PIX bandwidth throttling / prioritizing

Posted on 2008-10-16
Last Modified: 2012-05-05
Hello Experts

We frequently have to send email fanouts to large lists.  When we do our Internet access is lost for hours because our Exchange 2007 SP1 server is using all of the available outbound bandwidth.  Our firewall is a PIX 515 v8.0(2) with ASDM v6.0(2).

I have tried giving tcp/80 priority and I have tried throttling tcp/25 in the PIX but neither seemed to work.  Can someone give me step by step instructions on how to allow http/https traffic through the firewall when these fanouts are happening?  Please provide instructions for use with ASDM.  I am not a command line person.

If someone can tell me how to limit bandwidth usage in Exchange that would work too.
Question by:cmartell
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 15

Expert Comment

by:It breaks therefore I am
ID: 22735208
The other solution I use is to use an application like ADR (Advanced Direct Remailer) the application supports bandwidth throttling so it can for instance send 20 messages at one time so it does not max out your DSL. Additionally it uses its own SMTP engine freeing your Exchange Server for other messaging tasks.

Author Comment

ID: 22735333
Thanks Johan but I'm not looking for a client side solution.  I never know who is going to be sending the fanout so I wouldn't know where to install it anyway.

Ideally I would like to throttle the bandwidth on the Exchange server.  If I can't do that then I would like to configure the PIX to give web traffic higher priority or if that can't be done configure it so that smtp doesn't take more than half of the available bandwidth.

Accepted Solution

leonjs earned 330 total points
ID: 22749288
I am more of a ASA guy but  can you tell me what value you put in for policing port 25? 100K 90k?  Also what interface did you apply the policy to ? I beleive it needs to be applied to the egress interface.

Remember the pix/asa weren't designed for QOS the router was and it has alot more features. Very easy for you to specific in the router that when network traffic is congested port 25 is not allowed to use more then 20% of the bandwidth for example, and when there is no congestion everything goes back to normal. If you find no luck making this work on the pix i would experiment with the router.
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.


Author Comment

ID: 22760305
Thanks leonjs.  I haven't had a chance to verify this yet but I think you have pointed me in the right direction.  I had the policy applied to the inside interface policing inbound traffic and I think it needs to be on the outside interface policing outbound traffic.  Although the article below doesn't specify that the policy has to be specified on the outside interface, all of their examples are on the outside.  The article does mention that the policy has to be applied to outbound traffic though.  I will let you know if it works when we do our next fanout.

With regards to your question, I have limited outbound smtp traffic to 200k.  When the fanouts were saturating the bandwidth the PIX showed 600k of outbound traffic.

Expert Comment

ID: 22760419
Next time a fan out occurs I strongly suggest you use this show command " show service-policy police"  It will show you packets being dropped as a result of your configurations.  

Very useful in verifying whether you've done the right thing.  I am pretty sure that command works on the PIX (I hate the finesse os) but i know it works on the asa.  good luck


Author Closing Comment

ID: 31506875
Doing another fanout right now and it appears moving the policy to the outside interface and outgoing traffic solved the problem.  Thanks for your help leonjs.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question