PA-820 Terrible throughput

JCRUM12
L1 Bithead

Hi All,

 

I have a PA-820 running 10.0.3. Lately my main connection was a DSL connection that limited me to 12/1 (on a perfect day). However, I finally got on to the Starlink Beta, hung the dish and started getting items set up. When I pass any traffic through the PA, I am limited to <14 Mbps down, <1 Mbps up. I have a very simplistic rule set, no decryption, no QoS, just straightforward routing and policies. If I directly connect (my computer) to Starlink, I easily hit 150 Mbps. When I go through the PA, I get 1/10th or less of that. I've tried placing a router between the PA and Starlink. I've tried setting all port speeds and duplex (random issues people have alluded to with PAs in the past). I just cannot seem to find out why the PA is limiting me so severely.

Has anyone else come across a PA that just didn't come close?
I just rebooted it and am pulling the system statistics:

 

Device is up : 0 day 0 hour 32 mins 5 sec
Packet rate : 1878/s
Throughput : 14050 Kbps
Total active sessions : 189
Active TCP sessions : 139
Active UDP sessions : 35
Active ICMP sessions : 14

 

This is basically the cap and I cannot seem to go above it. 


Accepted Solutions
JCRUM12
L1 Bithead

I wanted to put a resolution in the event anyone else comes across this strange behavior.
The issue I ended up having was a conflict between a router and the firewall. If I went through the router and bypassed the PA, I had no traffic limitations. If I went through the PA directly and bypassed the router, I had no traffic limitations. However, when going through the router AND the PA, I had major traffic limitations. I could never go over 12 Mbps.

I'll need to set the router up on a side port so I can do further testing to find out WHY, but so far taking it out of the path was the "fix".
I guess this one boils down to network gear compatibility. 


All Replies
reaper
L7 Applicator

See if there are a lot of errors on your interface:

> show interface ethernet1/x

Double-check that you're not somehow applying QoS:

> show running qos-policy

See if there are any peculiar drop counters (there could be asymmetry or other weird behavior the firewall identifies as suspicious and discards):

> show counter global filter severity drop delta yes

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
JCRUM12
L1 Bithead

Hello Reaper and thanks for responding.

 

Interface doesn't show "a lot" of errors, or at least a level that would concern me out of the gate:
Before test (int1/3)

Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 311888391
bytes transmitted 52743804
packets received 281885
packets transmitted 197988
receive incoming errors 0
receive discarded 0
receive errors 289
packets dropped 0
--------------------------------------------------------------------------------

Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 311866513
bytes transmitted 52743804
packets received 281596
packets transmitted 197988
receive errors 0
packets dropped 1472

 

 

After test (speed test)(int1/3)

Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 337725866
bytes transmitted 56238577
packets received 303520
packets transmitted 212522
receive incoming errors 0
receive discarded 0
receive errors 306
packets dropped 0
--------------------------------------------------------------------------------

Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 337702968
bytes transmitted 56238577
packets received 303214
packets transmitted 212522
receive errors 0
packets dropped 1575

 

QoS policy comes up nil:

admin@PA-820> show running qos-policy

admin@PA-820>

 

Peculiar drop filters:

Global counters:
Elapsed time since last sampling: 178.547 seconds

name                    value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
flow_rcv_dot1q_tag_err     54     0  drop      flow      parse    Packets dropped: 802.1q tag not configured
flow_no_interface          54     0  drop      flow      parse    Packets dropped: invalid interface
flow_policy_deny           71     0  drop      flow      session  Session setup: denied by policy
flow_tcp_non_syn_drop      38     0  drop      flow      session  Packets dropped: non-SYN TCP without session match
flow_fwd_l3_bcast_drop     25     0  drop      flow      forward  Packets dropped: unhandled IP broadcast
flow_fwd_ip_df_drop         4     0  drop      flow      forward  Packets dropped: exceeded MTU but DF bit present
flow_host_service_deny      4     0  drop      flow      mgmt     Device management session denied
--------------------------------------------------------------------------------
Total counters shown: 7
--------------------------------------------------------------------------------

 

The values 'seem' low to me, but I've not looked into these metrics before on the PA.

I appreciate your assistance as well as this is very perplexing. Out of the dozens of PA's I've installed in the past, this is the first time I've ever run into something like this. 

 

J
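
Added example (not part of the original thread): the before/after comparison in the post above, done mechanically by parsing two `show interface` snapshots and computing how much each counter grew during the test. The counter values are an excerpt of those quoted in the post; the function names are this example's own.

```python
import re
# Excerpt of the ethernet1/3 counters quoted in the post above.
BEFORE = """Hardware interface counters read from CPU:
packets received 281885
receive errors 289
packets dropped 0
Logical interface counters read from CPU:
packets received 281596
receive errors 0
packets dropped 1472"""
AFTER = """Hardware interface counters read from CPU:
packets received 303520
receive errors 306
packets dropped 0
Logical interface counters read from CPU:
packets received 303214
receive errors 0
packets dropped 1575"""

SECTION = re.compile(r"^(Hardware|Logical) interface counters")
COUNTER = re.compile(r"^(\D+?)\s+(\d+)$")

def parse_counters(text):
    """Map (section, counter name) -> value; separator lines are ignored."""
    section, counters = None, {}
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1).lower()
        elif section and (m := COUNTER.match(line)):
            counters[(section, m.group(1))] = int(m.group(2))
    return counters

def counter_deltas(before, after):
    """Increase of every counter present in both snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    deltas = {key: a[key] - b[key] for key in a.keys() & b.keys()}
    if any(v < 0 for v in deltas.values()):
        raise ValueError("counter decreased: cleared or rebooted between snapshots")
    return deltas

def per_10k_packets(deltas, section, name):
    """Counter increase per 10,000 packets received in the same section."""
    received = deltas[(section, "packets received")]
    return round(10000 * deltas[(section, name)] / received, 1) if received else 0.0

if __name__ == "__main__":
    d = counter_deltas(BEFORE, AFTER)
    print("hardware receive errors per 10k:", per_10k_packets(d, "hardware", "receive errors"))
    print("logical drops per 10k:", per_10k_packets(d, "logical", "packets dropped"))
```

Normalizing by packets received makes snapshots taken over different intervals comparable.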

 
