https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644928#M1091638 Hi,<BR /><BR />So to confirm, hops 7 and 8 are directly connected using ethernet cable<BR />(i.e no L2 network between them or ISP is not hiding IPs).? This is<BR />important to confirm cuz you might be having another network in between or<BR />a microware link for example which can add latency.<BR /><BR />Next, if FTD CPU is high, it can cause slowness and its important to know<BR />why a single CPU is at high usage continuously (you might be having an<BR />elephant flow which is constantly inspected by FTD such as backup).<BR /><BR />Here is a good resource for troubleshooting.<BR /><BR /><A href="https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3121.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3121.pdf</A><BR /><BR />**** please remember to rate useful posts<BR /> Wed, 06 Jul 2022 11:18:45 GMT Mohammed al Baqari 2022-07-06T11:18:45Z https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644664#M1091622 <P>Multiple users have recently reported connection slowness to an APP VM that they have access to through an FTD HA Pair in our Colo DC. After running a trace from their access switch to the server that sites behind the firewall, I noticed that while going through the egress interface of the FTD alone is around 75ms on average. We do not do any heavy L7 packet inspection, just L3/L4 Security Rules, so I am a bit confused about the reason for the high latency. Is this latency time normal to see on an FTD? Is there any possible way to work to bring this time down? Thanks.</P> <P>&nbsp;</P> <P>1 172.30.254.70 2 msec<BR />172.30.254.68 2 msec<BR />172.30.254.70 2 msec<BR />2 172.30.254.0 2 msec<BR />172.30.254.2 3 msec<BR />172.30.254.0 1 msec<BR />3 172.30.211.253 2 msec 3 msec 1 msec<BR />4 172.30.77.10 1 msec 2 msec 1 msec<BR />5 10.62.250.153 4 msec 4 msec 4 msec<BR />6 10.251.5.106 [MPLS: Label 24369 Exp 0] 5 msec 5 msec 5 msec<BR />7 10.251.15.113 4 msec 4 msec 4 msec<BR /><STRONG>8 10.93.16.1 76 msec 75 msec 78 msec&nbsp; &nbsp; FTD EGRESS INTERFACE (NEXT HOP SERVER)</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>UPDATE:&nbsp;</STRONG>I have noticed that within FMC, the CPU0 is currently sitting around 85-90%. Could this be a legit reason for the high latency? If so, could a possible reboot solve this? Thanks.</P> Tue, 05 Jul 2022 23:34:15 GMT https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644664#M1091622 CarsonDavis56998 2022-07-05T23:34:15Z https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644870#M1091635 <P>even though you not using the L7 inspection on FTD but by default if no rules are configured the default policy kicks in. what you can do is create a L7 ACP rule and put the server and user in "Trust". by doing this FTD will not do a default policy check.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html" target="_self">Here</A>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="trust.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/155247i0B524617A4735070/image-size/large?v=v2&amp;px=999" role="button" title="trust.PNG" alt="trust.PNG" /></span></P> Wed, 06 Jul 2022 09:05:28 GMT https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644870#M1091635 Sheraz.Salim 2022-07-06T09:05:28Z https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644928#M1091638 Hi,<BR /><BR />So to confirm, hops 7 and 8 are directly connected using ethernet cable<BR />(i.e no L2 network between them or ISP is not hiding IPs).? This is<BR />important to confirm cuz you might be having another network in between or<BR />a microware link for example which can add latency.<BR /><BR />Next, if FTD CPU is high, it can cause slowness and its important to know<BR />why a single CPU is at high usage continuously (you might be having an<BR />elephant flow which is constantly inspected by FTD such as backup).<BR /><BR />Here is a good resource for troubleshooting.<BR /><BR /><A href="https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3121.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3121.pdf</A><BR /><BR />**** please remember to rate useful posts<BR /> Wed, 06 Jul 2022 11:18:45 GMT https://community.cisco.com/t5/network-security/questionable-ftd-egress-latency/m-p/4644928#M1091638 Mohammed al Baqari 2022-07-06T11:18:45Z