07-05-2022 04:16 PM - edited 07-05-2022 04:34 PM
Multiple users have recently reported connection slowness to an APP VM that they have access to through an FTD HA Pair in our Colo DC. After running a trace from their access switch to the server that sits behind the firewall, I noticed that the hop to the egress interface of the FTD alone is around 75ms on average. We do not do any heavy L7 packet inspection, just L3/L4 Security Rules, so I am a bit confused about the reason for the high latency. Is this latency time normal to see on an FTD? Is there any possible way to work to bring this time down? Thanks.
1 172.30.254.70 2 msec 172.30.254.68 2 msec 172.30.254.70 2 msec
2 172.30.254.0 2 msec 172.30.254.2 3 msec 172.30.254.0 1 msec
3 172.30.211.253 2 msec 3 msec 1 msec
4 172.30.77.10 1 msec 2 msec 1 msec
5 10.62.250.153 4 msec 4 msec 4 msec
6 10.251.5.106 [MPLS: Label 24369 Exp 0] 5 msec 5 msec 5 msec
7 10.251.15.113 4 msec 4 msec 4 msec
8 10.93.16.1 76 msec 75 msec 78 msec FTD EGRESS INTERFACE (NEXT HOP SERVER)
UPDATE: I have noticed that within FMC, the CPU0 is currently sitting around 85-90%. Could this be a legit reason for the high latency? If so, could a possible reboot solve this? Thanks.
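Working through the trace above, as an added example that is not from the poster or from Cisco: a small Python script that parses Cisco IOS-style traceroute output (including the load-balanced hops whose probes print on separate lines, the MPLS label annotation and the free-text note on the last hop) and reports the hops where the median RTT jumps over the previous hop by more than a threshold. The sample input is the poster's trace re-typed as a constructed string; the 20 ms threshold is an arbitrary assumption.

```python
import re
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's Cisco IOS traceroute, re-typed here.
# Hops 1 and 2 are load-balanced across two next hops, so IOS prints each
# probe's address on its own line; hop 6 carries an MPLS label annotation and
# hop 8 carries the poster's free-text note.
SAMPLE_TRACE = """\
 1 172.30.254.70 2 msec
   172.30.254.68 2 msec
   172.30.254.70 2 msec
 2 172.30.254.0 2 msec
   172.30.254.2 3 msec
   172.30.254.0 1 msec
 3 172.30.211.253 2 msec 3 msec 1 msec
 4 172.30.77.10 1 msec 2 msec 1 msec
 5 10.62.250.153 4 msec 4 msec 4 msec
 6 10.251.5.106 [MPLS: Label 24369 Exp 0] 5 msec 5 msec 5 msec
 7 10.251.15.113 4 msec 4 msec 4 msec
 8 10.93.16.1 76 msec 75 msec 78 msec FTD EGRESS INTERFACE (NEXT HOP SERVER)
"""

# A hop line starts with the hop number followed by whitespace. A continuation
# line starts with an IP address, so "\d+\s+" cannot match it (a "." follows
# the digits), which is how the two are told apart.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
# Only "<number> msec" tokens count as RTTs; MPLS label numbers do not match.
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*msec")


def parse_traceroute(text: str) -> Dict[int, List[float]]:
    """Return {hop_number: [rtt_ms, ...]} for Cisco IOS-style traceroute text.

    Continuation lines (no leading hop number) belong to the previous hop.
    Timed-out probes ('*') contribute no RTT, so a hop may have fewer samples.
    """
    hops: Dict[int, List[float]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOP_RE.match(line)
        if m:
            current = int(m.group(1))
            hops.setdefault(current, [])
            rest = m.group(2)
        else:
            rest = line
        if current is None:
            continue  # text before the first hop line; ignore it
        hops[current].extend(float(v) for v in RTT_RE.findall(rest))
    return hops


def hop_deltas(hops: Dict[int, List[float]]) -> List[Tuple[int, float, float]]:
    """Per hop: (hop, median RTT, increase of that median over the previous hop).

    The median is used rather than the mean so one slow probe does not
    masquerade as a slow hop. Hops with no surviving probes are skipped.
    """
    out: List[Tuple[int, float, float]] = []
    prev: Optional[float] = None
    for hop in sorted(hops):
        if not hops[hop]:
            continue
        med = statistics.median(hops[hop])
        out.append((hop, med, 0.0 if prev is None else med - prev))
        prev = med
    return out


def suspicious_hops(hops: Dict[int, List[float]],
                    threshold_ms: float = 20.0) -> List[Tuple[int, float, float]]:
    """Hops whose median RTT rises by at least threshold_ms over the previous hop."""
    return [(h, med, d) for h, med, d in hop_deltas(hops) if d >= threshold_ms]


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_TRACE)
    for hop, med, delta in hop_deltas(parsed):
        print(f"hop {hop:2d}: median {med:6.1f} ms  (+{delta:5.1f} ms)")
    for hop, med, delta in suspicious_hops(parsed):
        print(f"latency jump at hop {hop}: +{delta:.0f} ms")
```

One caveat worth keeping in mind when reading the result: the RTT reported for an intermediate hop measures how quickly that device generates its ICMP time-exceeded reply, which on a firewall is handled by the control plane and can be inflated when the CPU is busy, independently of how fast it forwards transit traffic. A jump at the firewall hop therefore points at the device, but should be confirmed with end-to-end measurements (for example, RTT to the server behind it over the application's own port) before concluding that forwarding itself is slow.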
07-06-2022 02:05 AM
Even though you are not using the L7 inspection on FTD, by default if no rules are configured the default policy kicks in. What you can do is create a L7 ACP rule and put the server and user in "Trust". By doing this FTD will not do a default policy check.
07-06-2022 04:18 AM