Latency through a vFTD transparent NGIPS

sjhloco (Level 1)

Hi,

 

With a vFTD set up as an inline-set transparent NGIPS using the bare minimum settings we get huge spikes in ICMP latency for traffic going through it. The example in this post is just a test lab to keep it simple and prove definitively that it is the IPS policy that causes the latency. We experienced the same with a more complicated PoC setup. This example setup is using the following settings:


- One ESX server - is very lowly utilized.
- One vFTD 6.3 in transparent mode with 8 CPUs and 8 GB RAM - nothing runs through this except the tests.
- One inline pair connects to port-groups 98 and 99 on their own dedicated local vSwitch.
- Two Server 2012 VMs with 1 vNIC each are on VLAN 98 and VLAN 99 respectively.

 

An Access Control Policy is applied to the vFTD with the only setting being the Default Action set to Access Control: Trust All Traffic. When we ping between the VMs we get a low latency (<1ms) as would be expected.

Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 10ms, Average = 0ms

 

Next we created a new Intrusion policy set to Connectivity over Security (so only about 500 signatures enabled) and applied that to the Default Action of the Access Control policy. After this policy is applied the latency between the two Windows VMs jumps up and is very unstable:

Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 21ms, Average = 11ms

 

Does anyone know if this is to be expected with the vFTD and if you would see the same issue with physical FTDs? The number of IPS signatures is very low so I guess that isn't the cause. Are there any other settings that could be causing this? I have also tried a tcping on port 80 and although the minimum and maximum are a lot higher, the average seems quite consistent, so this could just be due to the way it treats ICMP packets.

 

No IPS:

100 probes sent.
100 successful, 0 failed. (0.00% fail),

Approximate trip times in milli-seconds:

Minimum = 1.091ms, Maximum = 31.7771ms, Average = 18.196ms

 

With IPS:

100 probes sent.
100 successful, 0 failed. (0.00% fail),

Approximate trip times in milli-seconds:

Minimum = 11.092ms, Maximum = 41.755ms, Average = 18.372ms


Would be keen to hear if anyone else has tried using vFTDs in this manner and is experiencing any problems or issues due to the latency. We have put traffic through a vFTD in a small PoC environment and even with this latency we didn't notice any performance issues. However in production we have SaaS applications so I worry about implementing this if it is affecting latency this way for all traffic through it.

 

Thanks
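To put numbers on the "added by the IPS" latency rather than eyeballing two summaries, here is a small parser for the Windows ping / tcping summary lines quoted in this post. It is an added example, not code from the original post or from Cisco; the sample strings are the two ICMP summaries above and the latency budget is an assumed value.

```python
"""Compare RTT summaries captured with and without an intrusion policy in the path."""
import re
from dataclasses import dataclass

# Matches both Windows ping ("Minimum = 0ms") and tcping ("Minimum = 1.091ms") summary lines.
_SUMMARY_RE = re.compile(
    r"Minimum\s*=\s*([\d.]+)ms,\s*Maximum\s*=\s*([\d.]+)ms,\s*Average\s*=\s*([\d.]+)ms"
)


@dataclass(frozen=True)
class RttSummary:
    minimum: float
    maximum: float
    average: float

    @property
    def jitter(self) -> float:
        """Spread between best and worst RTT; a rough indicator of instability."""
        return self.maximum - self.minimum


def parse_summary(text: str) -> RttSummary:
    """Extract min/max/avg RTT (ms) from a ping or tcping result block."""
    m = _SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no RTT summary line found")
    return RttSummary(*(float(v) for v in m.groups()))


def added_latency(baseline: RttSummary, inspected: RttSummary) -> dict:
    """Latency the inspected path adds on top of the baseline, per metric."""
    return {
        "avg_delta_ms": round(inspected.average - baseline.average, 3),
        "max_delta_ms": round(inspected.maximum - baseline.maximum, 3),
        "jitter_delta_ms": round(inspected.jitter - baseline.jitter, 3),
    }


def exceeds_budget(baseline: RttSummary, inspected: RttSummary, budget_ms: float) -> bool:
    """True when the average added latency is above an assumed per-hop budget."""
    return added_latency(baseline, inspected)["avg_delta_ms"] > budget_ms


# Constructed sample input: the two ICMP summaries quoted in the post.
NO_IPS = "Approximate round trip times in milli-seconds:\nMinimum = 0ms, Maximum = 10ms, Average = 0ms"
WITH_IPS = "Approximate round trip times in milli-seconds:\nMinimum = 0ms, Maximum = 21ms, Average = 11ms"

if __name__ == "__main__":
    base, insp = parse_summary(NO_IPS), parse_summary(WITH_IPS)
    print(added_latency(base, insp), exceeds_budget(base, insp, budget_ms=5.0))
```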

Accepted Solution

May as well answer my own question, appears this is down to bug CSCvo05052.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo05052/?rfs=iqvred

 

We are only using Firepower as an NGIPS with the default action of using an Intrusion policy, so I added a rule to bypass any ICMP traffic so that it doesn't go through the inspection policy. Have had the NGIPS up for the past few months with production traffic going through it and no issues noticed.


2 Replies

sjhloco (Level 1)

A correction on the TCP traffic through the FTD. I was assuming the 20ms was the baseline for TCP ping between the machines. If I do a tcping between the machines directly (not through the vFTD) the latency is below 1ms. Looks like for TCP traffic, even without IPS on, any traffic going through the FTD gets 20ms of latency added to it.
