Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
3
Replies

AIM-IPS Performance Limits?

kstarnes11
Level 1
Level 1

‎12-25-2010 09:16 AM - edited ‎03-10-2019 05:13 AM

We are using an AIM-IPS module in a 1841 and it has been working fine, however we just upgraded our broadband link and didn’t notice a increase in throughput.

We were consistently getting about 16 meg download speeds and this didn’t change with the new service tier.  Removing the IPS module (no ids-service module monitoring inline) does give us the new speeds (35+ meg down)

I thought the AIM-IPS module had a limit of 45 meg throughput, before I trouble shoot more, shouldn’t I expect throughput closer to the 45 meg limit?

Labels:
0 Helpful
3 Replies 3

fadlouni
Level 1
Level 1

‎12-27-2010 02:54 AM

Hi.

several factors can limit throughput:

1- make sure you are on a recent release on the ips module to make sure you have the latest performance tweaks.

2- check cpu inspection load on the ips module:

sh statistics virtual-sensor | inc Load

if it's very high this will limit throughput and you'll need to tweak your current set of signatures to be less busy.

3- make sure the router side is also not having performance issues (check "show proc cpu").

4- are there any features configured on the router side that could be cpu intensive? like zone based firewall, tcp settings etc...

Regards,

Fadi.

0 Helpful

kstarnes11
Level 1
Level 1
In response to fadlouni

‎12-27-2010 11:55 AM

Ok thanks for the tips - I will do some more investigation.

It is running a zone based firewall, but by just removing the "ids-service module" lines I saw a decent gain in throughput.

That is, zone firewall still configured but with no ids module: we were getting the expected speeds.  I was thinking that while the module might add a little latency, since it had its own CPU/Memory it shouldn't cause such a degradation.

I will do some more testing/monitoring - I guess I really wanted to make sure that the ids module was capable of faster performance than I was seeing (i.e. I wasn't troubleshooting a performance problem that wasn't really a problem but was within spec for the device)

0 Helpful

kstarnes11
Level 1
Level 1
In response to kstarnes11

‎12-27-2010 07:03 PM

Ok a little more details:
IPS Software: 7.0(4) E4
I removed the zone firewall and all VPN configuration from the router and now have a 1841 with a pretty minimal config.
With only NAT, no firewall, no routing protocols, no IPS - it runs a pretty constant 60Mbits throughput between a inside and outside host (using iperf)
Insert the ids-service-module monitor into either (or both interfaces) and the throughput drops from 60Mbits to 20Mbits.
Interestingly the throughput stays the same even with both FastEthernet interfaces configured for the IPS.  i.e. It never drops below 20Mbits.
The router CPU is @ 85% (with and without the IPS enabled)
The IPS module inspection load is constant at about 22%
Any thoughts?
Thanks!!
77744-plain-startup-config.txt.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card