Cisco ASA 'object-group-search' Feature - Vague Caveats

bwallander (Level 1)

Hello,

I have a general question for Cisco/anybody who might have used the 'object-group-search' feature and can explain this somewhat vague performance caveat (quoted below):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/o.html#pgfId-1866962

The object-group-search command optimizes all ACLs in the inbound direction.

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand ACLs that use network objects in the ASP table, but instead searches access rules for matches based on those group definitions. You will see this in the show access-list output.

When the object-group-search access-control command is enabled on an ASA, with a significant number of features enabled, a large number of active connections and loaded with a large ACL, there will be a connection drop during the operation and a performance drop while establishing new connections.


Does this effectively mean that the firewall will drop new connections and be reduced on total number of concurrent overall connections?


We're interested in compacting our rather large object-groups for a performance gain but really could use [any] elaboration around the above.


Cheers

3 Replies

Vibhor Amrodia (Cisco Employee)

Hi,

Which ASA code are you using? Also, how many connections do you normally have on the ASA device, and what is the output of this command:

show access-list | in elements

If the number of ACLs is very large, then new connections might see some issues with the ACL lookup, but this is normally not seen and the traffic is matched correctly.

I would also recommend the transactional commit model:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_rules.html#pgfId-1270273

Available for ASA 9.1.5 and above.

Thanks and Regards,

Vibhor Amrodia

bwallander (Level 1)

Thank you Vibhor, this looks great.

Is the transactional commit model, when enabled, able to complement object-group-search? Or are they competing alternatives?

I'm speaking more generally as I've got models and software across the spectrum, with max concurrent connections anywhere between 5 and 500,000. One thing they have in common is a very large ACL which causes packets to be dropped during modification.

Vibhor Amrodia (Cisco Employee)

Hi,

Sorry, I hit the endorse button by mistake :)

Transactional commit is mainly used for these reasons:

  • Preventing packet drops while compiling large rules during high traffic rates.
  • Reducing rule compilation time while updating a large number of similar rules.

When we talk about Object Group search, it will be used for:

You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand ACLs that use network objects in the ASP table, but instead searches access rules for matches based on those group definitions. You will see this in the show access-list output.

Now, the performance impact will be negated with Transactional commit enabled.

Thanks and Regards,

Vibhor Amrodia
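The following is an added example, not configuration posted in the thread, that puts Vibhor's two suggestions together on an ASA running 9.1(5) or later: check the expanded element count with `show access-list | include elements`, enable transactional commit for access groups so the ACL recompile does not drop packets, then enable object-group-search and verify. Object-group and ACL names, interface name and addresses are hypothetical. The element arithmetic in the comments follows the expansion behaviour described in the quoted documentation (one element per source/destination/service combination when object-group-search is off), and the ordering (transactional commit first) follows Vibhor's answer that it negates the impact of the object-group-search compile.

```text
! Added example (not from the thread): object groups, an ACL built on them,
! and the two features discussed, in the order recommended above.
!
! With object-group-search disabled, the ASA expands each ACE that uses
! object groups into one element per combination, so the single permit ACE
! below becomes 3 sources x 2 destinations x 2 ports = 12 elements in the
! ASP table. Real rule sets with hundreds of members per group are where
! the memory cost shows up.
object-group network ADMIN_HOSTS
 network-object host 10.10.1.11
 network-object host 10.10.1.12
 network-object host 10.10.1.13
object-group network DMZ_WEB
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.11.0 255.255.255.0
object-group service WEB_TCP tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp object-group ADMIN_HOSTS object-group DMZ_WEB object-group WEB_TCP
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! 1. Baseline: record the expanded element count before changing anything
!    (this is the output Vibhor asked for).
show access-list OUTSIDE_IN | include elements
!
! 2. Enable transactional commit for access groups first, so the rule
!    table compiled by the next change is swapped in as a unit instead of
!    dropping packets while the large ACL is being compiled.
asp rule-engine transactional-commit access-group
!
! 3. Enable object-group search. This triggers an ACL recompile; on a box
!    with many connections and a large ACL, schedule it in a maintenance
!    window, per the caveat quoted in the original post.
object-group-search access-control
!
! 4. Verify: the elements count should now reflect unexpanded ACEs rather
!    than the 12-way expansion, and both settings should be in the running
!    config. Compare new-connection rate against the baseline afterwards,
!    since the documented trade-off is lookup performance for memory.
show access-list OUTSIDE_IN | include elements
show running-config | include object-group-search
show running-config | include transactional-commit
```

To answer the "competing or complementary" question in the terms the thread itself uses: the two settings are independent. Transactional commit changes how a new rule table is installed (no drops while compiling), while object-group-search changes what the compiled table contains (group references instead of expanded entries), so enabling both is a valid combination.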
