Cisco PIX 515e firewall really slow....

Status
Not open for further replies.

wlandymore

Technical User
Dec 26, 2003
28
US
We used to have a Cisco PIX 506 and it went belly up. We just got a PIX 515e and we configured it the same way, but with less rules because some of the ones on the old PIX were not used any more. Even though it would seem that it has less to do, the internet access is really sluggish compared to what it used to be.

We have everything open at the moment; does anyone have any idea what might be causing this?

Or, are there any tips that might improve the performance of the 515e?
 
Depending on the size of your access lists, you can run them compiled. It worked on my routers and I would only think that it would work on the PIX as well. I have a PIX 515e as well, but the ACLs are not long enough for it to make a difference.

I think the command is
access-list compiled

Also, you might want to look at the interfaces; make sure they are running at 100 and full duplex. It is best to set them to auto. Make sure the switch ports are also set to auto, and look for collisions and errors.

If you don't need it, turn logging off or down so that it is only logging errors/alerts.

hope that helps

----------------------------
Josh
CCNA, MCSE 2003(in progress)
 
The access list on this thing is tiny, so it wouldn't do any good to compile it.
Both interfaces are up, running at 100 and full duplex. I have tried it at 100 and auto and both yield the same results.
I can try the switch ports, but these worked before with the other PIX so I can't see that as being a problem now.

I just don't know why it would cripple everything so badly...
 
What % is the processor running at?
sho proc

Have you looked to see if the latency varies when pinging the inside vs outside vs your ISP's router, etc?
 
Sorry about all the code. This is the first time I've actually used that command so I wasn't sure what was useful, etc.

-----------------------------------------------------
PC SP STATE Runtime SBASE Stack Process
Hsi 001ecf11 00950334 00565bd8 0 0094f3ac 3628/4096 arp_timer
Lsi 001f26c5 009f352c 00565bd8 0 009f25b4 3928/4096 FragDBGC
Lwe 00119aef 009ff6d4 00569340 0 009fe86c 3688/4096 dbgtrace
Lwe 003f27e5 00a01864 0055e510 8210 009ff91c 6752/8192 Logger
Hwe 003f6998 00a0495c 0055e7c0 0 00a029e4 8024/8192 tcp_fast
Hwe 003f6911 00a06a0c 0055e7c0 0 00a04a94 8024/8192 tcp_slow
Lsi 0030d391 00b3d18c 00565bd8 0 00b3c204 3916/4096 xlate clean
Lsi 0030d29f 00b3e22c 00565bd8 0 00b3d2b4 3548/4096 uxlate clean
Mwe 00304a63 00cd662c 00565bd8 0 00cd4694 7908/8192 tcp_intercept_timer_process
Lsi 0044a055 00d82f04 00565bd8 0 00d81f7c 3900/4096 route_process
Hsi 002f45ac 00d83f94 00565bd8 10 00d8302c 2424/4096 PIX Garbage Collector
Hwe 0021a459 00d8e4c4 00565bd8 0 00d8a55c 16048/16384 isakmp_time_keeper
Lsi 002f214c 00da7ddc 00565bd8 0 00da6e54 3944/4096 perfmon
Mwe 00211229 00dd220c 00565bd8 0 00dd0294 7860/8192 IPsec timer handler

Hwe 003a8933 00de6c94 00588aa8 0 00de4d4c 7000/8192 qos_metric_daemon
Mwe 00266705 00e017cc 00565bd8 0 00dfd864 15592/16384 IP Background
Lwe 003056da 00eb411c 0057c180 0 00eb32a4 3704/4096 pix/trace
Lwe 00305912 00eb51cc 0057c8b0 0 00eb4354 3704/4096 pix/tconsole
H* 0011f247 0009ff2c 00565bc0 4070 00ebd6bc 13120/16384 ci/console
Csi 002fd61f 00ec26c4 00565bd8 0 00ec176c 3432/4096 update_cpu_usage
Hwe 002e8a81 00f7336c 00544f60 0 00f6f4e4 15884/16384 uauth_in
Hwe 003f53ed 00f7546c 008c7e78 0 00f73594 7896/8192 uauth_thread
Hwe 0040c7fa 00f765bc 0055eb10 0 00f75644 3960/4096 udp_timer
Hsi 001e4a0e 00f7827c 00565bd8 0 00f77304 3928/4096 557mcfix
Crd 001e49c3 00f7933c 00566050 193910090 00f783b4 3584/4096 557poll
Lsi 001e4a7d 00f7a3dc 00565bd8 0 00f79464 3728/4096 557timer
Cwe 001e6619 00f904b4 007b3460 63710 00f8e5bc 6220/8192 pix/intf0
Mwe 0040c56a 00f915c4 009119e8 0 00f9068c 3896/4096 riprx/0
Msi 003b1ee9 00f926d4 00565bd8 0 00f9175c 3888/4096 riptx/0
Cwe 001e6619 00f988dc 0073def0 16060 00f969e4 5952/8192 pix/intf1
Mwe 0040c56a 00f999ec 009119a0 0 00f98ab4 3896/4096 riprx/1
Msi 003b1ee9 00f9aafc 00565bd8 0 00f99b84 3888/4096 riptx/1
Cwe 001ef355 00fa0d74 009149d0 0 00f9ee0c 8040/8192 pix/intf2
Mwe 0040c56a 00fa1e14 00911958 0 00fa0edc 3896/4096 riprx/2
Msi 003b1ee9 00fa2f24 00565bd8 0 00fa1fac 3888/4096 riptx/2
Hwe 003f5681 010137c4 0089e600 0 0101311c 1308/2048 listen/http1
Mwe 0037eb66 01015a4c 00565bd8 0 01013ad4 7960/8192 Crypto CA
----------------------------------------------------
 
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
 
Do a 'show interface' and see if you're counting input errors, CRC, etc...


BuckWeet
 
Yes, there are input errors and CRC on the outside interface.

-------------------
2655 input errors, 1234 CRC, 1260 frame, 0 overrun, 1234 ignored, 0 abort
1039328 packets output, 204789612 bytes, 0 underruns
0 output errors, 2957 collisions, 0 interface resets
0 babbles, 0 late collisions, 3994 deferred
4 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/119)
output queue (curr/max blocks): hardware (0/7) software (0/1)
--------------------
Is there any way to stop this?
 
Collisions are normal if the interface is in half duplex mode, so long as they stay < 2% or so. What is the switch configured for? Can you look at the interface on it and see if that is taking errors? If you lock both the PIX and switch at full duplex the errors should cease.

 
The switch we have doesn't seem to have a setting on the front (or anywhere else) that will allow me to switch to half-duplex, so I would assume that it operates in full-duplex all the time.
Would this cause a problem if the PIX is operating in half-duplex?
Also, if I wanted to switch the PIX to full-duplex, where can I configure that? On the interface, I assume...
 
Look at your config; the first few lines go something like this:

interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 auto
interface ethernet3 100full

Anything that says auto, change to 10full or 100full, whatever is appropriate for your switch. Expect a second or two of outage. If you set it wrong you might lose the entire connection, so be careful if you set the inside interface while telnetted in through it.
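The advice in this thread boils down to reading the 'show interface' error counters and deciding whether they point at a speed/duplex mismatch or a bad cable. The following Python script is an added example, not something posted in the thread or shipped by Cisco: it parses a counter block in the PIX format (the sample below is constructed from the excerpt quoted earlier in this thread) and applies the rules the replies give, namely the "collisions under 2% is normal in half duplex" rule of thumb, late collisions as a classic half-duplex-side mismatch symptom, and any CRC/frame errors as a reason to check cabling and the duplex setting on both ends. The 2% threshold and the `duplex` argument are assumptions taken from the discussion, not from any Cisco documentation.

```python
import re

# Constructed sample, copied from the `show interface` output quoted in this thread.
SAMPLE = """\
2655 input errors, 1234 CRC, 1260 frame, 0 overrun, 1234 ignored, 0 abort
1039328 packets output, 204789612 bytes, 0 underruns
0 output errors, 2957 collisions, 0 interface resets
0 babbles, 0 late collisions, 3994 deferred
4 lost carrier, 0 no carrier
"""


def parse_counters(text):
    """Return {counter name: value} for every 'N name' item in a PIX counter block.

    Items are comma separated, e.g. '1234 CRC' or '1039328 packets output'.
    Lines that do not follow that shape (queue lines, headers) are ignored.
    """
    counters = {}
    for line in text.splitlines():
        for item in line.split(","):
            m = re.match(r"\s*(\d+)\s+(.+?)\s*$", item)
            if m:
                counters[m.group(2)] = int(m.group(1))
    return counters


def assess(counters, duplex="half", collision_threshold_pct=2.0):
    """Apply the thread's rules of thumb to a parsed counter dict.

    duplex: what the PIX interface is configured for ("half" or "full");
    the thread's point is that collisions mean something different in each case.
    Returns the collision percentage and a list of human-readable findings.
    """
    findings = []
    out_pkts = counters.get("packets output", 0)
    collisions = counters.get("collisions", 0)
    coll_pct = 100.0 * collisions / out_pkts if out_pkts else 0.0

    if duplex == "full" and collisions:
        # A full-duplex link cannot legitimately see collisions at all.
        findings.append("collisions on a full-duplex interface: duplex mismatch with the peer")
    elif coll_pct > collision_threshold_pct:
        findings.append(
            f"collision rate {coll_pct:.2f}% exceeds {collision_threshold_pct}%: "
            "congested half-duplex segment or mismatch"
        )

    if counters.get("late collisions", 0):
        findings.append("late collisions: half-duplex side of a duplex mismatch")

    crc = counters.get("CRC", 0)
    frame = counters.get("frame", 0)
    if crc or frame:
        findings.append(
            f"{crc} CRC / {frame} frame errors: check cabling and that both ends "
            "agree on speed and duplex"
        )

    return {"collision_pct": round(coll_pct, 3), "findings": findings}


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE)
    for mode in ("half", "full"):
        result = assess(parsed, duplex=mode)
        print(f"PIX interface assumed {mode} duplex: {result['collision_pct']}% collisions")
        for f in result["findings"]:
            print("  -", f)
```

Run it against a pasted counter block; the two passes show why the reply asked what the switch is set to: the same numbers are a mild warning if the PIX is half duplex and a definite mismatch if it claims full duplex.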
 
Still no improvement.
I tried them all on 10, 100 and auto. I also tried the outside interface at 10 (because it goes into a 10 line, cable modem) and then 100 on the inside. Still no joy.

I appreciate all of the help though...
 