
FMCv performance

hoffa2000
Level 3

Greetings

I'm trying to understand why our FMCv is so slow to operate. I've had a TAC on the issue but the technician wasn't very straight whether or not I have a hardware design issue or if there is something that needs to be optimized on the FMC. So I'd like to ask the community for input.

I'm running the FMCv on VMware 6.5. I'm not a VMware guy but I'm told we have a decent hardware cluster and fast disks (non SSD) using iSCSI. The FMCv is assigned 8 CPU cores and 32GB RAM, we have 12 Firepower devices connected and not particularly heavy throughput.

The top command on the FMCv is as the attached picture, this is when I select Connections - Events which takes 30+ seconds to load. Is this normal? I don't know. To conduct an event search where you move in and out from the search function can take up to 10 minutes.

I'm at a loss where to look. Should I push the VMware team for SSD storage? Should I request funding for a hardware FMC? Or is this expected when running 12 devices?

 

Regards

Fredrik

 

5 Replies

Marvin Rhoads
Hall of Fame

FMCv is always slow. It doesn't matter whether your managed devices are one or many. I've not used the big hardware appliances (e.g. FMC 4500) but even the FMC 1000 and 1500 are slow in my experience.

 

I think it has more to do with the underlying multiple databases it uses than any hardware (virtual or otherwise).

Hi Mr Rhoads

I was sort of hoping you would answer :)

But I'm sorry, this is just awful. As I understand, Cisco is pushing toward unifying the ASA-Firepower track, at least I have been approached by Cisco representatives with that suggestion since the majority of my devices are ASAs with Firepower (NGIPS). I have told them I would love to handle all my network security through the FMC and skip ASDM and what not but the GUI performance is an absolute showstopper for me. And if the troubles are due to some deep level architectural shortcoming rather than hardware performance I guess any improvement is far away.

 

Regards

Fredrik 

Well they have improved it somewhat over the years but as of 6.2.3.5 it is still pretty bad in my opinion.

 

You may talk to them about participating in the beta for CDO managing Firepower modules and FTD devices. It doesn't have feature parity with FMC but for some shops that may be a good thing. :)

Hi again

I got word 6.3 of the Firepower platform was live and I jumped over the release notes with hopes of finding anything that might give me some relief but no, not a word regarding GUI speed or database architecture. Maybe that's to be expected in a "mere" jump from 6.2.x to 6.3 but then again, I can't be the only one having usability issues with the vFMC?

 

Regards

/Fredrik

Hi there,

 

As already pointed out the FMCv/vFMC isn't particularly fast compared with hardware versions. Noted within your TOP command output, the memory usage is reaching capacity. Perhaps provision 48GB to the VM... although by nature of database processes, they just consume and consume memory.

 

How many host/user objects are consumed currently? (check Licensing > Classic Licensing)

 

Have you looked at the ESXi's performance log charts?

 

v6.3 by nature doesn't introduce any significant performance improvements, in fact there are more selectable options.
