Cisco PIX does not seem to balance traffic well...

[IanGlinka]

Ever since we installed our Cisco PIX 501 a few months back, we have noticed a severe problem with our internet connection. I keep a continual ping going to google.com as a good checkpoint for internet latency. With no traffic, this is usually around 10-20ms.

Whenever anybody initiates a download from the internet, the response time is all but obliterated. If the ping doesn't start timing out (due to the response taking too long), it will sit at around 600-900ms. Any http requests during this time take extremely long times to process. Loading

http://www.google.com

takes upwards around 30 seconds sometimes.

We are running a 768 kbit/sec guaranteed DSL internet connection here. We recently upgraded our PIX to the 506 model. Has anybody else had problems with the PIX handling internet connections poorly?

Also... I've been looking, but I can't find anywhere that will give me a map or printout of which hosts are utilizing what % of my bandwidth. This would be at least helpful in determining if somebody is abusing the internet connection.

Thank you,
Ian

 

[BuckWeet]

Have you ever thought that a 768Kbps pipe isn't that large nowadays.. thats only around 96KB/sec of traffic. Most if not all internet sites can give you speeds at that easily. So when you download, you're killing your downstream.

Also keep this in mind, when the ISP gives you the 768Kbps they're policing the traffic down. So sometimes the pings could get lost in the policing process, or the fact that the buffers are coming into play and the icmp echo-reply might getting held up by other traffic..

BuckWeet

 

[IanGlinka]

I understand roughly 15-20% of bandwidth is consumed by overhead, but even with that into account, simply because one host in my network is downloading from an internet site does not mean the internet should run at 14.4 speeds for the other computers.

A suggestion was offered that perhaps the reason we noticed the load balancing problems with the PIX was that our old Linksys router did not have very much onboard memory. Perhaps the PIX is buffering in much of these downloads into the onboard memory, and treating web traffic much like a traffic light at an intersection.

Since the linksys did not have much onboard memory to buffer downloads, we're thinking that perhaps it did a better job at load balancing, since it didn't queue up traffic requests (because it didn't have the ability to).

 

[chicocouk]

We have a 515 with five users behind it sharing a 2meg DSL pipe. This is shared with approx 60 vpn connections, which we use constantly. We do not have this kind of problem with ping, or with downloads. I've also seen numerous 501s sitting on 512kbp/s dsl connections which also don't demonstrate this behaviour.

Just out of curiousity, what's a "guaranteed" DSL connection? Does that mean you don't share it with any other sites? There's no contention ratio? What's your upstream speed? And what's your router?

As for which hosts are using your bandwidth, you'll need to set up syslogging and then analyse them for utilisation. A free log analyser is available here, if you don't currently have anything to do it;

http://www.reportgen.com/downloads.htm

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP

 

[BuckWeet]

Post your config

 

[IanGlinka]

See... our router IS our PIX... am I going to get yelled at for this now?

 

[chicocouk]

No yelling, but a look at the config might help us troubleshoot your problem ... mask off any public ip addresses and passwords etc for your own security, eg x.x.x.48 and so forth

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP