Our PAN 4020 device is deployed to enforce visibility and control for all user-generated traffic (from LAN to Internet and from Internet to DMZ).
This is the scenario:
- 2 fw, performing layer3 and NAT
- 2 IPS, performing IPS and Bandwidth Management functions
- 2 4020 in vwire using SFP, after the IPS and before the Internet router (PAN configured with 2 VSYS and 2 TAP interfaces capturing other kinds of traffic)
(LAN)(DMZ) -> FW -> IPS -> 4020 -> Internet (200Mbps)
Maximum traffic rate registered on the PAN device is 100Mbps with 50k maximum connections.
These are the issues:
- slow download rates accessing services in the DMZ from Internet
- slow upload rates accessing Internet from LAN (drop down to 50Kbps)
These issues have been reproduced and verified many times and seem to involve HTTP traffic only. This strange behaviour happens with the PAN inserted on the Internet traffic only. Removing the PAN box recovers the expected traffic rates.
Did anyone have the same issue?
Any interesting tips or places to investigate?
Thanks for your support
The first thing I would check is that the interface speeds match the device they are plugged into. If the PAN plugs into a switch, and the interfaces on the switch are forced to 100Mb/Full, make sure the PAN is configured the same way. If the switch interfaces are set Auto/Auto, configure the PAN the same way.
Some relevant commands to run via CLI:
show system statistics - shows total bandwidth passing through the PAN
show running resource-monitor - shows data plane CPU usage at different time intervals
show system resources - shows management plane CPU usage
Do you have QOS enabled?
What application is the PAN detecting this traffic as?
On a related note, only apply url filter to outbound internet traffic.
Do not apply URL filtering on your own internal servers.
If you continue to have problems you should contact support.
I have the same problem with Vwire on PAN 4050, did anybody come to know about the cause/solution for this behaviour?
With the PAN inline, check the drop counter "tcp_out_of_win", shown with the command show counter global.
The drop counter grows if local QoS is enabled or there is a traffic shaper between the PAN device and other segments.
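One way to carry out the check from the last reply on saved CLI output, as an added example that is not part of the original thread: it compares two snapshots of `show counter global` and reports which counters grew, including `tcp_out_of_win`. The snapshots are constructed and their column layout is an assumption; the function names are hypothetical.

```python
# Constructed sample snapshots; the column layout (name, value, rate, severity,
# category, aspect, description) is an assumption about the CLI output.
SNAP_BEFORE = """\
name                 value   rate severity category aspect  description
------------------------------------------------------------------------
pkt_recv           1200000    950 info     packet   pktproc Packets received
tcp_out_of_win         310      0 warn     tcp      pktproc TCP out of window packets dropped
"""
SNAP_AFTER = """\
name                 value   rate severity category aspect  description
------------------------------------------------------------------------
pkt_recv           1500000   1000 info     packet   pktproc Packets received
tcp_out_of_win        4810     15 warn     tcp      pktproc TCP out of window packets dropped
"""

def parse_counters(text):
    """Return {counter_name: value} for rows whose second column is an integer."""
    counters = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, the separator and blank lines.
        if len(fields) >= 2 and fields[1].isdigit():
            counters[fields[0]] = int(fields[1])
    return counters

def counter_growth(before, after, seconds):
    """Return {name: (delta, per_second)} for counters that increased."""
    old, new = parse_counters(before), parse_counters(after)
    growth = {}
    for name, value in new.items():
        delta = value - old.get(name, 0)
        if delta > 0:
            growth[name] = (delta, delta / seconds)
    return growth

def out_of_window_ratio(before, after):
    """Share of newly received packets that were dropped as out of window."""
    old, new = parse_counters(before), parse_counters(after)
    received = new["pkt_recv"] - old["pkt_recv"]
    dropped = new.get("tcp_out_of_win", 0) - old.get("tcp_out_of_win", 0)
    return dropped / received if received > 0 else 0.0

if __name__ == "__main__":
    # 300 is the constructed number of seconds between the two snapshots.
    for name, (delta, rate) in counter_growth(SNAP_BEFORE, SNAP_AFTER, 300).items():
        print(f"{name}: +{delta} ({rate:.1f}/s)")
    print(f"out-of-window share: {out_of_window_ratio(SNAP_BEFORE, SNAP_AFTER):.2%}")
```

Taking one snapshot with the device inline and idle and another during a slow HTTP transfer makes the growth of the drop counter easy to attribute to that transfer.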