PIX bandwidth throttling / prioritizing

Posted on 2008-10-16
Last Modified: 2012-05-05
Hello Experts

We frequently have to send email fanouts to large lists.  When we do our Internet access is lost for hours because our Exchange 2007 SP1 server is using all of the available outbound bandwidth.  Our firewall is a PIX 515 v8.0(2) with ASDM v6.0(2).

I have tried giving tcp/80 priority and I have tried throttling tcp/25 in the PIX but neither seemed to work.  Can someone give me step by step instructions on how to allow http/https traffic through the firewall when these fanouts are happening?  Please provide instructions for use with ASDM.  I am not a command line person.

If someone can tell me how to limit bandwidth usage in Exchange that would work too.
Question by:cmartell
  • 3
  • 2
LVL 15

Expert Comment

by:It breaks therefore I am
ID: 22735208
The other solution I use is to use an application like ADR (Advanced Direct Remailer) the application supports bandwidth throttling so it can for instance send 20 messages at one time so it does not max out your DSL. Additionally it uses its own SMTP engine freeing your Exchange Server for other messaging tasks.

Author Comment

ID: 22735333
Thanks Johan but I'm not looking for a client side solution.  I never know who is going to be sending the fanout so I wouldn't know where to install it anyway.

Ideally I would like to throttle the bandwidth on the Exchange server.  If I can't do that then I would like to configure the PIX to give web traffic higher priority or if that can't be done configure it so that smtp doesn't take more than half of the available bandwidth.

Accepted Solution

leonjs earned 330 total points
ID: 22749288
I am more of a ASA guy but  can you tell me what value you put in for policing port 25? 100K 90k?  Also what interface did you apply the policy to ? I beleive it needs to be applied to the egress interface.

Remember the pix/asa weren't designed for QOS the router was and it has alot more features. Very easy for you to specific in the router that when network traffic is congested port 25 is not allowed to use more then 20% of the bandwidth for example, and when there is no congestion everything goes back to normal. If you find no luck making this work on the pix i would experiment with the router.
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!


Author Comment

ID: 22760305
Thanks leonjs.  I haven't had a chance to verify this yet but I think you have pointed me in the right direction.  I had the policy applied to the inside interface policing inbound traffic and I think it needs to be on the outside interface policing outbound traffic.  Although the article below doesn't specify that the policy has to be specified on the outside interface, all of their examples are on the outside.  The article does mention that the policy has to be applied to outbound traffic though.  I will let you know if it works when we do our next fanout.

With regards to your question, I have limited outbound smtp traffic to 200k.  When the fanouts were saturating the bandwidth the PIX showed 600k of outbound traffic.

Expert Comment

ID: 22760419
Next time a fan out occurs I strongly suggest you use this show command " show service-policy police"  It will show you packets being dropped as a result of your configurations.  

Very useful in verifying whether you've done the right thing.  I am pretty sure that command works on the PIX (I hate the finesse os) but i know it works on the asa.  good luck


Author Closing Comment

ID: 31506875
Doing another fanout right now and it appears moving the policy to the outside interface and outgoing traffic solved the problem.  Thanks for your help leonjs.

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question