Forum Discussion

Scott_85950
Jun 17, 2008

Firepass is SLOW! Cisco Config Issue - 6.0.2_5

Hi Peeps,

We've been battling an unacceptably slow Firepass (4300 /1200) for over four months. Initially, we only had Outlook Web Access published and it was still slow, even with less than 30 concurrent users. We even switched all Firewall configs from Proxy Rule to Packet Filter, and still no difference.

"SOL7272" explains that latency due to communicative interaction with Cisco switches / routers was resolved on the Firepass release 6.0.1. After some tweaking with our network guys, we were able to see that the actual Cisco config was the issue even though all other servers and services were unaffected.

So, if your Firepass is slow... if you set the Eth1.x interfaces to AUTO and the Cisco devices to AUTO, the problem went away and we were able to finally see that CRC errors were eliminated when sniffing the interface as well. Our network normally runs efficiently at a duplex setting of 100 Full.

I hope that helps anyone!

Scott
  • Hi Scott,

    I am interested in this as I have a FirePass deployment running 6.0.2 that has some minor performance issues.

    The FirePass 4100 controllers (in a HA pair) are configured for 100/Full Duplex and so is the Cisco Switch. We are not seeing any CRC errors in the switch log but Web Applications are slow compared to a legacy FirePass solution.

    Did F5 confirm to you that the issue still exists in version 6.0.2?

    Cheers,

    Chris.
  • Hi Guys,

    If I had a dollar for the number of times I've seen FirePass performance issues which came down to mis-matched link speed and duplexing between the FirePass and the switch I'd be a rich man. By default, all FirePass network ports are set to "Auto" and depending on which RFC you read different vendors will 'default' to a different 'Auto' configuration. The only 'Auto negotiation' I've seen work reliably is GigE ports on both the FirePass (4100/4300) and the switches. So if this isn't your environment I'd strongly recommend hard setting both ends to be the same (set the FirePass to 100Mb/Full Duplex and the switch the same - for example). I even had one time where I did this on a FirePass 4300 with a Nortel switch and the FirePass still came up at 100Mb Half Duplex cause the Nortel switch was doing some whacky stuff so the point is even after you configure it - go back and check!

    The other things to look for in regards to FirePass performance are caching and compression. As a rule of thumb, caching is generally good and compression is generally bad. Depending on what you're using FirePass for (Network Access, Application Access, etc) try messing about with the compression and/or caching settings to see if that helps. Generally, these should only be an issue if you're CPU bound (check the CPU load graphs on the device or via SNMP monitoring if you have it set up).

    Hope this helps you out.

    Cheers,

    Mal