Access is slow between networks; fine on same subnet

[stevenriz]

Our PIX515 runing 6.1(1) is configured for 4 networks.
e0. outside (public)
e1. inside (private 192.xxx.2.xxx)
e2. vpndmz (public)
e3. corp (private 192.xxx.1.xxx)

- MTU is 1500 for all interfaces

I am concerned here with access between interface e1 and interface e3. We notice some serious lag going from the ".2" network to the ".1" network and vice versa. We specifically notice this when FTPing large files back and forth as we FTP files as big as 4gb nightly and these FTP processes have been timing out. Access between servers that are both on the ".2" network OR servers both on the ".1" network are fast. It is only access between the 2 networks via the PIX515 that is very slow.

The interfaces are hard coded to 100basetx. What could cause this and what would you propose we look at and/or change?

 

[karmic]

ok, i'm going to assume that when you added your internal addresses for the VPN tunnel, you probably used a subnet mask of 255.255.255.0?

Try using 255.255.255.255 on both ends to see if traffic calms down a little... I may be wrong but using the subnet mask of 255.255.255.0 creates alot more traffic over the vpn. Just don't know why for the life of me...

~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[stevenriz]

I don't know that I can change that on both ends. The other end is owned by my ISP so this might take some work. Nevertheless why or how would the VPN network effect the others? VPN access is satisfactory.

ip address outside pub.lic.ip.add 255.255.255.240
ip address inside 192.168.2.10 255.255.255.0
ip address vpndmz 172.16.2.1 255.255.255.0
ip address corp 192.168.1.10 255.255.255.0

 

[karmic]

ok, i'm assuming you're running a pix to pix (or pix to something) ipsec firewall...

try setting like this
192.168.2.10 255.255.255.255
192.168.1.10 255.255.255.255
just for the ipsec on the routers.


~ K.I.S.S - Don't make it any more complex than it has to be ~

 

[chicocouk]

VPNs have nothing to do with the problem whatsoever. The problem is routing traffic between two interfaces. Nothing to do with vpns at all.

There are known ftp issues with PIX. Have a look at these links, see if they help

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP

 

[WebSpyExpert]

Have you thought about a Network Optimization system? You can monitor exactly which traffic types are slowing you down and causing your dropoffs. It wil also allow you to double check SLA. If you want more information contact the fine people at

http://www.webspy.com

and they will get you more information.

 

[chicocouk]

Except a "network optimisation system" (log analyser?) will be absolutely no use whatsoever if the problem is down to the known issues with ftp through a pix, so why are you spamming this thread?

Have you thought about a laptop? They're nice, pc world have lots. Won't help you sort out your problem, but get on down there and spend spend spend.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP