Slow Firewall Performance

LakeyTW
Member
Posts: 86
Joined: Fri Jan 19, 2007 3:29 pm
Location: Salt Lake City, UT

#11

Post by LakeyTW »

jshawut wrote: Interesting update. Our Stake currently has 5 buildings using the same IP Addressing internally. I can't even begin to imagine what issues that has been causing.
Assuming they are using Network Address Translation and each is behind its own firewall and has a unique external IP address, it won't cause any problems at all.
russellhltn
Community Administrator
Posts: 34476
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#12

Post by russellhltn »

From what I've seen, each location has its own segment in the 10.x.x.x range. The situation must have been confusing the heck out of the VPN.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
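
The two posts above describe two different cases: identical internal ranges are harmless when each site only NATs out to the Internet, but ambiguous once those ranges are routed over a VPN to a common hub. The following is an added example, not part of the thread or of any Church tooling; the site names, subnets and the `vpn_routed` flag are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (assumption): one entry per building.
# vpn_routed=True means the LAN range is reachable through a site-to-site VPN;
# vpn_routed=False means the site only reaches the outside through NAT.
SITES = [
    {"name": "building-a", "lan": "192.168.1.0/24", "vpn_routed": True},
    {"name": "building-b", "lan": "192.168.1.0/24", "vpn_routed": True},
    {"name": "building-c", "lan": "192.168.1.0/24", "vpn_routed": False},
    {"name": "building-d", "lan": "10.20.30.0/24", "vpn_routed": True},
    {"name": "building-e", "lan": "10.20.0.0/16", "vpn_routed": True},
]


def vpn_conflicts(sites):
    """Return sorted (site, site, shared_range) tuples for VPN-routed LANs that overlap."""
    routed = [
        (s["name"], ipaddress.ip_network(s["lan"], strict=True))
        for s in sites
        if s["vpn_routed"]
    ]
    conflicts = []
    for (name1, net1), (name2, net2) in combinations(routed, 2):
        if net1.overlaps(net2):
            # Two overlapping CIDR blocks always nest, so the shared range
            # is whichever block has the longer prefix.
            shared = net1 if net1.prefixlen >= net2.prefixlen else net2
            conflicts.append((name1, name2, str(shared)))
    return sorted(conflicts)


def nat_only_sites(sites):
    """Sites whose duplicate ranges are hidden behind NAT and never seen by the hub."""
    return [s["name"] for s in sites if not s["vpn_routed"]]


if __name__ == "__main__":
    for a, b, shared in vpn_conflicts(SITES):
        print(f"ambiguous route at hub: {a} and {b} both claim {shared}")
    print("NAT-only (no conflict):", ", ".join(nat_only_sites(SITES)))
```
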
JamesAnderson
Senior Member
Posts: 773
Joined: Tue Jan 23, 2007 2:03 pm

#13

Post by JamesAnderson »

I have seen the same problem in FHC settings.

Sundays 4-6pm on the Wasatch Front sees a lot of sluggishness due probably to the amount of traffic into the Church network due to MLS send/receives. There is probably a similar hit earlier in the day as computers are turned on and Sophos updates, and due to send/receives to see if memberships came in, etc. These slowdowns due to network congestion appear to affect whoever is on the network, whether it be an FHC or a clerk computer, or perhaps some other computer elsewhere in the Church network.

I've heard of something out there called 'WAN optimization'. Could it be that something like that may be becoming a need to do given all the traffic that is now generated through the Church network now?
johnshaw
Senior Member
Posts: 2273
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

#14

Post by johnshaw »

WAN Optimization improves performance a great deal when you're dealing with ugly protocols like cifs, etc... I'm not sure what the traffic is that MLS does during a send/receive, so maybe WAN Optimization could help, however, my experience is that with broadband this is pretty quick. Other than that the largest amount of traffic is web based, which is a pretty thin protocol, I haven't had the experience to know whether it would help in these cases. What I do know is that WAN optimization would be extremely expensive (network appliances on both ends configured in-line) I'm not sure we truly drive enough traffic to justify it.

It would be interesting to know if the church has tried it out?
rknelson
Member
Posts: 124
Joined: Tue May 01, 2007 3:13 pm
Location: Oregon

#15

Post by rknelson »

We have been looking at the broadband connection speed to see if we needed to upgrade it. I did a speed test in front of and behind the firewall using a laptop with no other computers on in the building. It was at 10 PM on the west coast. I saw similar results to what others have reported.
15 Megabits down / 5 Megabits up in front of the firewall
2.3 Megabits down / 5 Megabits up after the firewall.

We have a new ASA 5505 firewall.

Is this normal? It seems a real waste of bandwidth.
JamesAnderson
Senior Member
Posts: 773
Joined: Tue Jan 23, 2007 2:03 pm

#16

Post by JamesAnderson »

At an FHC, I've seen similar things, we even switched from one ISP to another at mine.

The connection generally is more reliable now, usually for an advertised 1.5mbps connection we are seeing 1.0 to 1.3mbps down and about half that up.

Occasionally I've seen it from behind the firewall where it is faster to upload than download. One example is 0.60 down and 0.67 up. One night it was only 0.06 down and about 0.25 up, which meant the download speed was no better than dialup for a time that day.

Speed test used: speedtest.net, you can choose where you test from, ISPs host the service so you can test using several servers in your area, or even anywhere else for that matter.

All of this after swapping out an old Cisco PIX for a newer ASA 5505. No difference with either firewall box.
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

#17

Post by harddrive »

JedWare wrote: I should clarify. The firewall I am talking about is the Cisco PIX hardware. This has nothing to do with Sophos software.

Connecting behind the Cisco you see 1/10 your bandwidth compared to connecting directly to ISP.
JedWare, one thing you might want to have the global service desk do is to check the connection speed between the PIX firewall and the modem. I just looked up on Cisco.com about the PIX and here is what I read:

The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.

So if the church is using 3DES or triple DES then the best speed you will get is 3 megabits per second, but it should be able to handle your 21 megabit per second speed. So I would say something is up with the firewall.

Hope this helps.
JamesAnderson
Senior Member
Posts: 773
Joined: Tue Jan 23, 2007 2:03 pm

#18

Post by JamesAnderson »

Might I also be seeing some of the same speed issues I'm reporting due to the encryption method being used through the ASA 5505?
russellhltn
Community Administrator
Posts: 34476
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#19

Post by russellhltn »

harddrive747 wrote: The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.
I tried to find the same information for the ASA 5505 that JamesAnderson is using, but didn't have much luck.
schester
New Member
Posts: 37
Joined: Sun Sep 30, 2007 11:40 am

#20

Post by schester »

The ASA 5505 will do 150 Mbps or 100 Mbps on the VPN.

http://www.cisco.com/en/US/products/ps6 ... ~mid-range

These devices should not put any noticeable strain on the network at all. It is possible the VPN to SLC is slowing things down dramatically, but I am unaware if the VPN is there only for management or if all traffic is sent through the connection which seems a bit overkill.