Solved

Cisco Pix 515 Slow Internet

Posted on 2009-02-12
Last Modified: 2012-06-27
I have a Cisco PIX 515 running a Cavalier T1.  I am having an issue with download speeds being slow.  They are between 700kb/s and 1000kb/s down and usually about 1400kb/s up.

I am getting errors on the outside interface.  I have switched the crossover cable and nothing changed.

Here is the show int (I just reset the stats about 20 minutes ago)...the pix code is below.
Thanks for the help.

Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 000f.34ac.f321, MTU 1500
        IP address 98.xxx.xxx.xxx subnet mask 255.255.255.248
        55109 packets input, 49653526 bytes, 0 no buffer
        Received 14 broadcasts, 10 runts, 0 giants
        28 input errors, 15 CRC, 13 frame, 0 overrun, 15 ignored, 0 abort
        0 L2 decode drops
        46413 packets output, 16137317 bytes, 0 underruns
        0 output errors, 1 collisions, 0 interface resets
        0 babbles, 0 late collisions, 8 deferred
        4 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/2)
        output queue (curr/max blocks): hardware (0/4) software (0/1)
  Traffic Statistics for "outside":
        55058 packets input, 48831840 bytes
        46401 packets output, 15204989 bytes
        2180 packets dropped
PIX515E# sh run
: Saved
:
PIX Version 7.1(1)
!
hostname PIX515E
domain-name marathonllc.com
enable password xxxx.xxx.xxx/ encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 98.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
passwd RPN.WPaKy.QDNIg/ encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name marathonllc.com
access-list 105 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq smtp
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq imap4
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 5721
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 8081
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
pager lines 24
logging enable
logging timestamp
logging device-id hostname
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit host 98.xxx.xxx.xxx echo-reply outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.252 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.251 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.130 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username weinmatt password xxxxxxxxxxxxxx encrypted privilege 15
http server enable
http 129.2.237.198 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
isakmp identity address
isakmp enable outside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 129.2.236.0 255.255.254.0 outside
ssh timeout 3
ssh version 1
console timeout 0
dhcpd address 10.0.10.100-10.0.10.200 inside
dhcpd dns 10.0.10.252 10.0.10.250
dhcpd wins 10.0.10.252
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain marathonllc.local
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:3ee2ff646d54f8cd51a9580f95117db9

Question by:negativelocity
10 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 23624557
I'm not familiar with a Cavalier T1; however, these are usually (99.95% of the time) a speed/duplex mismatch.

Check the speed and duplex on the connected router(?).  It's probably a 10 full.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23624559
Try setting the Ethernet0 interface to auto/auto unless you know for sure that the outside device is hard set to 100/Full.

conf t
interface Ethernet0
 speed auto
 duplex auto
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 23624596
Highly disagree unless the outside device is auto/auto also.

Auto config connected to a static config is problematic.

See http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2007-04/msg00041.html or any of the other 277,000 results on Google.
0

 
LVL 1

Author Comment

by:negativelocity
ID: 23624642
I just changed the speed to auto/auto and did not see any improvement in download speed.

Thanks again for the help.

Cavalier has provided us with one of their Adit 600 boxes.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23624703
RPPreacher:

How do you know it is a static config?

negativelocity:

Check with Cavalier as to what they are configured for on their Ethernet connection to your PIX (100/Full, 10/Full, 10/half, auto).  Clear the counters on the PIX and see if errors are still incrementing when set to auto/auto.  Also do a show interface again and see what your interface is operating at when set to auto/auto.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 23625012
I don't.  But I wouldn't presume that it was.  Thus my first comment "Check the speed and duplex on the connected router"

I was just offering a bit of caution against auto/auto without explicit knowledge.

Again...Check the speed and duplex on the connected router.
0
 
LVL 1

Author Comment

by:negativelocity
ID: 23675739
I have pretty much tried all the speed combinations without any improvement over auto auto.

Any other suggestions?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23680688
Not that this may change anything but I would upgrade the PIX to 7.2(4).  It may not help with speed (or it might if you are running into a bug) but it at least gets you up to more recent code.  Are you still getting errors on the PIX interface?  If you are, something is wrong, you shouldn't be getting any errors if things are configured properly.  Have you contacted Cavalier about their router settings?
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 750 total points
ID: 23681110
The errors are the obvious issue.  You need to isolate the source of the errors.

Most of the time it's a speed/duplex issue (as stated previously).  If you have tried 10 full, 10 half, 100 full, 100 half and auto/auto and are still seeing errors with all of these, then the other .05% of the time it's a bad cable.

The remaining possible problems are: signal interference or bad interface on the PIX or the router.

I can't emphasize enough that trying "pretty much" all of the speed combinations is not the same as all.  There are only 5.  Try them all.  Clear the error interface counters.  Run for a bit.  Look for increasing error count.
0
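
The procedure in the accepted answer (clear the counters, run for a bit, look for an increasing error count), as an added example that is not part of the original thread: a Python sketch that parses the error counters from two `show interface` snapshots and reports which ones incremented. The sample lines are copied from the question's output; the zeroed baseline, the function names and the interpretation strings are assumptions of this example.

```python
import re

# Error counters as they appear in the PIX "show interface" output above.
ERROR_COUNTERS = ("runts", "giants", "input errors", "CRC", "frame", "overrun",
                  "output errors", "collisions", "late collisions",
                  "deferred", "lost carrier")

def parse_show_interface(text):
    """Return {counter: value} for the error counters found in the output."""
    counters = {}
    for name in ERROR_COUNTERS:
        # "<number> <name>", so "1 collisions" is not confused with
        # "0 late collisions" and "0 overrun" never matches "0 underruns".
        m = re.search(r"(?<![\w.])(\d+) " + re.escape(name) + r"\b", text)
        if m:
            counters[name] = int(m.group(1))
    return counters

def error_deltas(before, after):
    """Counters that grew between a post-clear baseline and a later snapshot."""
    return {k: v - before.get(k, 0) for k, v in after.items()
            if v > before.get(k, 0)}

def assess(deltas):
    """Rough reading of the deltas (a heuristic assumed by this example)."""
    if not deltas:
        return "clean: no errors incrementing at this speed/duplex setting"
    if deltas.get("late collisions"):
        return "late collisions: half duplex here against a full-duplex peer"
    if any(deltas.get(k) for k in ("CRC", "frame", "runts")):
        return "CRC/frame/runts: duplex mismatch, bad cable or bad interface"
    return "other errors incrementing: " + ", ".join(sorted(deltas))

# Error lines copied from the question's output (the later snapshot).
SAMPLE_AFTER = """\
        Received 14 broadcasts, 10 runts, 0 giants
        28 input errors, 15 CRC, 13 frame, 0 overrun, 15 ignored, 0 abort
        0 output errors, 1 collisions, 0 interface resets
        0 babbles, 0 late collisions, 8 deferred
        4 lost carrier, 0 no carrier
"""
# Constructed baseline: the same lines with every counter at zero.
SAMPLE_BEFORE = re.sub(r"\d+", "0", SAMPLE_AFTER)

if __name__ == "__main__":
    deltas = error_deltas(parse_show_interface(SAMPLE_BEFORE),
                          parse_show_interface(SAMPLE_AFTER))
    print(deltas)
    print(assess(deltas))
```

Run it once per speed/duplex setting with fresh snapshots; a setting is only good if `assess` reports a clean interval.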
 
LVL 1

Author Comment

by:negativelocity
ID: 24225475
Cavalier came and replaced their T1 router, which resolved the issue. Thanks for the input.
0

Question has a verified solution.
