the problem of Download speed degradation on Vwire mode

Reply
Highlighted
L3 Networker

the problem of Download speed degradation on Vwire mode

Hello all.

I had a chance to demo for prospective customer and PA was installed at customer’s real networks with V-wire mode.

After installed I tried to speed test using speed test sites.

Upload was ok, but download speed was degradation. (I tested at firmware 3.1.9 and 4.0.1, but both results were same.)

All of VWire interfaces speed/duplex were in Auto-negotiation, and interfaces were established with 1000M/full duplex.

Please let me know that resolve way, if someone who has similar experience.

Eugene.

Highlighted
L4 Transporter

Re: the problem of Download speed degradation on Vwire mode

Eugene,

Can you test with 4.0.3? Also without the PAN, what speeds are you getting?

Thanks

Highlighted
Not applicable

Re: the problem of Download speed degradation on Vwire mode

I had the same problem with threat profiles active (20Mbit/s max on a 2020) that gone with 4.0.3.

Regards,

Riccardo

Highlighted
L3 Networker

Re: the problem of Download speed degradation on Vwire mode

I tested at PA 3.1.9, 4.0.1 and 4.0.3 with Anti-virus and anti-spyware profiles, but results were same.

if put into PAN in customer's networks, speed was degradation at PAN3.1.9, 4.0.1 and 4.0.3.


i think it is not a problem of PAN-OS version.

Thanks,

Highlighted
L4 Transporter

Re: the problem of Download speed degradation on Vwire mode

Eugene,

Have you checked the switches for speed and duplex mismatch errors?

What speeds does the report give if done in front of the  Palo Alto?

Thanks

James

Highlighted
L3 Networker

Re: the problem of Download speed degradation on Vwire mode

Hello James,

A 'show interface all' from CLI will show you the current, negotiated speed/duplex settings on the PAN. Could we also verify that all appears well on the switch uplinks as well (speed/duplex, errors, resets, etc...). Both the FW & the switch will either need to be configured as Auto/Auto or hardcoded as well, otherwise potential duplex mis-matches could occur. (Both ends of the Vwire should be negotiating at the same speed)

Have you attempted a baseline speed test for comparison prior to implementing any type of security profiles?

Running the following command from CLI will also give you an idea of CPU load, etc... associated with the Dataplane during various intervals: show running resource-monitor

Assuming heavy load as well as potentially high dataplane resource utilization, If possible (preferably during a maintenance window & confirming that interface/switchport issues were not the culprit), can you please apply the following change to your Vwire security policies?


Select 'Options' at the far right of the policy & check the option for 'Disable Server Response Inspection'. Commit & attempt your download tests. (Though you could probably give this option a test regardless & compare performance)


Description below:


Disable Server Response Inspection:
To disable packet inspection from the server to the client, select this check box. This option may be useful under heavy server load conditions.

Regards,


Bryan

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!