PIX Firewall Latency issue

[Jake99]

Hope you guys can help!
The issue we are having is a latency issue with HTTP traffic from an IIS system in our DMZ to the LAN. Let me give you some background; we have two PIX 525 firewalls with six Ethernet ports on each, they are configured as:



Outside

Inside

DMZ1

DMZ2

DMZ3

Failover



These firewalls are configured active/hot standby. It can take up to several minutes to download a single web page from the DMZ to the LAN. What is extremely odd is that we do not have an issue when LAN systems retrieve data from the Outside port. It just happens when retrieving data from a DMZ port. Another item you should be aware of is that when data are retrieved from the IIS server using a non-standard port (81) it works fine. My next step is to take out the HTTP fixup in the PIX configuration to see if it has anything to do with this issue. Any thoughts about this problem?

Thanks
Jake99

 

[yizhar]

HI.

> My next step is to take out the HTTP fixup in the PIX configuration to see
I would have checked this also.
What were the results after testing?

These issues could also be related to Etherent duplex+speed settings. Try to use manual settings in the pix+switch+host.
Try to use an old unmanaged 10baseT hub instead of the switch of DMZ and see what happens.

Do you see any related info in either the pix and/or IIS server logs?

Is there any proxy server in the way?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar