Set default gateway to router or pix make huge performance difference.

AgentK

IS-IT--Management
Jul 10, 2002
47
US
Hi, we recently deployed a PIX 501 in a remote office and created a site-to-site VPN connection to HQ in an attempt to tear down the point-to-point T1, saving cost. Everything works okay, except when a client at HQ accesses services like HTTP, FTP or SMTP, it is so, so slow (painting screen). The temporary workaround is that we changed the default gateway, currently pointing to the router, to the PIX's inside address; the speed is noticeably faster.

This is a workable solution, but we have quite a number of devices that we need to change manually, since 90% of nodes are statically IP-assigned.

Any hint or suggestion is appreciated.

Thanks in advance for your time.

K.
 
When going to the remote site with the router as the default gateway, are you using the PIX or the router?

Is the router set up to reroute traffic through the PIX?

What's the response time to the remote site in both situations?

Try pinging with default gateway router:

ping x.x.x.x -n 50

and then set it to the PIX:

ping x.x.x.x -n 50

Also get a traceroute for both scenarios. Post the results.




 
Thanks Network G.
I am sure about the 1st question, but the router has a default route for everything to the firewall.

Router response time is 49/48/46 ms (high/average/low)
Firewall response time is 46/45/43 ms

***router trace result****

F:\>tracert 172.16.16.1

Tracing route to DC16router.posplus.com [172.16.16.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms hq.posplus.com [192.168.244.1]
2 <1 ms <1 ms <1 ms corpinternet.posplus.com [192.168.249.6]
3 49 ms 49 ms 60 ms DC16router.posplus.com [172.16.16.1]

Trace complete.

F:\>tracert 172.16.16.10

Tracing route to 192.168.16.10 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms hq.posplus.com[192.168.244.1]
2 <1 ms <1 ms <1 ms corpinternet.posplus.com [192.168.249.6]
3 46 ms 46 ms 46 ms DC16firewall.posplus.com [172.16.16.10]

Trace complete.

F:\>
 
We noted there are a lot of CRC errors on the interface; I will replace the cable or swap the switch port # to see if it helps.

Thanks,


**********
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0001.963c.82e0 (bia 0001.963c.82e0)
Description: Connected to store 16 LAN
Internet address is 172.16.16.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 252/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/89/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 27000 bits/sec, 9 packets/sec
5 minute output rate 30000 bits/sec, 10 packets/sec
1578513 packets input, 556222978 bytes, 0 no buffer
Received 48900 broadcasts, 0 runts, 0 giants, 0 throttles
57534 input errors, 57532 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
1597098 packets output, 563308737 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
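
An added example, not part of the original thread: a small Python parser that turns the counters from the interface output posted above into an input CRC error percentage and a short list of findings. The function names and the 1% alert threshold are assumptions chosen for illustration.

```python
import re

# Counter lines copied from the "show interface" output posted in the thread.
SAMPLE = """\
Ethernet0/0 is up, line protocol is up
reliability 252/255, txload 1/255, rxload 1/255
1578513 packets input, 556222978 bytes, 0 no buffer
57534 input errors, 57532 CRC, 0 frame, 0 overrun, 0 ignored
1597098 packets output, 563308737 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
"""

# The output prints each counter as "<integer> <label>"; map label -> short key.
FIELDS = {
    "packets input": "in_pkts", "input errors": "in_errs", "CRC": "crc",
    "frame": "frame", "packets output": "out_pkts",
    "output errors": "out_errs", "collisions": "collisions",
    "late collision": "late_coll",
}

def parse_counters(text):
    """Return {key: int} for every known counter found in the text."""
    counters = {}
    for label, key in FIELDS.items():
        m = re.search(r"(\d+) " + re.escape(label) + r"\b", text)
        if m:
            counters[key] = int(m.group(1))
    return counters

def assess(text, crc_threshold_pct=1.0):
    """Return (crc_pct, findings). The 1% default threshold is an assumption."""
    c = parse_counters(text)
    in_pkts = c.get("in_pkts", 0)
    crc_pct = round(100.0 * c.get("crc", 0) / in_pkts, 2) if in_pkts else 0.0
    findings = []
    if crc_pct >= crc_threshold_pct:
        findings.append("input CRC rate %.2f%%: frames arrive corrupted; check "
                        "cable, switch port and speed/duplex on both ends" % crc_pct)
    if c.get("late_coll", 0) > 0:
        findings.append("late collisions seen: typical of a duplex mismatch")
    if c.get("out_errs", 0) > 0:
        findings.append("output errors present: transmit side also affected")
    return crc_pct, findings

if __name__ == "__main__":
    pct, notes = assess(SAMPLE)
    print("CRC errors: %.2f%% of input packets" % pct)
    for note in notes:
        print(" -", note)
```
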
 