03-15-2019 06:38 AM
Hi,
With a vFTD setup as an inline-set transparent NGIPS using the bare minimal settings, we get huge spikes in ICMP latency for traffic going through it. The example in this post is just a test lab to keep it simple and prove definitively that it is the IPS policy that causes the latency. We experienced the same with a more complicated PoC setup. This example setup is using the following settings:
- One ESX server - very lowly utilized.
- One vFTD 6.3 in transparent mode with 8 CPUs and 8 GB RAM - nothing runs through this except the tests.
- One inline pair connects to port-groups 98 and 99 on their own dedicated local vswitch.
- Two Server 2012 VMs with 1 vNIC each are on VLAN 98 and VLAN 99 respectively.
An Access Control Policy is applied to the vFTD with the only setting being the Default Action set to Access Control: Trust All Traffic. When we ping between the VMs we get a low latency (<1ms) as would be expected.
Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 0ms
Next we created a new Intrusion policy set to Connectivity over Security (so only about 500 signatures enabled) and applied that to the Default Action of the Access Control policy. After this policy is applied the latency between the two windows jumps up and is very unstable:
Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 21ms, Average = 11ms
Does anyone know if this is to be expected with the vFTD and if you would see the same issue with physical FTDs? The number of IPS signatures is very low, so I guess that isn't the cause. Are there any other settings that could be causing this? I have also tried a tcping on port 80 and although the minimum and maximum are a lot higher, the average seems quite consistent, so this could be just due to the way it treats ICMP packets.
No IPS:
100 probes sent.
100 successful, 0 failed. (0.00% fail),
Approximate trip times in milli-seconds:
Minimum = 1.091ms, Maximum = 31.7771ms, Average = 18.196ms
With IPS:
100 probes sent.
100 successful, 0 failed. (0.00% fail),
Approximate trip times in milli-seconds:
Minimum = 11.092ms, Maximum = 41.755ms, Average = 18.372ms
Would be keen to hear if anyone else has tried using vFTDs in this manner and is experiencing any problems or issues due to the latency. We have put traffic through a vFTD in a small PoC environment and even with this latency we didn't notice any performance issues. However, in production we have SaaS applications, so I worry about implementing this if it is affecting latency this way for all traffic through it.
Thanks
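A small added helper (not from the original post or from Cisco) that automates the comparison described above: it parses the Windows ping and tcping summary blocks quoted in the post, computes the latency the inspected path adds over the baseline run, and flags a run whose average RTT grows past a threshold or that loses probes. The threshold value and the sample summaries are assumptions constructed from the numbers in the post.

```python
import re

# Constructed samples in the two summary formats quoted in the post
# (Windows "ping" and "tcping"); the values are the ones reported there.
PING_TRUST = """Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 0ms"""
PING_IPS = """Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 21ms, Average = 11ms"""
TCPING_TRUST = """100 probes sent.
100 successful, 0 failed. (0.00% fail),
Approximate trip times in milli-seconds:
Minimum = 1.091ms, Maximum = 31.7771ms, Average = 18.196ms"""
TCPING_IPS = """100 probes sent.
100 successful, 0 failed. (0.00% fail),
Approximate trip times in milli-seconds:
Minimum = 11.092ms, Maximum = 41.755ms, Average = 18.372ms"""

# Both tools print the same RTT line; loss is reported differently.
RTT_RE = re.compile(r"Minimum = ([\d.]+)ms, Maximum = ([\d.]+)ms, Average = ([\d.]+)ms")
LOSS_RE = re.compile(r"Lost = (\d+)|(\d+) failed")


def parse_summary(text: str) -> dict:
    """Extract min/max/avg RTT (ms) and lost probe count from a ping or tcping summary."""
    rtt, loss = RTT_RE.search(text), LOSS_RE.search(text)
    if rtt is None or loss is None:
        raise ValueError("unrecognised summary format")
    lost = int(loss.group(1) or loss.group(2))
    return {"min": float(rtt.group(1)), "max": float(rtt.group(2)),
            "avg": float(rtt.group(3)), "lost": lost}


def compare_runs(baseline: str, candidate: str, avg_threshold_ms: float = 5.0) -> dict:
    """Latency the candidate run (e.g. intrusion policy on) adds over the baseline
    (e.g. Trust All Traffic). 'flagged' is set when the average RTT grows by more
    than avg_threshold_ms (an assumed value; use your own SLA) or probes are lost."""
    b, c = parse_summary(baseline), parse_summary(candidate)
    deltas = {k: round(c[k] - b[k], 3) for k in ("min", "max", "avg")}
    deltas["lost"] = c["lost"] - b["lost"]
    deltas["flagged"] = deltas["avg"] > avg_threshold_ms or deltas["lost"] > 0
    return deltas


if __name__ == "__main__":
    print("ICMP, trust -> IPS:", compare_runs(PING_TRUST, PING_IPS))
    print("TCP/80, trust -> IPS:", compare_runs(TCPING_TRUST, TCPING_IPS))
```

Run against the figures in the post, the ICMP pair is flagged (average up by 11 ms) while the TCP pair is not, which matches the observation that only the ICMP average moved.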
07-01-2019 08:39 AM
May as well answer my own question, appears this is down to bug CSCvo05052.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo05052/?rfs=iqvred
We are only using Firepower as a NGIPS with the default action of using an Intrusion policy, so I added a rule to bypass any ICMP traffic so that it doesn't go through the inspection policy. Have had the NGIPS up for the past few months with production traffic going through it and no issues noticed.
03-15-2019 07:06 AM
A correction on the TCP traffic through the FTD. I was assuming the 20ms was the baseline for TCP ping between the machines. If I do a tcping between the machines directly (not through the vFTD) the latency is below 1ms. Looks like for TCP traffic, even without IPS on, any traffic going through the FTD gets 20ms latency added to it.