Astaro Performance vs direct connection

khardeveld · #1 (**permalink**) 06-27-2009, 09:33 AM

We are currently using Astaro 7.401. Our ISP provides a 10 Mb connection on the fiber. If I connect the original ISP router and connect that to my laptop, I get about 9Mb max both up and down (using various speedtest sites, speedtest.net e.g).

If I connect our Astaro to the fiber and open the firewall completely (allow any traffic to any) I get about the same performance down, but max 4Mb up.

If I try the same test with firewall active, using Astaro's proxy with my browser, I get a huge download (thanks to the cache), but a max 1.7Mb upload. Enabling or disabling virus checks in the HTTP proxy settings does not make a big difference.

I can't explain the difference in Up/Down. We also get user complaints who for instance are using ftp / scp /vpn connections and notice signicifant difference in download/upload speeds (upload is much slower).

Is there a way to find out what is causing this difference or a way to tweak traffic?

BAlfson · #2 (**permalink**) 06-27-2009, 05:01 PM

That seems unusual. Can you share more about your situation?

On what hardware are you running Astaro?

If you turn caching off, what do you see in download performance? What do you have in 'Local networks' in 'IPS global settings'?

Show the 'Summary' from the daily Executive Report covering the day you ran the above tests. Also, 'Top 10 Servers' and 'Connections'.

Cheers - Bob

khardeveld · #3 (**permalink**) 06-27-2009, 08:38 PM

I'm running my Astaro on an ASUS P5S800-VM with Intel PIV, 2 GB internal memory, 3 3Com 3c905C network cards (PPOE, internal and DMZ), 80GB harddisk. Dashboard shows almost no CPU acitivity during the tests, no swap and log and data disks are barely used.

Local networks in IPS global are the internal and DMS network. I tried disabling IPS, but no effect.

With cache turned of, I get a 229 ms ping (14 ms if no proxy and firewall open), 24Mb down and 1.7Mb up (9/9 with ISP router and 9/4.5 with no proxy and firewall off). I used speedtest.net for these results, other sites report about the same

Info from Executive report of today:

Summary
Top10 server
connections

Most tests were done around 10:00 am.

Thanks!

BAlfson · #4 (**permalink**) 06-28-2009, 01:04 AM

I would be interested to hear from someone at Astaro on this. If you have Astaro Support, I'd like to hear what they say about this. It just doesn't seem possible since there's so little going on when you send something out.

Billybob · #5 (**permalink**) 06-28-2009, 02:04 AM

The IDS throughput won't be a factor at these speeds. Netfilter (firewall) with advanced routing rules can run multiple gigabit interfaces without breaking a sweat. I would think its a hardware issue but I would double check my cables also. It seems that your cards are in the HCL for astaro 7 but most people start with NIC cards when troubleshooting.

Make sure you dont' have QoS turned on on any interface then under packet filter-->advanced-->enable tcp window scaling.

Now, add speakeasy.net in your skip av http exceptions list for http proxy so you can get some kind of realistic reading when using proxy and then test at speakeasy.net/speedtest. Good luck...

My 2 tests on a 10mb dsl line ppoe with IPS on for both and proxy enabled for the first and disabled for the second.

BAlfson · #6 (**permalink**) 06-28-2009, 04:04 AM

Still, I'd like to understand why.

khardeveld · #7 (**permalink**) 06-29-2009, 08:25 AM

Quote:

Originally Posted by Billybob

I would think its a hardware issue but I would double check my cables also. It seems that your cards are in the HCL for astaro 7 but most people start with NIC cards when troubleshooting.

That's one of the things I wil be trying next weekend (It's a production firewall). I checked HCL before installing, but still it could be a bad chip..

Quote:

Originally Posted by Billybob

Make sure you dont' have QoS turned on on any interface then under packet filter-->advanced-->enable tcp window scaling.

Now, add speakeasy.net in your skip av http exceptions list for http proxy so you can get some kind of realistic reading when using proxy and then test at speakeasy.net/speedtest. Good luck...

QoS is turned off. I will try the speakeasy.net, but since we get the same performance issues with scp or vpn connections, I will also try to log a call with Astaro

khardeveld · #8 (**permalink**) 07-01-2009, 08:16 PM

Did some test on my home astaro, and this time the only difference between proxy, no proxy and direct connection is minimal. Virus checks don't make any difference, like I would expect after your commens...

Speakeasy test gave much slower results, but then there is a whole ocean between me and Dallas

So I'm starting to suspect hardware issues, like BillyBob suggested. I'll replace the NIC's coming Saturday, see how that works.

The only thing I can't explain is the fact that download speeds with proxy are way faster then with direct connection, even with cache off and cleared. Any ideas ?

BAlfson · #9 (**permalink**) 07-01-2009, 09:14 PM

Quote:

The only thing I can't explain is the fact that download speeds with proxy are way faster then with direct connection, even with cache off and cleared. Any ideas ?

If the test gives impossible results, there must be a problem with the test?

William · #10 (**permalink**) 07-03-2009, 01:54 AM

clear your borwser cache and restart the browser after EVERY test so you don't get a cached result