OK. Here is a really good post from Firewall-Wizards mail list
I'm having some issues with FTP traffic through our Cisco PIX 515E.
Our corporate FTP server is located outside the firewall, and we recently upgraded the FTP server software. This resulted a noticeable increase in the speed uploading files to the server (5 MB/s+). However when attempts were made to download files from the server speeds average about 300 KB/s, rapidly fluctuating between 30KB/s and 600 KB/s. Downloading the same file to a server outside our firewall resulted in speeds of about 6MB/s.
Looking at the firewall: the default inspection scheme is enabled, and the FTP inspection is turned on. The FTP server requires active transfer mode, and everything works, albeit slowly. After turning off FTP inspection connections to the FTP server did not work until enabling passive mode, but that didn't change the speeds at all.
I should probably also mention that the PIX is not doing any NAT. All the workstations and servers here have Internet routable IP addresses (206.75.x.x).
A really good answer:
Many years ago we had a similar problem. Traffic moving one way (I forget if it was uploads or downloads) After weeks of troubleshooting, I inspected and replaced the network cable. Turns out one wire wasn't making complete contact and the slow speed was actually the result of retransmitting bad packets.
Recently we had a similar problem with traffic in both directions. Completely random. We replaced the firewall, server, etc. We were running a wireless T1. The internet provider insisted that the connection tested fine. Throughout the spring the problem became worse until one (windy) day last week when our connection became unusable. The internet provider came out and discovered trees had grown about 1/2 mile away in the path of the wireless tower. Over the spring the leaves grew in and on windy days caused havoc on the TCP transmissions.
Both incidents taught me never to rule out the lower layers when it comes to networking.
We used packet captures in both cases during the troubleshooting process.
The Firewall Wizards Archive