laptop? My understanding was that you need some pretty well designed machines to get more than about 300 kilobits per second out of a gigabit pipe.

:If we move the laptop on the LAN on the
:inside we get less than 500kb/s throughput. We've verified all the
:network connections for errors both from the pix and the switches and
:no luck finding something nice and obvious yet.

According to the spec sheet, the PIX 535 has four 66 MHz/64 bit slots and five 33 MHz/32 bit slots.

There is a PCI throughput analysis at [link]. Table 2 and Table 3 show the maximum achievable bandwidth at 33 MHz / 32 bit. Note in particular the "Integer Load" rate on Table 2, and the 4 and 8 byte read rates in Table 3. If you take the 8 byte read rate (15 Mbyte/second), double that twice to go to 64 bit and 66 MHz, and convert to bits, you get 480 megabits/second maximum throughput -- and as long as you are working with integer values, you can't do significantly better unless you use a mode such as PCI Copyback.

So... unless Cisco can happen to take advantage of some sophisticated burst modes with the data aligned just right [not the most likely of events for variable-length packets...] then the speeds you are seeing are to be expected.

If you need true gigabit throughput, then you should be going into the FWSM (Firewall Services Module) on a 6500 switch or 7600 router, which do not use PCI slots.

Reply to
Walter Roberson

Try turning http fixups off & then benchmark for a compare and contrast.

greg

Reply to
Greg Hennessy

1,000 kilobits is 1 megabit/s. Gigabit is 1,000,000 kilobits/s. 1mbit/s isn't much and the laptop consistently delivered that minimal speed or better across the LAN.

The interfaces are reaching peaks of just over 110 megabits/s and we are seeing obvious measured throughput decreases.

We have another set of firewalls which we may re-deploy to distribute loads, but this throughput issue occurs at 4am when the fw is passing only 20 megabits/sec.

Reply to
DigitalVinyl

We are scheduling that. Cisco is investigating a http fixup slowdown, in ADDITION to the slowdown I am researching. We suffer a 50% reduction going through the firewall. If we go thru on port 80 (http fixup) we suffer an additional 75% reduction in throughput. Cisco is approaching it as a bug.

However, sadly, Cisco cannot offer us any method of indicating the benefit from http inspections. Fixup is supposed to be inspecting various factors like header formation and length looking for hacks. However there is no statistic or logging which tracks how many packets have been denied by http inspection. So I can't offer to management what exposure we are opening our sites up to by disabling this security feature.

We do not use URL filtering, URL logging or Java/ActiveX filters - which are three major functions of fixup.

Reply to
DigitalVinyl

1 k is 1024. 1 meg is 1024 k. 1 gig is 1024 meg.

Reply to
Quaestor

That is the original definition, but it unfortunately depends upon who's doing the math. Marketing has largely replaced that definition.

60 gigabyte drives have 60 billion bytes, not 60 gigabytes. Windows shows the technical measurement, while they are marketed with the one of convenience.

I have to say I have *NEVER* seen any material that states authoritatively that 100 megabit ethernet has a capacity of 104,857,600 bits or about 105 megabits (using the marketing definition).

Anyway the previous poster was confusing scales that were 1000 times different, or 1024 times different, depending.

Reply to
DigitalVinyl

This sounds like a tcp windowing or pmtud issue, what if you set up the following test:

Set the laptop up outside the firewall and download your file via http through the firewall like before, you should get the same results... Next try to stack up about 5 downloads from the same machine, and finally stack about 5 downloads from different machines at the same time.

I would suspect that each of the 5 download speeds would have about the same throughput as the first with a greater total sum.

If possible try a UDP transfer, like NFS to see the results.

If the above does show that the total sum can be increased through multiple threads you should be able to tweak your TCP settings to gain better performance. I am running 520's and have been able to get xfers up and over 33 Megs, downloading files from outside to the inside.

Wil my 3¢

DigitalV> I'm looking to compare notes with a high volume PIX admin out there.

Reply to
Wil
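The single-stream versus multi-stream comparison Wil proposes, as an added example that is not part of the original thread. The script serves a constructed test file from a local stand-in server so it runs offline; in a real test you would call `measure()` with the URL of the IIS laptop on the far side of the PIX. If per-stream rates stay flat while the aggregate climbs, the limit is per-connection (TCP window, PMTU, inspection state) rather than link capacity.

```python
import http.server
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed 4 MiB test file standing in for the file on the IIS laptop.
PAYLOAD = b"x" * (4 * 1024 * 1024)

class _FileHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the IIS box: serves PAYLOAD for any GET."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)
    def log_message(self, *args):  # keep benchmark output quiet
        pass

def start_server():
    """Start the stand-in on a free loopback port; return (server, url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FileHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/testfile" % srv.server_address[1]

def fetch(url):
    """Download url once; return (bytes received, elapsed seconds)."""
    t0 = time.perf_counter()
    with urllib.request.urlopen(url) as resp:
        nbytes = len(resp.read())
    return nbytes, time.perf_counter() - t0

def measure(url, streams):
    """Run `streams` parallel downloads; return per-stream and aggregate Mbit/s."""
    t0 = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        results = list(pool.map(fetch, [url] * streams))
    wall = time.perf_counter() - t0
    total = sum(n for n, _ in results)
    return {"streams": streams, "total_bytes": total,
            "per_stream_mbps": [n * 8 / s / 1e6 for n, s in results],
            "aggregate_mbps": total * 8 / wall / 1e6}

def run_comparison(streams=5):
    """One download, then `streams` parallel downloads, from the same source."""
    srv, url = start_server()
    try:
        return measure(url, 1), measure(url, streams)
    finally:
        srv.shutdown()
```

Compare `single["aggregate_mbps"]` with `multi["per_stream_mbps"]` and `multi["aggregate_mbps"]`; a UDP variant (Wil's NFS suggestion) needs a different client but the same per-stream/aggregate bookkeeping.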

I think this has been true with outside services with plenty of capacity. With our test laptop we would have to discover what the limit of it handing the files out is first.

Probably could set up a TFTP service easy enough.

But the question is, could you have achieved 66 megs if the firewall wasn't there. Server and client always determine the maximum rate of any transfer. I'm using a mediocre laptop so I don't expect much. Question is why is the pix lowering the throughput so much.

Are you suggesting changing specific TCP settings of the PIX? Cause, last I checked, I can't request that every website in the world and 18,000 user laptops and PCs get tweaked to compensate for our firewall. :-) This slowdown is evident in all traffic. The test case was just to get the problem in focus.

Reply to
DigitalVinyl
