topic Re: AIP-SSM 20 Throughput in Network Security

AIP-SSM 20 Throughput

msdesai — Sun, 10 Mar 2019 11:17:05 GMT

Hi,

We are in process of installing the AIP-SSM20 modules in ASA5520 (Active/passive). Currently its configured in promiscuous mode /w monitoring all the outside and dmz traffic... I have also tuned various signature to troubleshoot and increase the AIP-SSM20 throughput but I am seeing below messages randomly throughout the day:

evStatus: eventId=1218593040808071564 vendor=Cisco

originator:

hostId: caipssm01waynpa

appName: interface

appInstanceId: 340

time: Sep 03, 2008 20:19:16 UTC offset=-240 timeZone=GMT-05:00

netInterfaceMissedPacketThresholdExceeded:

description: GigabitEthernet0/1 : Missed-packet threshold was exceeded. 3% of packets were missed.

interfaceName: GigabitEthernet0/1

I was wondering if anyone had ran into this issue...

I am running 6.1.1E2 and ASA OS 7.2.1...

I appreciate any help

Thank in a advance

Re: AIP-SSM 20 Throughput

Farrukh Haroon — Thu, 04 Sep 2008 06:11:47 GMT

This is the throughput of the AIP-SSM20 on the 5520 as per Cicso:

375 (with AIP SSM-20)

You can monitor the ammount of data being sent to the IPS via snmp etc. and double check this.

Maybe you need to re-think your capture ACL used to send traffic to the IPS module.

Regards

Farrukh

Re: AIP-SSM 20 Throughput

msdesai — Thu, 04 Sep 2008 16:40:27 GMT

Thanks Farrukh for quick response.

Do you know any snmp monitoring tool that I can use to monitor the amount of data being sent to the IPS.

I don't think we are getting 375M throughput but I can't say by sure.

Thanks again

Re: AIP-SSM 20 Throughput

rhermes — Thu, 04 Sep 2008 17:38:47 GMT

I'm doubtfull that the orginal poster is running his sensor anywhere near the "offical" throughtput limit.

Cisco's IPS throughput numbers are fantasy.

With real world traffic we begin to see those missed packet percentage (along with 100% CPU utilization at about 1/3 of the Cisco rated throughput numbers. Keep in mind that Cisco always adds both directions of traffic together to get their whole number, so if they rate a SSM-20 module in a ASA 5520 for 375 Mb/s you can expect about 125 Mb/s or a little better than a DS-3 worth of IPS functionality. If you want to verify this at home, load up your sensor with some FTP sessions and see when your CPU hits 100% and you start getting missed packet % events.

Re: AIP-SSM 20 Throughput

rhermes — Thu, 04 Sep 2008 20:19:17 GMT

MRTG will work, as would any SNMP pooler.

For somthing qucik, you can use the GUI in the IDM, or pull the stats out of the CLI using the "show status analysis" and "show status interface" commands. A little math is involved in using the CLI show interface command to determine bandwidth numbers: request the stats 60 seconds apart, subtract the first B/s number from the second, devide by 60 (seconds) and multiply by 8 (Bytes to Bits)

Re: AIP-SSM 20 Throughput

msdesai — Fri, 05 Sep 2008 20:26:59 GMT

Thanks. I have configured the MRTG and monitoring the Gig0/1 interface.

Thanks again

Re: AIP-SSM 20 Throughput

msdesai — Fri, 05 Sep 2008 21:37:16 GMT

After monitoring for few hours. I am getting the Missed packets events with MRTG showing 11M traffic on Gig0/1 interface.

evStatus: eventId=1218593040808080769 vendor=Cisco

originator:

hostId: caipssm01

appName: interface

appInstanceId: 340

time: Sep 05, 2008 22:05:46 UTC offset=-240 timeZone=GMT-05:00

netInterfaceMissedPacketThresholdExceeded:

description: GigabitEthernet0/1 : Missed-packet threshold was exceeded. 14% of packets were missed.

interfaceName: GigabitEthernet0/1

MRTG Graph data:

day

Max Average Current

In 1414.9 kB/s (3.2%) 816.5 kB/s (1.9%) 1227.9 kB/s (2.8%)

Out 1415.0 kB/s (3.2%) 816.5 kB/s (1.9%) 1227.9 kB/s (2.8%)

Looks like I am not even getting 88Mbs throughput with AIP-SSM20 module.

Any recommendation?

Thanks in a advance

Re: AIP-SSM 20 Throughput

rhermes — Tue, 09 Sep 2008 17:32:17 GMT

Wow! That is a TERRIBLE performance number.

What is your CPU utilization?

If I take your MRTG peak values, I come up with 22.6 Mb/s of inspection traffic.

I assume you are using the stock Cisco signature settings. You can inprove your performance slightly by disabling the uselss noisy signatures (determined by performing analysis) and placing the sensor inside your firewall to reduce the event count. This typically does not make a significate imporvement. You will not be able to double your performance.

You DID keep your reciept for those sensors, right?

Re: AIP-SSM 20 Throughput

msdesai — Wed, 10 Sep 2008 19:56:13 GMT

Hi,

I was not monitoring the CPU usage when the inspection load hit 100%. But I will enable the CPU monitoring in MRTG. Also correct numbers for the MRTG peak are below:

The statistics were last updated Friday, 5 September 2008 at 23:40,

at which time 'caipssm01waynpa' had been up for 11 days, 5:35:38.

`Daily' Graph (5 Minute Average)

Max Average Current

In 11.9 MB/s (27.2%) 797.7 kB/s (1.8%) 337.2 kB/s (0.8%)

Out 11.9 MB/s (27.2%) 797.9 kB/s (1.8%) 337.2 kB/s (0.8%)

Which come up with 88Mbps. I have tried disabling few signature but no significant performance gain..

Yes, we do have the receipt for the sensors but we bought this more then six months ago..

I am wondering if anyone else ran into similar issue...

Thanks

Re: AIP-SSM 20 Throughput

michael.stephen — Wed, 10 Sep 2008 21:57:57 GMT

I have ASA5540 with SSM20's installed and have experienced these issues as well. The dropped packets on the int gig0/1 are definitely indicative of performance issues. Look for "total receive errors" & "total receive FIFO overruns" to also help determine if you are sending so much traffic that you are overwhelming (oversubscribing) the SSM. Cisco TAC did advise me to use ACL's to tune out any known streaming video (we have camera traffic) as well as any IPSEC (the SSM's can't do much with encrypted traffic, so might as well not send this through this inspection.) This will help some with the load, if you are running this traffic.