11-25-2008 06:32 AM
I have an ACE module where we are using HTTP inspection to add security. The current configuration for inspection is shown below.
When this configuration is enabled in the service policy, web performance slows by 100%, that is, it takes twice as long for pages to load. The home page is not very big (less than 1 MB and takes only 45 HTTP requests).
Anyone have any pointers on the reason for the delay?
class-map type http inspect match-any HTTP_INSPECT_L7CLASS
  2 match port-misuse im
  3 match port-misuse p2p
  4 match port-misuse tunneling
  5 match transfer-encoding identity
  6 match request-method ext copy
  7 match request-method ext edit
  8 match request-method ext getattr
  9 match request-method ext getattrname
  10 match request-method ext getprops
  11 match request-method ext index
  12 match request-method ext lock
  13 match request-method ext mkdir
  14 match request-method ext move
  15 match request-method ext revadd
  16 match request-method ext revlabel
  17 match request-method ext revlog
  18 match request-method ext revnum
  19 match request-method ext save
  20 match request-method ext setattr
  21 match request-method ext startrev
  22 match request-method ext stoprev
  23 match request-method ext unedit
  24 match request-method ext unlock
  25 match request-method rfc delete
  26 match request-method rfc trace
class-map type http inspect match-any HTTP_INSPECT_L7CLASS_2
  2 match request-method rfc get
  3 match request-method rfc head
  4 match request-method rfc post
  5 match request-method rfc put
  6 match request-method rfc options
  7 match request-method rfc connect
policy-map type inspect http all-match http-inspect
  description standard http inspection policy
  class HTTP_INSPECT_L7CLASS
    reset log
  class class-default
    permit
policy-map type inspect http all-match http-inspect-2
  description standard http inspection policy
  class HTTP_INSPECT_L7CLASS_2
    permit
  class class-default
    reset log
policy-map type loadbalance first-match APACHE_80_sfarm
  class class-default
    sticky-serverfarm APACHE-GROUP
policy-map multi-match 3.co.uk_web_vip
  class APACHE_92.41.252.3_PORT_443
    loadbalance vip inservice
    loadbalance policy APACHE_443_sfarm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 17 vlan 570
  class APACHE_PORT_80
    loadbalance vip inservice
    loadbalance policy APACHE_80_sfarm
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 17 vlan 570
    inspect http policy http-inspect-2
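The two inspection policies in the configuration above take opposite approaches: http-inspect is a denylist (the listed WebDAV extension methods plus DELETE and TRACE are reset, everything else is permitted), while http-inspect-2, the one actually applied to the port 80 class, is an allowlist (only GET, HEAD, POST, PUT, OPTIONS and CONNECT are permitted, everything else is reset). The following Python model is an added example, not part of the original post and not Cisco code. It reproduces only the request-method and transfer-encoding match lines; the match port-misuse lines rely on ACE's own application detection and are not modelled. Function names, the Request class and the sample requests are all mine and constructed for illustration.

```python
"""Added example (not from the post or Cisco): a Python model of the two
'policy-map type inspect http' policies above, so the permit/reset
outcome for a given request can be checked offline.

Only the request-method and transfer-encoding match lines are modelled;
the 'match port-misuse' lines depend on ACE's own application detection
and are not reproduced. The sample requests below are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional

# Methods from HTTP_INSPECT_L7CLASS ('request-method ext ...' plus 'rfc delete/trace').
L7CLASS_METHODS = {
    "COPY", "EDIT", "GETATTR", "GETATTRNAME", "GETPROPS", "INDEX", "LOCK",
    "MKDIR", "MOVE", "REVADD", "REVLABEL", "REVLOG", "REVNUM", "SAVE",
    "SETATTR", "STARTREV", "STOPREV", "UNEDIT", "UNLOCK", "DELETE", "TRACE",
}
# Methods from HTTP_INSPECT_L7CLASS_2 ('request-method rfc ...').
L7CLASS_2_METHODS = {"GET", "HEAD", "POST", "PUT", "OPTIONS", "CONNECT"}


@dataclass
class Request:
    method: str
    transfer_encoding: Optional[str] = None


def parse_request(raw: str) -> Request:
    """Pull the method and any Transfer-Encoding header out of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    te = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "transfer-encoding":
            te = value.strip().lower()
    return Request(method.upper(), te)


def match_l7class(req: Request) -> bool:
    """match-any HTTP_INSPECT_L7CLASS: true if any modelled match line hits."""
    return req.method in L7CLASS_METHODS or req.transfer_encoding == "identity"


def match_l7class_2(req: Request) -> bool:
    """match-any HTTP_INSPECT_L7CLASS_2: true for the six listed RFC methods."""
    return req.method in L7CLASS_2_METHODS


def http_inspect(req: Request) -> str:
    """Policy 'http-inspect' (denylist): listed class -> reset, class-default -> permit."""
    return "reset" if match_l7class(req) else "permit"


def http_inspect_2(req: Request) -> str:
    """Policy 'http-inspect-2' (allowlist): listed class -> permit, class-default -> reset."""
    return "permit" if match_l7class_2(req) else "reset"


def decisions(raw: str) -> Dict[str, str]:
    """Outcome of both policies for one raw request."""
    req = parse_request(raw)
    return {"http-inspect": http_inspect(req), "http-inspect-2": http_inspect_2(req)}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal GET": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "DELETE": "DELETE /item/1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "PUT": "PUT /upload HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "WebDAV PROPFIND": "PROPFIND / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "GET, TE identity": "GET / HTTP/1.1\r\nTransfer-Encoding: identity\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18s} {decisions(raw)}")
```

Running it shows where the two policies diverge: PROPFIND is not in the denylist class, so http-inspect would permit it while http-inspect-2 resets it; a GET carrying Transfer-Encoding: identity is reset by http-inspect but permitted by http-inspect-2; and PUT (and CONNECT) are in the allow class, so they pass the policy that is actually bound to port 80, which is worth checking against what the servers behind the VIP should accept.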
11-25-2008 11:43 AM
Turning on inspection will drop performance pretty dramatically. For example ACE module doing just L4 load balancing is rated at 348K CPS, turn on inspection and that number drops to around 40K, add L7 load balancing and it goes even lower.
11-25-2008 11:55 AM
Thanks for your reply. In this case the ACE has no load, just a test configuration with less than a meg of test load.
Is doubling latency expected behaviour when enabling inspection?
11-25-2008 12:23 PM
I wouldn't necessarily expect a doubling of latency (but a packet capture from the ACE tengig would probably be useful). Inspection can aggravate out-of-order packets, so you may want to try turning off randomization as follows:
parameter-map type connection TEST
  no random-sequence-number
then apply under
class APACHE_PORT_80
  connection advanced-options TEST
11-25-2008 01:51 PM
Given that the ACE is a second security layer after an FWSM, could the randomisation (or some other feature) being performed twice be a possible cause?