cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2700
Views
5
Helpful
5
Replies

ASA-SSM-10 inspection load 100% (version 7.0(5a)E4

Erik.Verkerk_2
Beginner
Beginner

Hi all,

I have a challenge with the IPS module in the ASA5520, the ASA-SSM-10. When we start a test to connect to the webservers I get a inspection load of 100% and traffic/performance will slow down.

We test with 63000 sessions per minute which perform a load of: from the test-servers(clients) to the web-servers of 20.000 kbits/sec and traffic from the web-servers back to the test-servers(clients) 75.000 kbits/sec.

Can you please advise what to do because we cannot go live with this environment only when this is fixed.

Thanks in advance,

Erik Verkerk.

1 Accepted Solution

Accepted Solutions

We have not been using inspection load to determine proper sensor performance, instead we've relied on "missed packet percentage" reported by the sensor. When the sensor gets into trouble they will start to miss packets for inspection, this leads to the sensor incorrectly determining the TCP state for some of the connections. This causes the sensor to use more resources than necessary to inspect traffic, leading to more missed packets.

This is affectionaly called the "death spiral" and we try to avoid it as much as possible.

Cisco has a long and proud history of providing "blue sky" performance numbers for their products. We used to discount their IPS sensor performance numbers by half, but they've made improvements over the years and now we only take about 1/3 off the reported values. You can see this for yourself with real, live production traffic.

I havn;t found the number of signatures to significantly effect sensor performance unless you're hitting them abnormally hard or have turned on a large number or tuned them to perform lots of actions per second.

- Bob

View solution in original post

5 Replies 5

rhermes
Rising star
Rising star

If I understand your bandwidth numbers correctly you are passing 20 Mb/s of web traffic in one direction and 75 Mb/s in the other direction, for a total of 95 Mb/s of traffic you want the AIP-SSM10 module to inspect.

In our production AIP-SSM10 modules we try to keep total traffic below 75 Mb/s. I think you're overloading your sensor.

Back off your test traffic and you can see if your experience matches ours.

- Bob

Hi Bob,

thanks for you reply/suggestion and you understood the numbers correctly. Unfortunately the AIP-SSM-10 module must inspect this kind of load. I can test, within 8 hours time, a lower amount of traffic.

I do have some questions for you:

When you have a traffic of 75Mb/s what is your inspection load saying 80%?

Regarding the specs Cisco tells in the documentation of the ASA5520 that when you are using a AIP-SSM-10 you can firewalling and IPS a maximum of 225Mb/s. Now I understand that this is probably the commercial figures but Iám only looking for half of this, 95MB/s. Do you have an explaination for this?

Perhaps the amount of signatures is too much: I have 1500 signatures active, can you tell how much active signatures you run in your AIP-SSM-10?

Last but not least question:

It is hard for me to find some usefull documentation, specific troubleshooting the IPS, do you have suggestions?

I hope you have the time to answers these questions it certainly helps me to understand the IPS and fix the problem.

Many thanks in advance,

Erik.

We have not been using inspection load to determine proper sensor performance, instead we've relied on "missed packet percentage" reported by the sensor. When the sensor gets into trouble they will start to miss packets for inspection, this leads to the sensor incorrectly determining the TCP state for some of the connections. This causes the sensor to use more resources than necessary to inspect traffic, leading to more missed packets.

This is affectionaly called the "death spiral" and we try to avoid it as much as possible.

Cisco has a long and proud history of providing "blue sky" performance numbers for their products. We used to discount their IPS sensor performance numbers by half, but they've made improvements over the years and now we only take about 1/3 off the reported values. You can see this for yourself with real, live production traffic.

I havn;t found the number of signatures to significantly effect sensor performance unless you're hitting them abnormally hard or have turned on a large number or tuned them to perform lots of actions per second.

- Bob

Hi Bob,

thanks for your time and reply. Indeed I just see for myself with real data that half the amount of traffic is not suitable for the IPS here.

I have to find the error, I think I will open a TAC case to see whats wrong.

Erik.

Hi all,

after a TAC level1 service request Cisco found the problem. It is the amount of traffic whats going through the IPS.

Cisco told that ~20mbit incoming and ~80mbit back to the interface is total of 100mbit which is more than the IPS can handle. We need another IPS.

Hope this information helps.

Thanks,

Erik.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers