FWSM "TCP Packet Buffer Full" - is there anything I can do??

golly_wog · ‎06-16-2011

Hi

I've an FWSM running A/A with a context in transparent mod. I've had reports of poor performance of traffic through this.

From a show asp drop I see the "TCP Packet Buffer Full" is increasing, I know on the ASA you can increase the queue-limit using a tcp-map and MPF, but it seems that this is not available on the FWSM (I guessed due to it being done in hardware?).

Does anyone know of any way that I can mitigate this?

Many thanks

Oh and before anyone suggests about ways to improve performance, I've gone over the doc to disable tcp sequence number randomization, increase mtu, enable sack etc. :-)

cheers

Anu M Chacko · ‎06-17-2011

Hi,

When you say poor performance, do you mean that the traffic pssing through the FWSM is experiencing latency? How are you measuring this?

You cannot change the queue limit of the TCP buffer in the FWSM.

Do you see performance issue with all hosts? Is the device running in multiple context?

Regards,

Anu

golly_wog · ‎06-17-2011

Hi

Thanks for taking the time to reply. As I said, I've only had reports of issues through the FWSM. A backup is taking ages to complete, it starts off fast, but then slows down. I captured traffic between the backup server and device being backed-up and noticed that some packets are being sent out a different order to what they entered the FWSM on.

I found that this is odd since I enabled "sysopt np completion-unit"

I'm running 4.1.3 and noticed that I might be hitting CSCth72685 - FWSM np completion-unit disabled after reboot however in startup config

Last night I removed and re-applied "sysopt np completion-unit" in the admin context (we're running multicontext mode), but after capturing traffic this morning I noticed that some traffic is still being sent out of the FWSM in a different order it received it.

I spoke to the Backup Admin who ran a job this morning and said it's now running better, I'll be able to confirm 100% next week if they are still having issues.

I'm concerned about the packets being sent out of order, would you know of anything else that could enable out of order packets?

With regard to the tcp buffer full messages - I guess that there's nothing that I can do? :-(

Sorry if my answers with regards to the slowness seem vague, I haven't dedicated much time to this and the BakupAdmin is useless.

Thanks again.

Anu M Chacko · ‎06-17-2011

Hi,

Did you capture traffic on the interfaces of the FWSM or did you take span captures? Please take fresh span captures to verify if the packets are still out of order.

Let me know.

Regards,

Anu

golly_wog · ‎06-17-2011

Hi

I took all the captures on the FWSM interfaces using the capture command limited to only the traffic from each host using an ACL.

cheers

Anu M Chacko · ‎06-17-2011

Hi,

I suggest you take span captures for the FWSM vlan interfaces. Here is an example on how to do this:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#config

Let me know how it goes.

Regards,

Anu

P.S. Please mark this question as resolved if it has been answered. Do rate helpful posts.

golly_wog · ‎06-17-2011

Hi Anu

Thanks again mate.

I'll grab these on the SVI,when I get back to work next week. Are you saying that the captures on the FWSM interfaces are no accurate?

Thanks

Anu M Chacko · ‎06-17-2011

Hi,

No problem. Captures on the FWSM are not reliable. It is always advisable to get span captures.

Keep me posted.

Regards,

Anu