06-23-2011 02:37 AM
Hello all.
I had a chance to demo for a prospective customer, and the PA was installed in the customer’s real network in V-wire mode.
After installation, I ran speed tests using speed test sites.
Upload was OK, but download speed was degraded. (I tested on firmware 3.1.9 and 4.0.1, but both results were the same.)
All of the VWire interfaces' speed/duplex settings were on auto-negotiation, and the interfaces were established at 1000M/full duplex.
Please let me know how to resolve this, if anyone has had a similar experience.
Eugene.
06-30-2011 01:55 AM
I tested on PA 3.1.9, 4.0.1 and 4.0.3 with Anti-virus and anti-spyware profiles, but the results were the same.
If the PAN is put into the customer's network, speed is degraded on PAN 3.1.9, 4.0.1 and 4.0.3.
I think it is not a problem with the PAN-OS version.
Thanks,
06-30-2011 05:59 PM
Eugene,
Have you checked the switches for speed and duplex mismatch errors?
What speeds does the report give if done in front of the Palo Alto?
Thanks
James
07-05-2011 10:08 PM
Hello James,
A 'show interface all' from the CLI will show you the current, negotiated speed/duplex settings on the PAN. Could we also verify that all appears well on the switch uplinks (speed/duplex, errors, resets, etc.)? Both the FW & the switch will either need to be configured as Auto/Auto or hardcoded as well, otherwise potential duplex mismatches could occur. (Both ends of the Vwire should be negotiating at the same speed.)
Have you attempted a baseline speed test for comparison prior to implementing any type of security profiles?
Running the following command from the CLI will also give you an idea of CPU load, etc., associated with the dataplane during various intervals: show running resource-monitor
Assuming heavy load as well as potentially high dataplane resource utilization, if possible (preferably during a maintenance window & confirming that interface/switchport issues were not the culprit), can you please apply the following change to your Vwire security policies?
Select 'Options' at the far right of the policy & check the option for 'Disable Server Response Inspection'. Commit & attempt your download tests. (Though you could probably give this option a test regardless & compare performance)
Description below:
Disable Server Response Inspection:
To disable packet inspection from the server to the client, select this check box. This option may be useful under heavy server load conditions.
Regards,
Bryan