Download issue

Hello,
I've been searching online to find the answer to my issue and I think I know what it is but just want to verify with experts out there who are familiar with Cisco firewalls.

I have a Pix515e firewall for a company with about 70 users. Yes, I know it's old and EOL but trying to come up with a budget to replace the firewall, routers, along with other needs gets difficult. Anyways, back to my setup.

Pix515e with redundancy
Cisco 2811 router
100Mbps up/down internet

So my issue is when I download large files from major vendors like Apple, Adobe,... or some websites, the download would start out fast but would slow down to a crawl during the download. If I pause and then restart, it would go back up to the fast speed but then slow down again and the cycle continues until it finishes downloading. Good speed is between 4Mbps-10Mbps download. This is on multiple computers, Mac/Windows, multiple browsers. I have tried downloading on a different network and it downloads fine all the way through. Then I downloaded on my network but outside the firewall and it downloaded fine all the way through. The obvious answer is my firewall is the cause but is there another cause other than the firewall or is there a fix that I can try other than buying a new ASA firewall?

Any help is greatly appreciated!
thaweb Asked:
John, Business Consultant (Owner) Commented:
I had to replace my own Cisco router to get faster throughput to match my ISP. The old router would sometimes do what yours is doing. My new Cisco RV325 gives 900 Mbits/sec throughput and never slows down. I think you do need to replace the Cisco router.
Nelson Obi Commented:
Have you tried looking into the MTU size you are using on the firewall versus what your ISP is using? This usually causes this kind of problem. The way to find out is look into the MTU size used on the working devices and check what you are using on the firewall.
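
One way to measure the MTU comparison suggested in the comment above, as an added example that is not part of the original thread: binary-search the largest ICMP payload that gets a reply with Don't Fragment set, then add the 28 header bytes. It assumes Linux iputils `ping`; `simulated_path` and its 1492 value are constructed stand-ins so the logic runs offline.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, timeout_s=2):
    """One ICMP echo with DF set (Linux iputils flags); True if a reply arrived."""
    cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
           "-W", str(timeout_s), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return done.returncode == 0


def largest_df_payload(probe, low=0, high=1472):
    """Largest payload in [low, high] for which probe(payload) is True.

    Assumes smaller packets pass whenever larger ones do. Returns None when
    even the smallest probe fails (host down or ICMP filtered), because the
    result would then say nothing about MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits; search above it
        else:
            high = mid - 1   # mid was dropped; search below it
    return low


def path_mtu(probe, link_mtu=1500):
    """Path MTU in bytes as seen by probe, or None if nothing got through."""
    payload = largest_df_payload(probe, 0, link_mtu - IP_ICMP_OVERHEAD)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real path: replies only if the packet fits."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:    # real measurement against the given host
        print("path MTU:", path_mtu(lambda p: ping_df(sys.argv[1], p)))
    else:                    # offline demo with a constructed 1492-byte path
        print("simulated path MTU:", path_mtu(simulated_path(1492)))
```

Running it once from a host behind the firewall and once from a host outside it gives the two numbers to compare; a single lost reply can lower the result, so repeat a run before trusting a difference.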
thaweb, Author Commented:
Thanks for the quick response John but wouldn't my current router be in play even if I'm outside the firewall?
John, Business Consultant (Owner) Commented:
If you are going through the router at all, then yes, it will be a factor. If you remove the router and go directly to your ISP do you have the same issue?  If so, the ISP could be at fault.
thaweb, Author Commented:
Nelson, I don't know how to look into the MTU size on my firewall or my ISP. I have a vendor that helped me with this but he's not been answering my emails.

John, I believe I'm going through the router even on the outside of the firewall since I'm using my public IP and not my ISP's IP so the router is involved. BTW, it works just fine outside the firewall as I mentioned.
John, Business Consultant (Owner) Commented:
MTU size affects VPN but should not bother NON-VPN traffic. MTU is part of the WAN setup.

I assume your router and firewall are combined. If not, what is the firewall?  Because it could have the same issue.
thaweb, Author Commented:
Firewall Pix515e
Router Cisco 2811
John, Business Consultant (Owner) Commented:
Thanks. Modern equipment usually combines these functions. So then your firewall is probably the problem and the same limiting throughput issue inside.

You can back up the configuration and do a hard reset of the firewall to see if that helps, but modern network gear usually solves this issue.

thaweb, Author Commented:
Thanks John. I did discuss this with my vendor a couple months back and he suggested I get the ASA5512-K9 with the Sec-PL for redundancy. Just waiting for the budget to be approved. Would replacing my 2811 with the RV325 be a big improvement or is it a low end Cisco router? We have around 70+ people in our office.
John, Business Consultant (Owner) Commented:
The Cisco RV325 is an entry level commercial router that I use in my home office.

You might look at a higher end commercial router for 70 people. I think what your vendor suggested would do the trick. The RV325 is around $300 and it does a great job for me.
John, Business Consultant (Owner) Commented:
@thaweb  - Thanks and I was happy to help. Good luck with newer networking gear.
thaweb, Author Commented:
One more question John. Can the ASA 5512 be used as both router and firewall at the same time? If not, I have a few ASA 5505 not being used, can I use the 5505 as a router instead of the 2811?
Thanks!
John, Business Consultant (Owner) Commented:
According to the overview below it can do both. I have not used it myself, but it appears that it can.

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html
thaweb, Author Commented:
Thanks again John!