Web Hosting Talk







Servers slower since we installed a Cisco pix firewall


Northtrex
10-29-2004, 08:15 PM
Hello,

We recently installed a new Cisco pix firewall on our servers located at ThePlanet. Since then, websites on our servers are slower. You can visit our website and you will understand what I mean. Our server admin, 2 technicians and ThePlanet technicians are working on the problem, but speed is still slow. We need your suggestions.

Thanks!

Changeling
10-29-2004, 09:16 PM
Going to take a shot in the dark here since it could be any number of things, but what OS do your servers run?

Might as well get the ball rolling and the comments coming in. :)

Brian

Northtrex
10-30-2004, 02:33 AM
Red Hat Enterprise

Thanks.

Babushka99
10-30-2004, 06:43 PM
If you have detailed logging enabled, that can be one culprit; for deep packet analysis (I am not 100% sure if Cisco has this feature), that will easily add 50-80 ms latency into your network.

If you are rate limiting your incoming connections, i.e. say only 400Kbps maximum traffic per IP, then that could be the cause.

The best way is to disable the firewall, and run some loading time tests.

Enable the firewall and do the same.

If there is a visible disparity between the two, take the firewall in default mode, turn all the advanced features off, and do the load tests again.

Turn features on one by one and see which specific security setting is causing latency whilst loading.

A real weird problem could be if you are in a reverse proxy mode; that usually adds a lot of delay.

If you cannot find anything wrong, do two more things...

1. Ask for another firewall and see if the results are the same.
2. Try downgrading the OS on the firewall one notch to see if that helps.

These are, needless to say, random thoughts, but give them a try nonetheless if you can.

Babs.
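
An added example, not part of Babushka99's post: one way to score the firewall-off versus firewall-on load tests described above, so that added latency (the logging or inspection case) is told apart from a bandwidth cap (the rate-limiting case). The function names, the 20 ms and 80% thresholds, and the sample timings are assumptions constructed for illustration.

```python
import socket, statistics, time
from urllib.parse import urlsplit

def measure(url, timeout=10.0):
    """One plain-HTTP GET: (connect_ms, first_byte_ms, bytes, transfer_s)."""
    u = urlsplit(url)
    t0 = time.perf_counter()
    sock = socket.create_connection((u.hostname, u.port or 80), timeout=timeout)
    t1 = time.perf_counter()
    with sock:
        req = f"GET {u.path or '/'} HTTP/1.0\r\nHost: {u.hostname}\r\n\r\n"
        sock.sendall(req.encode())
        data = sock.recv(65536)
        t2 = time.perf_counter()
        received = len(data)
        while data := sock.recv(65536):
            received += len(data)
    return ((t1 - t0) * 1e3, (t2 - t1) * 1e3, received, time.perf_counter() - t2)

def summarise(samples):
    """Median connect ms, first-byte ms and transfer rate (kbit/s)."""
    rates = [b * 8 / 1000 / max(t, 1e-6) for _, _, b, t in samples]
    return (statistics.median(s[0] for s in samples),
            statistics.median(s[1] for s in samples),
            statistics.median(rates))

def compare(baseline, candidate, latency_ms=20.0, rate_ratio=0.8):
    """What one firewall setting costs relative to the firewall-off run.
    Both thresholds are illustrative assumptions; tune them to your noise."""
    b_conn, b_first, b_rate = summarise(baseline)
    c_conn, c_first, c_rate = summarise(candidate)
    findings = []
    if c_conn - b_conn > latency_ms:
        findings.append("connect latency")
    if c_first - b_first > latency_ms:
        findings.append("first-byte latency")
    if c_rate < b_rate * rate_ratio:
        findings.append("throughput cap")
    return findings

# Constructed sample runs (not measurements from the thread).
FIREWALL_OFF = [(12, 30, 500_000, 0.40), (11, 29, 500_000, 0.41), (13, 31, 500_000, 0.40)]
LOGGING_ON = [(70, 95, 500_000, 0.42), (66, 90, 500_000, 0.41), (75, 99, 500_000, 0.43)]
RATE_LIMIT_ON = [(13, 31, 500_000, 10.0), (12, 30, 500_000, 10.1), (12, 32, 500_000, 9.9)]

if __name__ == "__main__":
    for name, run in [("logging", LOGGING_ON), ("rate limit", RATE_LIMIT_ON)]:
        print(name, compare(FIREWALL_OFF, run))
```

To use it on live data, collect several `measure()` results per firewall setting against the same large static file and pass the lists to `compare()`.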

Northtrex
10-30-2004, 10:09 PM
Thank you Babushka99,

ThePlanet just gave us a call and they tell us a NAT firewall is not supposed to slow down a server at all.

Thanks again!

datums
10-31-2004, 04:12 AM
So is the problem fixed?

If without the FW the server loads faster, I would get the NetEngs to investigate the issue. Seems the images take some time to load.

dkitchen
10-31-2004, 05:49 AM
Hi,

I wouldn't use NAT at all in a web environment; it's generally used for sharing internet between home users with private IPs, and when used in a hosting environment is very messy. It doesn't slow outgoing traffic, but is slow with incoming connections.

Sounds to me most likely that rate-limiting is enabled.

If that doesn't solve it, try upgrading the IOS from the Cisco website.

Dan