Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Pix response delay

Status
Not open for further replies.
KeithCO

KeithCO

IS-IT--Management
Jul 17, 2002
1
US
Is it common to see a 150ms delay accross a Pix 506E?
I have an external subnet (Public IP) then the Pix and then an internal subnet (Private IP). I am using NAT overload for some of the internal hosts and static NAT for a couple internal servers. When I ping my web server in the external subnet from the internet I see an average delay of 46ms. When I ping a statically mapped(NAT) address on the internal LAN I see an average delay of 196ms. Below are some of the performance outputs from the Pix.

Wall# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

Wall# show perfmon

PERFMON STATS: Current Average
Xlates 1/s 0/s
Connections 1/s 0/s
TCP Conns 1/s 0/s
UDP Conns 0/s 0/s
URL Access 1/s 0/s
WebSns Req 0/s 0/s
TCP Fixup 23/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 22/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s

wall# show mem
33554432 bytes total, 18264064 bytes free

The Pix does not seem to be overwhelmed. Is there a configuration issue that is causing this or is it just the nature of NAT/Firewall.

Thanks,

Keith
 
Sort by date Sort by votes
What if you ping from the webserver and the NATted server
to an outside public address? Do their times correspond
with the incoming times?

How about a trace from inside - out and outside - in - see
where things slow down.

Also - what is the workload of the servers themselves?

Are your servers in a sitched environment and are they all
set properly for speed/duplex trunking etc?

Is the switch/hub they are connected to overloaded?

How about your overall bandwidth used?
Do a Show Traffic

Assuming you have a T1 line, you should pass
approximately .98 times the following numbers through your
PIX in the given amounts of time taking into account Ciscos
1002 bytes in 1 packet per second and 1024 bits in a byte.


T1 = 1.544Mbps
1 Mb = 1048576 bits
25% loss for TCP overhead
148.224 kilobytes per second
say .150 megabyte per second
8.685 megabyte per minute
43.425 megabyte in five minutes
521.1 Megabyte per hour
12506.4 megabyte per day
12.21328125 gigabyte per day
85.49296875 gigabyte per week
366.3984375 gigabyte per month
"If you lived here, you'd be home by now!"

George Carlin
 
Upvote 0 Downvote
HI.

ICMP is very tricky with the pix.
If I'm not mistaking, the pix itself is answering the ICMP (proxy arp) instead of simply forwarding it to the host.
So the delay is probably caused by additional processing and timeouts at the pix, but does not represent the real world performance.

A more relevant test is to check throughput via the pix, or to make some tests using TCP instead of ICMP.

You can use my free KIT utility - it was not designed for that task but it can time TCP connections and can be used to compare connections via or bypassing the pix.
For bypassing the pix, use a router, so the number of hops will be the same as via the pix.
My main web site is currently down but you can find the utility here:

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
216
xwray
xwray
brownmab53
  • Locked
  • Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
266
brownmab53
brownmab53
quazimotto
  • Locked
  • Question
Correct Upgrade Path for PIX
Replies
7
Views
429
quazimotto
quazimotto
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
198
quazimotto
quazimotto
hall5942
  • Locked
  • Question
Site to Site VPN with Cisco 881 and PIX
Replies
0
Views
183
hall5942
hall5942

Part and Inventory Search

Sponsor

Back
Top