PIX bandwidth throttling / prioritizing

Posted on 2008-10-16
Medium Priority
Last Modified: 2012-05-05
Hello Experts

We frequently have to send email fanouts to large lists. When we do, our Internet access is lost for hours because our Exchange 2007 SP1 server is using all of the available outbound bandwidth. Our firewall is a PIX 515 v8.0(2) with ASDM v6.0(2).

I have tried giving tcp/80 priority and I have tried throttling tcp/25 in the PIX but neither seemed to work.  Can someone give me step by step instructions on how to allow http/https traffic through the firewall when these fanouts are happening?  Please provide instructions for use with ASDM.  I am not a command line person.

If someone can tell me how to limit bandwidth usage in Exchange that would work too.
Question by:cmartell

Expert Comment

ID: 22735208
The other solution I use is to use an application like ADR (Advanced Direct Remailer). The application supports bandwidth throttling, so it can, for instance, send 20 messages at one time so that it does not max out your DSL. Additionally, it uses its own SMTP engine, freeing your Exchange Server for other messaging tasks.

Author Comment

ID: 22735333
Thanks Johan but I'm not looking for a client side solution.  I never know who is going to be sending the fanout so I wouldn't know where to install it anyway.

Ideally I would like to throttle the bandwidth on the Exchange server.  If I can't do that then I would like to configure the PIX to give web traffic higher priority or if that can't be done configure it so that smtp doesn't take more than half of the available bandwidth.

Accepted Solution

leonjs earned 1320 total points
ID: 22749288
I am more of an ASA guy, but can you tell me what value you put in for policing port 25? 100K? 90k? Also, what interface did you apply the policy to? I believe it needs to be applied to the egress interface.

Remember the PIX/ASA weren't designed for QoS; the router was, and it has a lot more features. It is very easy for you to specify in the router that when network traffic is congested port 25 is not allowed to use more than 20% of the bandwidth, for example, and when there is no congestion everything goes back to normal. If you have no luck making this work on the PIX, I would experiment with the router.


Author Comment

ID: 22760305
Thanks leonjs.  I haven't had a chance to verify this yet but I think you have pointed me in the right direction.  I had the policy applied to the inside interface policing inbound traffic and I think it needs to be on the outside interface policing outbound traffic.  Although the article below doesn't specify that the policy has to be specified on the outside interface, all of their examples are on the outside.  The article does mention that the policy has to be applied to outbound traffic though.  I will let you know if it works when we do our next fanout.

With regards to your question, I have limited outbound smtp traffic to 200k.  When the fanouts were saturating the bandwidth the PIX showed 600k of outbound traffic.

Expert Comment

ID: 22760419
Next time a fanout occurs I strongly suggest you use this show command: "show service-policy police". It will show you packets being dropped as a result of your configurations.

Very useful in verifying whether you've done the right thing. I am pretty sure that command works on the PIX (I hate the Finesse OS) but I know it works on the ASA. Good luck.


Author Closing Comment

ID: 31506875
Doing another fanout right now and it appears moving the policy to the outside interface and outgoing traffic solved the problem.  Thanks for your help leonjs.
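
The fix this thread arrived at (police outbound SMTP on the outside interface), written as PIX/ASA 8.0 CLI. This is an added example, not configuration posted by anyone in the thread: the names SMTP-OUT and OUTSIDE-QOS are hypothetical, the interface name "outside" is assumed, and the poster's "200k" is assumed to mean 200000 bits per second.

```cisco
! Added example, not from the thread. SMTP-OUT and OUTSIDE-QOS are
! hypothetical names; "outside" is the assumed egress interface name.

! Classify all traffic with destination port tcp/25 (SMTP).
class-map SMTP-OUT
 match port tcp eq 25

! Police that class in the output direction. The rate is in bits per
! second; 200000 is an assumed reading of the "200k" in the thread.
! Packets above the rate are dropped (the default exceed action),
! which leaves the rest of the uplink for web traffic during a fanout.
policy-map OUTSIDE-QOS
 class SMTP-OUT
  police output 200000

! Bind the policy to the egress interface. Only one service-policy can
! be attached per interface: if "outside" already has one, add the
! class to that existing policy-map instead of creating a new one.
service-policy OUTSIDE-QOS interface outside

! During the next fanout, confirm the policer is matching traffic:
!   show service-policy police
! Rising exceed/drop counters under the SMTP class show it is active.
! Counters that stay at zero mean the class or the interface binding
! is not matching the fanout traffic.
```

In ASDM the same three objects (traffic class, policing action, interface binding) are created through the service policy rule wizard.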

Question has a verified solution.
