PIX bandwidth throttling / prioritizing

Posted on 2008-10-16
Last Modified: 2012-05-05
Hello Experts

We frequently have to send email fanouts to large lists. When we do, our Internet access is lost for hours because our Exchange 2007 SP1 server is using all of the available outbound bandwidth. Our firewall is a PIX 515 v8.0(2) with ASDM v6.0(2).

I have tried giving tcp/80 priority and I have tried throttling tcp/25 in the PIX but neither seemed to work.  Can someone give me step by step instructions on how to allow http/https traffic through the firewall when these fanouts are happening?  Please provide instructions for use with ASDM.  I am not a command line person.

If someone can tell me how to limit bandwidth usage in Exchange that would work too.
Question by:cmartell

Expert Comment

by:It breaks therefore I am
ID: 22735208
The other solution I use is to use an application like ADR (Advanced Direct Remailer). The application supports bandwidth throttling, so it can, for instance, send 20 messages at one time so it does not max out your DSL. Additionally, it uses its own SMTP engine, freeing your Exchange Server for other messaging tasks.

Author Comment

ID: 22735333
Thanks Johan but I'm not looking for a client side solution.  I never know who is going to be sending the fanout so I wouldn't know where to install it anyway.

Ideally I would like to throttle the bandwidth on the Exchange server. If I can't do that, then I would like to configure the PIX to give web traffic higher priority or, if that can't be done, configure it so that SMTP doesn't take more than half of the available bandwidth.

Accepted Solution

leonjs earned 330 total points
ID: 22749288
I am more of an ASA guy, but can you tell me what value you put in for policing port 25? 100K? 90K? Also, what interface did you apply the policy to? I believe it needs to be applied to the egress interface.

Remember, the PIX/ASA weren't designed for QoS; the router was, and it has a lot more features. It is very easy for you to specify in the router that when network traffic is congested, port 25 is not allowed to use more than 20% of the bandwidth, for example, and when there is no congestion everything goes back to normal. If you find no luck making this work on the PIX, I would experiment with the router.

Author Comment

ID: 22760305
Thanks leonjs.  I haven't had a chance to verify this yet but I think you have pointed me in the right direction.  I had the policy applied to the inside interface policing inbound traffic and I think it needs to be on the outside interface policing outbound traffic.  Although the article below doesn't specify that the policy has to be specified on the outside interface, all of their examples are on the outside.  The article does mention that the policy has to be applied to outbound traffic though.  I will let you know if it works when we do our next fanout.

With regard to your question, I have limited outbound SMTP traffic to 200k. When the fanouts were saturating the bandwidth, the PIX showed 600k of outbound traffic.

Expert Comment

ID: 22760419
Next time a fanout occurs, I strongly suggest you use this show command: "show service-policy police". It will show you packets being dropped as a result of your configurations.

Very useful in verifying whether you've done the right thing. I am pretty sure that command works on the PIX (I hate the Finesse OS), but I know it works on the ASA. Good luck.


Author Closing Comment

ID: 31506875
Doing another fanout right now and it appears moving the policy to the outside interface and outgoing traffic solved the problem.  Thanks for your help leonjs.
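
The fix this thread arrives at, written out as PIX/ASA CLI for reference. This is an added example, not a configuration posted by anyone in the thread. The names SMTP-FANOUT, INSIDE-QOS and OUTSIDE-QOS are made up, the interface names inside and outside are assumed, and 200000 bits per second is one reading of the asker's "200k".

```cisco
! Before (as the asker described it): policy on the inside interface,
! policing inbound traffic. The fanouts still saturated the uplink.
!   policy-map INSIDE-QOS
!    class SMTP-FANOUT
!     police input 200000
!   service-policy INSIDE-QOS interface inside

! After: classify SMTP and police it as it leaves the outside interface.
class-map SMTP-FANOUT
 match port tcp eq 25
!
policy-map OUTSIDE-QOS
 class SMTP-FANOUT
  ! Rate is in bits per second; traffic above it is dropped by default.
  police output 200000
!
service-policy OUTSIDE-QOS interface outside

! During the next fanout, confirm the policer is matching and dropping:
show service-policy police
```

Only one service policy can be attached to an interface, so if the outside interface already has one, add the class to that policy map instead of creating a new one.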
