01-25-2023 07:29 AM - edited 01-25-2023 07:51 AM
I recently installed a new pair of PA3220s at one of our international remote offices in India to serve as basic Internet Edge Firewalls that are linked to a 300mbps internet circuit. The PA's have 2x Portchannel links each with sub-interfaces that terminate down to 2x C9300 Layer 2 Core switches ( Core A and Core B), and from there, we have about three access switches that each has a leg to Core A and Core B (with Core B leg being blocked due to STP ofc). The issue here is that 4 weeks into the network being deployed, users are just now mentioning that video-streaming, audio-calls, web-browsing, etc. are working just fine with no issues. However,,, when they try to download any file i.e Ubunutu .iso, Wireshark, O365, etc it could take them 3-4 hours to complete via wired or wireless and have to instead go home to complete the install. The mention that it is downloading files is where they have slowness but everything else is completely fine..... the also provided my local speed test that show them getting 230Mbps Down and 250 UP. Originally I thought that maybe my "File-Blocking Profile" could be interfering with this file download issue and had removed it from my "Allow-to-Internet" Security Rule,, but it does not seem that did anything as file downloads are still slow... I also created a Host/32 specific Internet-Allow-Out Security Rule to allow a specific host to go out to the internet with no security profiles attached to the rule and moved that rule all the way to the top (to rule out issues with my other security rules/security profiles), but still, the file downloads were very slow... I am a bit confused about what exactly could make file downloads so slow but allow everything else to run smoothly. My next step would be to test downloads when directly behind the provider's circuit to see if the issue still follows, but I find it hard to believe that the provider's end could cause this very specific issue with just "file downloads".. Any advice?
Regarding Configurations and Specifications on Firewall:
- We are not doing SSL Decryption
- Data Plane if : 0-9% (varies throughout the day)
- We are not doing QoS
- The Office is barely utilizing the network at the moment as everyone is still working from home. Only a few users work inside the office.
EDIT: Just had the user test directly on the provider Internet Circuit and tests were very fast, so there is definitely something going on the Firewall.
02-04-2023 06:37 PM
It seems that I just made a stupid error; my SYD-Flood activate rate was set to 0.... After setting it to the correct rate number, the issue was resolved. Thanks, everyone for the support.
01-25-2023 07:22 PM
Try to this Link.
When I enabled this command solv my issues with Office 365 install process.
set deviceconfig setting ctd skip-block-http-range yes
01-25-2023 08:09 PM
Have you verified speed/duplex settings across all interfaces? It's possible you have something set incorrectly (or negotiating incorrectly) and that MTU is correct? These would become more readily apparent with larger data transfers and would cause slow file downloads with everyday traffic not being largely affected.
01-26-2023 12:19 AM
I am facing the exact same issue with a HA(Active-Standby) 3220 running version 9.1.10. We have extremely good streaming speeds but our download speed is badly affected. Our internet speed is 500Mbps.
I have checked the speed and MTU as you mentioned and it is as mentioned below for all interfaces. Further, on one 10G interface it shows the same while showing the correct speed(10000).
Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/up
Interface MTU 1500
Further, I have run multiple iterations of testing and can confirm that we do not use SSL-Decrytion, QOS or Zone-Based protection.
Although, based on discusions with fellow engineers, we are inclining on the option of enabling QOS as it might be that which is causing uneven allocation of bandwidth. Do you agree with this point?
I would really appreciate if you can provide some insight into this issue as it has led to dissatisfaction from the customers end.
Aamir A Jan
02-01-2023 02:46 AM
Is it possible for you to have a DOS protection profile or a zone protection profile that is dropping some packets causing TCP retransmits and slowing the traffic or also check the CPU and memory (data plane/control plane memory) on the firewall during slowness as maybe you have a cpu or memory leakage bug?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!