Sunday, June 6, 2021

Unidirectional throughput issues with two firewalls combined

Bear with me....

So we have throughput issues in one direction and only if traffic passes _two_ firewalls.

iperf shows TCP throughput dropping from the nominal 930 Mbps to less than 600 Mbps on the _outgoing_ flows from the server.

In the experiment in the diagram, the machines are VMs but it doesn't matter, the effect is the same when using a different physical destination.

Legend:

* fat lines: 10G links

* thin lines: 1G links

* dotted lines: deactivated for test

* red line: traffic flow

Facts:

* Throughput from the server to a machine located behind FW1 but not going through FW2 => Ok

* Throughput from a machine located between FW1 and FW2 to a machine behind FW2 => Ok

* Throughput from the server to a machine located behind FW2 => NOT OK

When we force Link 1A to 1Gbps then throughput is ok. It thus seems that some traffic mgmt is in order. However, I have yet to determine what exactly is going on, e.g. what buffers are overflowing... Why do we see this only when both firewalls are involved!!?? If the traffic funnel at FW1 is the reason, then it should be going downhill from there and not only FW2.

Any thoughts on the root cause, remedy, or more tests to nail this down?
