yaminz66 (United Kingdom) asked:
Slow Broadband Speed behind the Firewall

Hi

I have just upgraded to Cat6 cable, which permits 1 Gig transmission of data. Behind the ADSL router I get 12MB download, but as soon as I put my Cisco 501 PIX firewall in, I only get half that. It has the old 10BT Ethernet connection on both interfaces (inside and outside).

I suspect this is the bottleneck and hence am thinking of upgrading to the latest ASA firewall, which has a 1Gb connection on the interface.

Am I right about the slow broadband speed issue behind the firewall?

regards
Tony Giangreco (United States):

Yes, I agree with needing to upgrade and get past the 10BT LAN connection on the Cisco.
I think the firewall, the way you describe it, is probably the issue. Since you put in new cable and you get good speeds at the modem, I would (if it were me) substitute a newer model firewall. It is likely the issue and modernizing a firewall does not go amiss. ... Thinkpads_User
The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.

Source http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

The 501 isn't the issue; it can do 60 Mbps and has 10/100 Mb connections.  Could be cabling or a duplexing issue.
Of course if you are actually getting 12 MB not 12 Mb, that's a different story.

Internet speeds are usually Mb (Megabit) not MB (megabyte).
From what you say it would certainly indicate that the firewall is the bottleneck.  The spec sheet on Cisco's web site says that the firewall should cope with 60Mb of clear text throughput; however, it also says that the ports are auto-sensing 10/100.  You might want to try forcing the ports to 100Mb/sec to see if it is an auto-sensing issue (or I could be looking at a newer version of the 501 than the one you have).  VPN encrypted traffic will be much slower as this box is relatively light on processing power.

Rule order also has an impact, try moving rules that will be hit most frequently to the start of the list and those that are triggered rarely to the end.

Hope this helps

Priz
ArneLovius:
Either the PIX or the Cable Modem has failed negotiation.

If you console onto the PIX and do a "show interface" it will show what speed it has negotiated to.
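To read the negotiated speed and duplex out of that output without eyeballing it, here is an added Python example (not from any poster in this thread): it parses a constructed sample in the PIX 6.x "show interface" layout, which is assumed from memory rather than taken from a real capture, and flags a 10 Mbit link, half duplex, CRC errors and late collisions, the usual signs of a failed negotiation or a duplex mismatch with the modem.

```python
import re

# Constructed sample in the PIX 6.x "show interface" layout (the line format is
# assumed, not a real capture); only the lines the parser reads are included.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 10000 Kbit half duplex
        37 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 babbles, 58 late collisions, 0 deferred
interface ethernet1 "inside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit full duplex
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 babbles, 0 late collisions, 0 deferred
"""

def parse_show_interface(text):
    """Return {interface: details} for every interface block in the output."""
    result = {}
    # Each block starts at a line beginning with "interface "; the first chunk
    # produced by the split is whatever precedes it (empty here).
    for block in re.split(r"(?m)^(?=interface )", text):
        head = re.match(r'interface (\S+) "(\w+)" is (\w+)', block)
        if not head:
            continue
        bw = re.search(r"BW (\d+) Kbit (half|full) duplex", block)
        crc = re.search(r"(\d+) CRC", block)
        late = re.search(r"(\d+) late collisions", block)
        result[head.group(1)] = {
            "name": head.group(2),
            "up": head.group(3) == "up",
            "speed_mbit": int(bw.group(1)) // 1000 if bw else None,
            "duplex": bw.group(2) if bw else None,
            "crc_errors": int(crc.group(1)) if crc else 0,
            "late_collisions": int(late.group(1)) if late else 0,
        }
    return result

def negotiation_findings(details):
    """List the bad-negotiation symptoms visible in one interface's counters."""
    findings = []
    if details["speed_mbit"] is not None and details["speed_mbit"] < 100:
        findings.append("negotiated at %d Mbit" % details["speed_mbit"])
    if details["duplex"] == "half":
        findings.append("half duplex")
    if details["late_collisions"]:
        findings.append("late collisions: classic duplex mismatch symptom")
    if details["crc_errors"]:
        findings.append("CRC errors: cabling fault or duplex mismatch")
    return findings
```

Run it against the outside interface of the sample and all four symptoms come back; the inside interface comes back clean.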
yaminz66 (asker):

Hi

The PIX 501 was the bottleneck -

On the first PIX 501, I could not set the outside interface to more than 10baset.

However, on the second PIX I was able to set that to 100baset and 100full. Now I am getting 12MB speed.

The only difference between the two PIXes was the OS version. The second one had a later version, and that I think was the problem.

Regards
skullnobrains:

I'd go either for a failed negotiation probably ending in the link being half-duplex somewhere, or possibly even half duplex on one side and full duplex on the other.

Changes in MTU may as well cause the same kind of problem by forcing the router to do packet recombination all the time. This should be easy to tell using a simple ping command with varying data length between 1400 and 1500.

Either of those should become pretty obvious running a network sniffer and looking for packet loss and/or TCP windows being renegotiated all the time.

I do not know much about the maximum performance of Cisco boxes, but for the record, a Pentium 3 with 256MB of RAM running a decent firewall is able to use two 100Mb network cards at full speed and 100000 simultaneous connections with negligible performance impact, and the processor would not reach 5% usage.
Glad I was able to help.  At least you didn't need to invest in a new firewall!
Having spent a small amount of time checking, it sounds more like a faulty port or a configuration issue than a software issue. I would suggest doing a factory reset on the "faulty" PIX and seeing if it then negotiates at 100Mb.

To do this, in enable mode do

configure factory-default


@yaminz66
Sorry about my previous useless comment: I probably was typing while you posted.

Can you please give us some feedback concerning the hardware on the other side?
Especially if it still does not negotiate properly after you reset the Cisco.
Some vendors have known incompatibilities, and I'd be glad to update my list.
I've requested that this question be closed as follows:

Accepted answer: 0 points for yaminz66's comment #38019223

for the following reason:

I managed to solve this by using a PIX with a later version of the OS which allows 100MB connection.
Several experts contributed to your "solution".  The original question was answered by me.
bump,
I recommend accepting @RPPreacher's original comment for correctly identifying the problem, and possibly ArneLovius's comments for providing means to confirm the origin of the problem.

The solution that consists in exchanging the hardware for the same hardware without the original misconfiguration, and a possibly unrelated newer OS version, is both unrelated to the problem and definitely suboptimal, to say the least.
All documentation that I have found about the PIX 501 states that all of the ports are 10/100.
//All documentation that I have found about the PIX 501 states that al of the ports are 10/100.//

The PIX I used had the older OS and it would not take the command -

"Interface Ethernet0 100baset"

It came back with "only 10baset is allowed"

When I used the second PIX - it allowed it.

I am only relating what happened.

Regards
As can be seen from here and here the PIX 501 is 10/100 on all ports.
OK - but then why the other PIX did not permit 100baset command?
SOLUTION
ArneLovius (United Kingdom):
//I have now found reference to an early version of the PIX 501 where the HARDWARE on the wan interface was only a 10baseT port.//

Yes, this is what I found. Hence I think it should be closed now. Thanks ArneLovius
ASKER CERTIFIED SOLUTION
My point is that you discovered this after I had posted the command that would have made this obvious to you if you had run it, and you then claimed incorrectly that it was a software issue, which it was not.

At the time that you first tried to close the question, your answer was incorrect.
Several experts contributed to your identifying this solution.  Some reason not to thank them by awarding points?
No objection.

Thanks for the input.

For those interested,
http://www.cisco.com/en/US/docs/security/pix/pix62/quick/guide/501quick.pdf
is the doc for 2.1 (which is 10baseT) and can be viewed without registering.

Recent versions are described as such:
Outside: Integrated 10/100 Fast Ethernet port, auto-negotiate (half/full duplex), RJ-45
Inside: Integrated auto-sensing, auto-MDIX 4-port 10/100 Fast Ethernet switch, RJ-45

I couldn't track which is the first non-10baseT version.
I had identified that the bottleneck was the Ethernet speed of the PIX device, but I was unsure if this was a limitation of hardware or software; I suspected the latter as the two PIXes were identical. However, the other contributor found documents proving that the earlier version of the PIX had that limitation. This is also unusual in that the older version of the PIX was bought later.