Slow DMZ on Cisco Pix 515

I am experiencing slow performance on my Pix 515's DMZ. Transferring files from server to server on DMZ is fast. LAN to and from DMZ is very slow (200KB/s and 40KB/s), same with Outside to and from DMZ. All ports are set to 100Full on the Pix, on the Switches, and on the Servers.
lmmeysenburg Asked:

debuggerau Commented:
Are you getting many errors in your syslog?

How's the processor utilization?

Memory spare?

Do you run ASDM?
Running the latest version of firmware and PDM?

How many connections are you supporting?
Try a show xlate and see how many nat connections are currently active...

Try posting a 'show tech' for an examination...

Have you tried a cold boot and then tested?
0
lmmeysenburg Author Commented:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 failover security99
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname fw
domain-name xxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list SIGMA permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat permit ip host 192.168.5.2 192.168.6.0 255.255.255.0
access-list nonat permit ip host 192.168.5.3 192.168.6.0 255.255.255.0
access-list nonat permit ip host 192.168.5.6 192.168.6.0 255.255.255.0
access-list nonat permit ip host 192.168.5.12 192.168.6.0 255.255.255.0
access-list nonat permit ip host 192.168.5.10 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list VPNRADIUSACL permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.123.0 255.255.255.0
pager lines 19
logging on
logging timestamp
logging console warnings
logging buffered errors
logging trap debugging
logging history debugging
logging facility 23
logging host inside 192.168.5.10
no logging message 106014
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu failover 1500
ip address outside x.x.x.126 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip address dmz 192.168.6.1 255.255.255.0
no ip address intf3
no ip address intf4
ip address failover 192.168.254.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNClientPool 192.168.15.10-192.168.15.20
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.124
failover ip address inside 192.168.5.254
failover ip address dmz 192.168.6.254
no failover ip address intf3
no failover ip address intf4
failover ip address failover 192.168.254.2
failover link failover
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.5.4 12.22.182.98 255.255.255.255
alias (inside) 192.168.5.10 12.22.182.99 255.255.255.255
alias (inside) x.x.x.100 192.168.6.100 255.255.255.255
alias (inside) x.x.x.101 192.168.6.101 255.255.255.255
alias (inside) x.x.x.102 192.168.6.102 255.255.255.255
static (inside,outside) x.x.x.99 192.168.5.10 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.120 192.168.6.120 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.121 192.168.6.121 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.98 192.168.5.4 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.100 192.168.6.100 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.101 192.168.6.101 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.102 192.168.6.102 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.5.2 eq ldap any
conduit permit udp host 192.168.5.2 eq 389 any
conduit permit tcp host 192.168.5.3 eq ldap any
conduit permit udp host 192.168.5.3 eq 389 any
conduit permit udp host 192.168.5.2 eq 88 any
conduit permit udp host 192.168.5.3 eq 88 any
conduit permit tcp host 192.168.5.2 eq 135 any
conduit permit tcp host 192.168.5.3 eq 135 any
conduit permit tcp host 192.168.5.2 eq 445 any
conduit permit tcp host 192.168.5.3 eq 445 any
conduit permit tcp host 192.168.5.2 eq 1025 any
conduit permit tcp host 192.168.5.3 eq 1025 any
conduit permit udp host 192.168.5.2 eq domain any
conduit permit udp host 192.168.5.3 eq domain any
conduit permit udp host 192.168.5.2 eq ntp any
conduit permit udp host 192.168.5.3 eq ntp any
conduit permit tcp host 192.168.5.6 eq 3306 any
conduit permit tcp host 192.168.5.6 eq www any
conduit permit tcp host 192.168.5.12 eq smtp any
conduit permit tcp host 192.168.5.2 eq domain any
conduit permit tcp host 192.168.5.3 eq domain any
conduit permit tcp host 192.168.5.12 eq 50389 any
conduit permit tcp host 192.168.5.12 eq 50636 any
conduit permit tcp host 192.168.5.12 eq 3389 any
conduit permit tcp host 192.168.5.10 eq smtp any
conduit permit tcp host x.x.x.99 eq smtp any
conduit permit tcp host x.x.x.121 eq 5222 any
conduit permit tcp host x.x.x.121 eq 5223 any
conduit permit tcp host x.x.x.121 eq 5269 any
conduit permit tcp host x.x.x.121 eq 7777 any
conduit permit udp host x.x.x.121 eq 7777 any
conduit permit tcp host x.x.x.120 eq smtp any
conduit permit tcp host x.x.x.100 eq www any
conduit permit tcp host x.x.x.100 eq ftp any
conduit permit tcp host x.x.x.100 eq domain any
conduit permit udp host x.x.x.100 eq domain any
conduit permit tcp host x.x.x.100 eq smtp any
conduit permit tcp host x.x.x.100 eq pop3 any
conduit permit tcp host x.x.x.100 eq imap4 any
conduit permit tcp host x.x.x.100 eq 50000 any
conduit permit tcp host x.x.x.100 eq 50001 any
conduit permit tcp host x.x.x.100 eq 50002 any
conduit permit tcp host x.x.x.100 eq 50003 any
conduit permit tcp host x.x.x.100 eq 50004 any
conduit permit tcp host x.x.x.100 eq 50005 any
conduit permit tcp host x.x.x.101 eq www any
conduit permit tcp host x.x.x.101 eq ftp any
conduit permit tcp host x.x.x.101 eq domain any
conduit permit udp host x.x.x.101 eq domain any
conduit permit tcp host x.x.x.102 eq ftp any
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.5.69 255.255.255.255 inside
snmp-server host outside x.x.x.200
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxxxxxx
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VpnMap 10 ipsec-isakmp
crypto map VpnMap 10 match address SIGMA
crypto map VpnMap 10 set peer x.x.x.143
crypto map VpnMap 10 set transform-set ESP-3DES-SHA
crypto map VpnMap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map VpnMap 20 ipsec-isakmp
crypto map VpnMap 20 match address 80
crypto map VpnMap 20 set peer x.x.x.218
crypto map VpnMap 20 set transform-set strong
crypto map VpnMap 9999 ipsec-isakmp dynamic dynmap
crypto map VpnMap interface outside
isakmp enable outside
isakmp key XXXXXXXXX address x.x.x.143 netmask 255.255.255.255
isakmp key XXXXXXXXX address x.x.x.218 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 9999 authentication pre-share
isakmp policy 9999 encryption aes-256
isakmp policy 9999 hash sha
isakmp policy 9999 group 2
isakmp policy 9999 lifetime 86400
vpngroup SupportVPN address-pool VPNClientPool
vpngroup SupportVPN dns-server 192.168.5.2 192.168.5.3
vpngroup SupportVPN default-domain xxxxxxx.local
vpngroup SupportVPN split-tunnel VPNRADIUSACL
vpngroup SupportVPN idle-time 3600
vpngroup SupportVPN password XXXXX
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:
0
lmmeysenburg Author Commented:
I am getting no errors in my syslog. Processor usage is less than 5%. Memory usage is less than half. Have rebooted many times. This has been an on-going issue I have just been putting up with for at least the last 3 months.
0
debuggerau Commented:
That's a lot of interfaces...
and failover too...

But the first two ports appear not to be 100 full, they are marked as 10baset..
A full show tech will give connection stats also...

0
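The comparison made by eye in the comment above (configured `interface` speed per named interface versus the 100Full the question expects), as an added example that is not part of the original thread. The function name `audit_interfaces`, the `expected` default and the keyword table (the meaning of the PIX 6.x `interface` speed keywords) are assumptions of this example; the sample is built from the interface and nameif lines of the posted configuration.

```python
import re

# Assumed meaning of PIX 6.x hardware-speed keywords (subset used here).
SPEEDS = {
    "10baset": (10, "half"),
    "10full": (10, "full"),
    "100basetx": (100, "half"),
    "100full": (100, "full"),
    "auto": (None, "negotiated"),
}
# Constructed sample: interface/nameif lines copied from the posted config.
SAMPLE_CONFIG = """\
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 failover security99
"""
IFACE_RE = re.compile(r"^interface\s+(\S+)\s+(\S+)(\s+shutdown)?\s*$")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)\s*$")

def audit_interfaces(config, expected="100full"):
    """Return (port, name, setting, mbps, duplex) for enabled ports not set to `expected`."""
    hw, names = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := IFACE_RE.match(line):
            hw[m.group(1)] = (m.group(2).lower(), bool(m.group(3)))
        elif m := NAMEIF_RE.match(line):
            names[m.group(1)] = m.group(2)
    findings = []
    for port, (setting, shutdown) in sorted(hw.items()):
        if shutdown or setting == expected:
            continue  # shut-down ports carry no traffic; matching ports are fine
        mbps, duplex = SPEEDS.get(setting, (None, "unknown"))
        findings.append((port, names.get(port, "?"), setting, mbps, duplex))
    return findings

if __name__ == "__main__":
    for port, name, setting, mbps, duplex in audit_interfaces(SAMPLE_CONFIG):
        print(f"{port} ({name}): {setting} -> {mbps} Mbit/s {duplex}-duplex")
```

Run against a saved configuration, this lists every enabled interface whose hard-coded speed differs from what the switch and server ports are set to, which is the first thing to reconcile before looking further.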
lmmeysenburg Author Commented:
Problem was related to software on server connected to DMZ. Problem has been fixed.
0