Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12283
Views
20
Helpful
3
Replies

Cisco ASA 'object-group-search' Feature - Vague Caveats

Go to solution
bwallander
Level 1
Level 1

‎04-02-2015 02:22 PM - edited ‎03-11-2019 10:43 PM

Hello,

I have a general question for Cisco/anybody who might have used the 'object-group-search' feature and can explain this somewhat vague performance caveat (in red):

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/o.html#pgfId-1866962

The object-group-search command optimizes all ACLs in the inbound direction.

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense rule of lookup performance. When enabled, object group search does not expand ACLs that use network objects in the ASP table, but instead searches access rules for matches based on those group definitions. You will see this in the show access-list output.

When the object-group-search access-control command is enabled on an ASA, with a significant number of features enabled, a large number of active connections and loaded with a large ACL, there will be a connection drop during the operation and a performance drop while establishing new connections.

 

Does this effectively mean that the firewall will drop new connections and be reduced on total number of concurrent overall connections?

 

We're interested in compacting our rather large object-groups for a performance gain but really could use [any] elaboration around the above.

 

Cheers

2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
bwallander
Level 1
Level 1
In response to Vibhor Amrodia

‎04-03-2015 07:28 AM

Thank you Vibhor, this looks great.

Is transactional commit model, when enabled, able to compliment object-group-search? Or are they competing alternatives?

I'm speaking more generally as I've got models and software across the spectrum, with max concurrent connections anywhere between 5 and 500,000. One thing they have in common is a very large ACL which causes packets to be dropped during modification.

View solution in original post

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to bwallander

‎04-03-2015 07:52 AM

Hi,

Sorry , hit the endorse button by mistake :)

Transactional commit is mainly used for these reasons:-

  • Preventing packet drops while compiling large rules during high traffic rates.
  • Reducing rule compilation time while updating a large number of similar rules.

When we talk about Oject Group search , it will be used for:-

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense rule of lookup performance. When enabled, object group search does not expand ACLs that use network objects in the ASP table, but instead searches access rules for matches based on those group definitions. You will see this in the show access-list output.

Now , the performance impact will be negated with the Transactional commit enabled.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

3 Replies 3

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎04-03-2015 04:20 AM

Hi,

Which ASA code are you using ? Also , how many connections do you normally have on the ASA device and also the output of this command:-

show access-list | in elements

If the number of ACL are very large , then the new connections might see some issues with the ACL lookup but is normally is not seen and the traffic is matched correctly.

I would also recommend , Transactional commit model:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_rules.html#pgfId-1270273

Available for ASA 9.1.5 and above.

Thanks and Regards,

Vibhor Amrodia

Go to solution
bwallander
Level 1
Level 1
In response to Vibhor Amrodia

‎04-03-2015 07:28 AM

Thank you Vibhor, this looks great.

Is transactional commit model, when enabled, able to compliment object-group-search? Or are they competing alternatives?

I'm speaking more generally as I've got models and software across the spectrum, with max concurrent connections anywhere between 5 and 500,000. One thing they have in common is a very large ACL which causes packets to be dropped during modification.

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to bwallander

‎04-03-2015 07:52 AM

Hi,

Sorry , hit the endorse button by mistake :)

Transactional commit is mainly used for these reasons:-

  • Preventing packet drops while compiling large rules during high traffic rates.
  • Reducing rule compilation time while updating a large number of similar rules.

When we talk about Oject Group search , it will be used for:-

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense rule of lookup performance. When enabled, object group search does not expand ACLs that use network objects in the ASP table, but instead searches access rules for matches based on those group definitions. You will see this in the show access-list output.

Now , the performance impact will be negated with the Transactional commit enabled.

Thanks and Regards,

Vibhor Amrodia

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card