
Prioritizing Traffic on PIX

bronx (Member, 19 posts)
Hey guys (off topic, of course...), does anyone know how to make sure that a certain service on a particular port (443 in this case) gets priority? I have this problem at work with users complaining that the secure sites are taking ages to download, which is affecting online transactions. I am using a PIX 506E.
___
THE BIGGEST RISK IN LIFE IS NOT TAKING ONE

Comments

  • GT-Rob (Member, 1,090 posts)
    Is QoS available on the pix?


    What code are you running?
  • bronx (Member, 19 posts)
    These are the details of the PIX
    _______________________
    policeman# sh ver

    Cisco PIX Firewall Version 6.1(4)
    Cisco PIX Device Manager Version 1.1(2)

    Compiled on Tue 21-May-02 08:40 by morlee

    policeman up 237 days 23 hours

    Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
    Flash E28F640J3 @ 0x300, 8MB
    BIOS Flash AM29F400B @ 0xfffd8000, 32KB

    0: ethernet0: address is 000d.29e1.598e, irq 10
    1: ethernet1: address is 000d.29e1.598f, irq 11

    policeman# sh flash
    flash file system: version:2 magic:0x12345679
    file 0: origin: 0 length:2494520
    file 1: origin: 2621440 length:6705
    file 2: origin: 2752512 length:3548
    file 3: origin: 2883584 length:3528136
    file 4: origin: 8257536 length:280
    policeman#
    ___
    THE BIGGEST RISK IN LIFE IS NOT TAKING ONE
  • APA (Member, 959 posts)
    I'm certain the PIX series does not support traffic prioritization policies.

    Could you give us more insight into what your users are experiencing? It may not be a QoS issue.

    Do they sit behind a proxy server (ISA, WebMarshal, etc.)?
    Are you graphing your internet bandwidth usage? If yes, what are you seeing? Is the link being maxed out?

    Have you tested this from outside your network to ensure it isn't a website issue?

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • bronx (Member, 19 posts)
    Good point there. My traffic shaping is normal. I have tried to check B/W utilization at the point that the user is doing a transaction, and it is in fine shape. We do have ISA 2000 running on our network, and I can check from that point whether it might be causing the problem. The thing is, the bank says we are their only client complaining about the slowness of the site; all their other clients are fine. The bank ended up saying I should try traffic prioritization.

    I am doing some research, and whatever my findings are, I will let you know.
    ___
    THE BIGGEST RISK IN LIFE IS NOT TAKING ONE
  • mikearama (Member, 749 posts)
    You can prioritize traffic on a PIX, just like a router... it just has to be done from the CLI/MQC, there's no provision in the PDM.

    And it's identical in structure to doing it on a router... create the classes, assign to a policy and define actions, and then assign policy to the interface.

    By the way, according to what I've read from cisco, best practice is to put QoS on the router that typically sits in front of a PIX, if available, and not on the PIX. However, it is possible to do both if the PIX appears to be a bottleneck.

    Here's a link that may prove useful:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • bronx (Member, 19 posts)
    That's great. OK, now I am going to try out all the available options as per your suggestions. Thanks, guys.
    ___
    THE BIGGEST RISK IN LIFE IS NOT TAKING ONE
  • APA (Member, 959 posts)
    Yeah, that's the old-school priority queue, which is susceptible to starving lower-priority queues, as it services only the priority queue as long as there are packets in that queue.

    Even though it does allow the class-maps to use the priority command, you cannot set a specific bandwidth parameter, so as long as there is traffic it will forget about the lower queues.

    You are correct about only being able to do this via CLI, however, and also about the best practice of marking before the firewall via a router.

    bronx - if the link is not congested, prioritizing the traffic is not going to affect the speed issues you are having with the website, as QoS is used to ensure a higher level of service for the specified traffic when the link is congested.

    Have you tested other HTTPS (443) websites to see whether they are slow as well?

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
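As an added example (not posted by anyone in this thread and not copied from the linked Cisco document), here is the MQC-style structure Mike describes, with APA's strict-priority caveat written into the comments. It assumes a PIX running 7.x code: the class-map/policy-map/service-policy syntax and the priority command do not exist in 6.x, and the PIX 501 and 506E never received 7.x code, so on the 6.1(4) 506E whose `sh ver` appears above this cannot be configured at all. The interface name `outside` and the ACL, class and policy names are assumptions.

```cisco
! Added example for a PIX/ASA on 7.x code (not available on 6.x).
! Assumed names: interface "outside", ACL HTTPS_OUT, class HTTPS, policy OUTSIDE_QOS.
!
! What to match: TCP to port 443 leaving through the outside interface.
access-list HTTPS_OUT extended permit tcp any any eq 443
!
! 1. Create the class (what to match).
class-map HTTPS
 match access-list HTTPS_OUT
!
! 2. Create the policy and define the action for the class.
!    "priority" is strict low-latency queuing: the class is served ahead of
!    everything else whenever it holds packets, and it takes no bandwidth
!    argument, so a burst of port-443 traffic can starve the default queue.
policy-map OUTSIDE_QOS
 class HTTPS
  priority
!
! 3. Apply the policy to the interface. The priority queue must also be
!    enabled on that interface, otherwise "priority" has no effect.
service-policy OUTSIDE_QOS interface outside
priority-queue outside
!
! Verification (run from enable mode):
! show service-policy priority
! show priority-queue statistics outside
```

Two practical notes. First, the queue acts on packets leaving the interface it is enabled on, so this only speeds up the client-to-bank direction when the PIX's own outside link is the bottleneck; the large downloads the users complain about arrive from the bank and are queued upstream at the ISP or router before the PIX ever sees them, which is exactly why the thread ends up putting QoS on the router rather than the firewall. Second, since there is no bandwidth parameter on the priority class, matching on a broad port such as 443 means any HTTPS flow, not just the bank's, gets strict priority; narrowing the ACL to the bank's address range is the usual mitigation.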
  • GT-Rob (Member, 1,090 posts)
    Prioritization technically comes in before full congestion, as it moves packets to serialization ahead of other packets.

    However, HTTPS traffic is not delay-sensitive, so if you are ONLY feeling the slowness on 443, and everything else is fine, I would guess your problem is somewhere else. I'm not saying you can't try it, but I doubt it will make a noticeable difference.


    Maybe something with end user settings? Proxy? **** users? :P
  • bronx (Member, 19 posts)
    A.P.A wrote:
    > bronx - if the link is not congested, prioritizing the traffic is not going to affect the speed issues you are having with the website, as QoS is used to ensure a higher level of service for the specified traffic when the link is congested.
    >
    > Have you tested other HTTPS (443) websites to see whether they are slow as well?

    I think I have learnt something here. I never knew that prioritizing only came in handy when the link was congested. In that case, I will be looking at other possible causes, such as the ISA 2000 on our network. Of course, I have tried other secure links and they have been behaving the same way. Right now I am making some changes on the ISA, and then I will monitor the changes. Then I will try something on the router. As someone suggested, making a change on the firewall might not be of much help, as it sits inside our LAN, but internet traffic comes in through our router. So, I will make the changes on the router and not the firewall.

    This kind of help is really great. I have gotten to learn something even if nothing goes positive after the changes.
    ___
    THE BIGGEST RISK IN LIFE IS NOT TAKING ONE