[fw-wiz] Slow FTP downloads from behind PIX - Firewalls


Thread: [fw-wiz] Slow FTP downloads from behind PIX

  1. [fw-wiz] Slow FTP downloads from behind PIX

    I'm having some issues with FTP traffic through our Cisco PIX 515E.
    Our corporate FTP server is located outside the firewall, and we
    recently upgraded the FTP server software. This resulted in a noticeable
    increase in the speed uploading files to the server (5 MB/s+). However
    when attempts were made to download files from the server speeds
    average about 300 KB/s, rapidly fluctuating between 30KB/s and 600
    KB/s. Downloading the same file to a server outside our firewall
    resulted in speeds of about 6MB/s.

    Looking at the firewall: the default inspection scheme is enabled, and
    the FTP inspection is turned on. The FTP server requires active
    transfer mode, and everything works, albeit slowly. After turning off
    FTP inspection connections to the FTP server did not work until
    enabling passive mode, but that didn't change the speeds at all.

    I should probably also mention that the PIX is not doing any NAT. All
    the workstations and servers here have Internet routable IP addresses
    (206.75.x.x).

    Any suggestions?

    Thanks,
    Darren
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] Slow FTP downloads from behind PIX

    Check the duplex settings on all the related links.

    --Trey

    Darren Maskowitz wrote:
    | I'm having some issues with FTP traffic through our Cisco PIX 515E.
    | Our corporate FTP server is located outside the firewall, and we
    | recently upgraded the FTP server software. This resulted in a noticeable
    | increase in the speed uploading files to the server (5 MB/s+). However
    | when attempts were made to download files from the server speeds
    | average about 300 KB/s, rapidly fluctuating between 30KB/s and 600
    | KB/s. Downloading the same file to a server outside our firewall
    | resulted in speeds of about 6MB/s.
    |
    | Looking at the firewall: the default inspection scheme is enabled, and
    | the FTP inspection is turned on. The FTP server requires active
    | transfer mode, and everything works, albeit slowly. After turning off
    | FTP inspection connections to the FTP server did not work until
    | enabling passive mode, but that didn't change the speeds at all.
    |
    | I should probably also mention that the PIX is not doing any NAT. All
    | the workstations and servers here have Internet routable IP addresses
    | (206.75.x.x).
    |
    | Any suggestions?
    |
    | Thanks,
    | Darren

    --
    Kingfisher Operations
    Trey Darley - Principal
    toll-free: 866.703.0660
    landline: +1 / 404.455.1516
    mobile: +352/621.384.160


  3. Re: [fw-wiz] Slow FTP downloads from behind PIX

    Many years ago we had a similar problem. Traffic moving one way (I forget if it was uploads or downloads). After weeks of troubleshooting, I inspected and replaced the network cable. Turns out 1 wire wasn't making complete contact and the slow speed was actually the result of retransmitting bad packets.

    Recently we had a similar problem with traffic in both directions. Completely random. We replaced the firewall, server, etc. We were running a wireless T1. The internet provider insisted that the connection tested fine. Throughout the spring the problem became worse until one (windy) day last week when our connection became unusable. The internet provider came out and discovered trees had grown about 1/2 mile away in the path of the wireless tower. Over the spring the leaves grew in and on windy days caused havoc on the TCP transmissions.

    Both incidents taught me never to rule out the lower layers when it comes to networking.

    We used packet captures in both cases during the troubleshooting process.

    Hope this helps.

    Bill

    -----Original Message-----
    From: firewall-wizards-bounces@listserv.cybertrust.com [mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Darren Maskowitz
    Sent: Wednesday, June 11, 2008 2:08 PM
    To: Firewall Wizards Security Mailing List
    Subject: [fw-wiz] Slow FTP downloads from behind PIX

    I'm having some issues with FTP traffic through our Cisco PIX 515E.
    Our corporate FTP server is located outside the firewall, and we recently upgraded the FTP server software. This resulted in a noticeable increase in the speed uploading files to the server (5 MB/s+). However when attempts were made to download files from the server speeds average about 300 KB/s, rapidly fluctuating between 30KB/s and 600 KB/s. Downloading the same file to a server outside our firewall resulted in speeds of about 6MB/s.

    Looking at the firewall: the default inspection scheme is enabled, and the FTP inspection is turned on. The FTP server requires active transfer mode, and everything works, albeit slowly. After turning off FTP inspection connections to the FTP server did not work until enabling passive mode, but that didn't change the speeds at all.

    I should probably also mention that the PIX is not doing any NAT. All the workstations and servers here have Internet routable IP addresses (206.75.x.x).

    Any suggestions?

    Thanks,
    Darren


  4. Re: [fw-wiz] Slow FTP downloads from behind PIX

    On Thu, 12 Jun 2008, Trey Darley wrote:

    > Check the duplex settings on all the related links.


    When doing this, watch out for cases where one side is set to auto and the
    other is hard-set.

    David Lang

    > --Trey
    >
    > Darren Maskowitz wrote:
    > | I'm having some issues with FTP traffic through our Cisco PIX 515E.
    > | Our corporate FTP server is located outside the firewall, and we
    > | recently upgraded the FTP server software. This resulted in a noticeable
    > | increase in the speed uploading files to the server (5 MB/s+). However
    > | when attempts were made to download files from the server speeds
    > | average about 300 KB/s, rapidly fluctuating between 30KB/s and 600
    > | KB/s. Downloading the same file to a server outside our firewall
    > | resulted in speeds of about 6MB/s.
    > |
    > | Looking at the firewall: the default inspection scheme is enabled, and
    > | the FTP inspection is turned on. The FTP server requires active
    > | transfer mode, and everything works, albeit slowly. After turning off
    > | FTP inspection connections to the FTP server did not work until
    > | enabling passive mode, but that didn't change the speeds at all.
    > |
    > | I should probably also mention that the PIX is not doing any NAT. All
    > | the workstations and servers here have Internet routable IP addresses
    > | (206.75.x.x).
    > |
    > | Any suggestions?
    > |
    > | Thanks,
    > | Darren
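An added example, not part of any post in this thread and not vendor code, showing why the auto/hard-set combination raised in the last reply matters: the auto side cannot negotiate with a hard-set peer and falls back to half duplex, and the resulting mismatch shows up as different error counters on each end. It assumes 10/100 copper ports; the port names, counter names and counts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    autoneg: bool                   # True = "auto", False = hard-set
    speed: Optional[int] = None     # Mb/s, used only when hard-set
    duplex: Optional[str] = None    # "full" or "half", used only when hard-set

def operating_mode(local: Port, peer: Port) -> tuple:
    """Mode (speed, duplex) the local port runs in once the link is up."""
    if not local.autoneg:
        return (local.speed, local.duplex)   # hard-set: uses its own config
    if peer.autoneg:
        return (100, "full")                 # assumption: both ends support 100/full
    # Peer is hard-set, so it sends no negotiation pulses. Parallel detection
    # still senses the speed, but the fallback duplex is half.
    return (peer.speed, "half")

def check_link(a: Port, b: Port, counters: dict) -> list:
    """Return findings for one link; counters maps port name -> error counts."""
    mode_a, mode_b = operating_mode(a, b), operating_mode(b, a)
    findings = []
    if mode_a[0] != mode_b[0]:
        findings.append(f"speed mismatch: {a.name}={mode_a[0]} {b.name}={mode_b[0]}")
        return findings                      # no usable link, counters are moot
    if mode_a[1] != mode_b[1]:
        findings.append(f"duplex mismatch: {a.name}={mode_a[1]} {b.name}={mode_b[1]}")
    for port, mode in ((a, mode_a), (b, mode_b)):
        c = counters.get(port.name, {})
        if mode[1] == "half" and c.get("late_collisions", 0) > 0:
            findings.append(f"{port.name}: late collisions on half-duplex side")
        if mode[1] == "full" and c.get("crc_errors", 0) > 0:
            findings.append(f"{port.name}: CRC errors on full-duplex side")
    return findings

# Constructed sample: firewall port hard-set to 100/full, switch port left on auto.
FW = Port("fw-outside", autoneg=False, speed=100, duplex="full")
SW = Port("switch-port", autoneg=True)
COUNTERS = {"fw-outside": {"crc_errors": 412},
            "switch-port": {"late_collisions": 958}}

if __name__ == "__main__":
    for line in check_link(FW, SW, COUNTERS):
        print(line)
```

CRC errors reported on a link with no duplex mismatch point back at the physical layer, such as the bad cable described in the third post.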