Slow File Downloads over a new PA3220


L1 Bithead

I recently installed a new pair of PA3220s at one of our international remote offices in India to serve as basic Internet Edge Firewalls that are linked to a 300 Mbps internet circuit. The PAs have 2x Portchannel links, each with sub-interfaces that terminate down to 2x C9300 Layer 2 Core switches (Core A and Core B), and from there we have about three access switches that each have a leg to Core A and Core B (with the Core B leg being blocked due to STP ofc).

The issue here is that 4 weeks into the network being deployed, users are just now mentioning that video streaming, audio calls, web browsing, etc. are working just fine with no issues. However, when they try to download any file, i.e. Ubuntu .iso, Wireshark, O365, etc., it could take them 3-4 hours to complete via wired or wireless, and they have to instead go home to complete the install. They mention that downloading files is where they have slowness but everything else is completely fine. They also provided me a local speed test that shows them getting 230 Mbps down and 250 up.

Originally I thought that maybe my "File-Blocking Profile" could be interfering with this file download issue and had removed it from my "Allow-to-Internet" Security Rule, but it does not seem that did anything, as file downloads are still slow. I also created a Host/32 specific Internet-Allow-Out Security Rule to allow a specific host to go out to the internet with no security profiles attached to the rule and moved that rule all the way to the top (to rule out issues with my other security rules/security profiles), but still, the file downloads were very slow.

I am a bit confused about what exactly could make file downloads so slow but allow everything else to run smoothly. My next step would be to test downloads when directly behind the provider's circuit to see if the issue still follows, but I find it hard to believe that the provider's end could cause this very specific issue with just "file downloads". Any advice?

Regarding Configurations and Specifications on Firewall:

- We are not doing SSL Decryption

- Data Plane if : 0-9% (varies throughout the day)

- We are not doing QoS

- The Office is barely utilizing the network at the moment as everyone is still working from home. Only a few users work inside the office.

 

EDIT: Just had the user test directly on the provider Internet Circuit and tests were very fast, so there is definitely something going on the Firewall.


Accepted Solutions

L1 Bithead

It seems that I just made a stupid error; my SYN-Flood activate rate was set to 0. After setting it to the correct rate number, the issue was resolved. Thanks, everyone, for the support.

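A way to catch the misconfiguration from the accepted solution before users notice it is to audit an exported configuration for enabled flood-protection entries whose activate rate is 0. This is an added example, not code from the thread or from Palo Alto Networks; the XML layout, the profile name `edge-untrust` and the function name are assumptions, and the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption modeled on an
# exported firewall configuration; it is not taken from the thread.
SAMPLE_CONFIG = """
<profiles>
  <zone-protection-profile>
    <entry name="edge-untrust">
      <flood>
        <tcp-syn>
          <enable>yes</enable>
          <red><alarm-rate>10000</alarm-rate><activate-rate>0</activate-rate>
               <maximal-rate>40000</maximal-rate></red>
        </tcp-syn>
        <udp>
          <enable>yes</enable>
          <red><alarm-rate>10000</alarm-rate><activate-rate>10000</activate-rate>
               <maximal-rate>40000</maximal-rate></red>
        </udp>
        <icmp>
          <enable>no</enable>
          <red><alarm-rate>10000</alarm-rate><activate-rate>0</activate-rate>
               <maximal-rate>40000</maximal-rate></red>
        </icmp>
      </flood>
    </entry>
  </zone-protection-profile>
</profiles>
"""

def audit_flood_thresholds(xml_text):
    """Return (profile, flood type, rate) for enabled entries with activate-rate 0."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in root.iter("entry"):
        flood = profile.find("flood")
        if flood is None:
            continue
        for flood_type in flood:
            # Disabled flood types are ignored: their thresholds are not enforced.
            if flood_type.findtext("enable", default="no").strip() != "yes":
                continue
            for rate in flood_type.iter("activate-rate"):
                text = (rate.text or "").strip()
                if text.isdigit() and int(text) == 0:
                    findings.append((profile.get("name"), flood_type.tag, 0))
    return findings

if __name__ == "__main__":
    for name, flood_type, rate in audit_flood_thresholds(SAMPLE_CONFIG):
        print(f"{name}: {flood_type} activate-rate is {rate}")
```
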

8 REPLIES 8

L4 Transporter

Hello @Carson1998

Try this link.

Enabling this command solved my issues with the Office 365 install process.

set deviceconfig setting ctd skip-block-http-range yes

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjPCAW#:~:text=http%2Dran...

Cheers

High Sticker

Cyber Elite

@Carson1998,

Have you verified speed/duplex settings across all interfaces, and that MTU is correct? It's possible you have something set incorrectly (or negotiating incorrectly). These would become more readily apparent with larger data transfers and would cause slow file downloads with everyday traffic not being largely affected.

Hello,

I am facing the exact same issue with an HA (Active-Standby) 3220 running version 9.1.10. We have extremely good streaming speeds but our download speed is badly affected. Our internet speed is 500Mbps.

I have checked the speed and MTU as you mentioned and it is as mentioned below for all interfaces. Further, on one 10G interface it shows the same while showing the correct speed (10000).

Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/up

Interface MTU 1500

Further, I have run multiple iterations of testing and can confirm that we do not use SSL-Decryption, QOS or Zone-Based protection.

Although, based on discussions with fellow engineers, we are inclining toward the option of enabling QOS, as it might be that which is causing uneven allocation of bandwidth. Do you agree with this point?

I would really appreciate it if you can provide some insight into this issue, as it has led to dissatisfaction from the customer's end.

Thank you!

Aamir A Jan

 

L6 Presenter

Is it possible that you have a DOS protection profile or a zone protection profile that is dropping some packets, causing TCP retransmits and slowing the traffic? Also check the CPU and memory (data plane/control plane memory) on the firewall during slowness, as maybe you have a CPU or memory leakage bug.

Hello Nikoolayy1,

Thanks for your reply.

Please be informed, we do not use Zone Protection Profile or DOS protection on the PA.

Further, the firewall has been stable during peak hours and outside it with the sessions and the CPU being within normal limits.

Regards

Aamir A Jan

Hello Folks,

Just wanted to update this post. The issue had nothing to do with the PA in our case.

It turned out to be the ISP's firewall's IPS engine that was causing the slow downloads.

Thank you for your inputs, they directed us in the right direction.

Aamir

But you were not using Zone Protection or DOS protection 🙂
