Slow internet with IOS Content Filtering

Ben Williams · ‎11-19-2010

Dear All,

We've just installed a nice new 1941W router with advance security and enabled the Trendmicro IOS content filtering as a replacement for surfcontrol.

We only have a couple of entries within the black list along with the desired categories but as soon as the content filter policy is enabled internet browsing slows down by some margin sometimes unusable, I understand this will causes some overhead but not by this much even the routers CPU and memory usage report is at minimum.

Does anyone have any suggestions on how to improve web browsing while content filtering is enabled? I was think maybe something to do with the trps.trendmicro.com url filter address which I believe is in the US (we're in the UK) does Trendmicro have a UK server address?

I’ve pasted the content filter config below.

I would be most appreciated with any suggestions

Thanks

#ping trps.trendmicro.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.70.74.51, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 244/275/308 ms

parameter-map type urlfpolicy trend cptrendparacatdeny0

max-request 5000

max-resp-pak 1000

allow-mode on

block-page message "The website you have accessed is blocked as per DH web policy"

parameter-map type urlf-glob cplocclassurlfgloburlblock0

pattern *.ebay.*

pattern www.webproxyonline.info

parameter-map type urlf-glob cplocclassurlfgloburlallow0

pattern *.LinkedIn.*

parameter-map type urlf-glob cplocclassurlfglobkdblock0

parameter-map type trend-global global-param-map

server trps.trendmicro.com

cache-size maximum-memory 25000

cache-entry-lifetime 1

Panos Kampanakis · ‎11-19-2010

Ben,

Please have a look at "sh policy-map type inspect zone-pair urlfilter" and check the response time from the server. Depedning where you are and load you might see some slowness due to slow server response sometimes. If response times are slow I would suggest finding the 2-3 ip addresses that are used for server. trps.trendmicro.com and hard code the host entry on the router for the ip address that has the best response time.

In this thread https://supportforums.cisco.com/message/3219346#3219346 we saw a response time issue that cause HTTP slowness. I would suggest going through it real quick. It referred to Asia that had slow response time because the sever is in USA west coast.

I hope it helps.

PK

jubetz · ‎11-19-2010

Hi Ben,

Do an nslookup for trps.trendmicro.com.

Non-authoritative answer:
Name: trps.trendmicro.com
Addresses: 216.104.8.100, 150.70.74.51

This should be DNS load balanced to your closest server. Try pinging 216.104.8.100 from your router to see if the RTT is lower.

What you really should be interested in is the RTT of the application, not of just ICMP. This can come out to be different because of server load, etc. In other words it's possible for the server application that provides this service to be completely down. Your URLFiltering requests will go unasnwered, but you'll still be able to ping the IP address...the box is still up but the service is down.

This is what I suggest you do. Try pointing to each one of those IP addresses manually in a trend-global parameter-map and watching the RTT to see if one is noticeably better than the other. To do this, create a parameter-map exactly like this:

! can be whatever you'd like

paramter-map type trend-global

server [216.104.8.100 | 150.70.74.51]

!

After you've chosen one, let it run for about a minute. Then check the output of:

"show policy-map type inspect zone-pair urlfilter | b Trend URL"

You should see something like this:

Trend URL Filtering is ENABLED
Trend server : 216.104.8.100(port: 80)
Current requests count: 0
Current packet buffer count(in use): 0
Maxever request count: 0
Maxever packet buffer count: 0
Total cache hit count: 0
Total requests sent to URL Filter Server
Total responses received from URL Filter Server
Total error responses received from URL Filter Server
Total requests allowed: 0
Total requests blocked: 0
1min/5min Avg Round trip time to URLF Server: 0/0 millisecs
1min/5min Minimum round trip time to URLF server: 0/0 millisecs
1min/5min Maximum round trip time to URLF server: 0/0 millisecs
Last req round trip time to URLF Server: 0 millisecs

(mine isn't enabled obviously)

Watch for the 1/5 Minute average/max/min/last RTTs. Compare one server vs the other and pick the one that's performing better.

***NOTE: These IP addresses can change from time to time and that you should configure a hostname and not hard-code a specific server. This isn't best practice and should only be done in the event that there is a notceable difference from one server to the other and DNS is putting you on the "slower" one. There are also some rare occasions where there may be a technical issue with one server or the other and bad luck has you going to the problem one - pointing to the other will keep you going until it's fixed and you can go back to the best-practice, hostname-lookup-method of choosing the server.

RTTs here in the US should average out to be below ~250ms. I can't really speak to what would be a reasonable RTT overseas or where these servers are actually located geographically...not sure.

HTH,

-jb

jubetz · ‎11-19-2010

You the man, pk

Ben Williams · ‎11-22-2010

Thanks Guys for your messages,

Looking at the two addresses for trps.trendmicro.com I receive similar ping results from both servers. I've been playing around with the cache settings for the content filter policy-map and noticed that the default entry life was set to 1 hour, after removing this the default of 24 hours was used, this improved web browsing as the router was not contently talking to the trps server.

Is there a way I can remove the time life for the content filtering cache so that entries will only be removed when the cache memory limit is reached?

Thanks

Panos Kampanakis · ‎11-22-2010

Unfortunately you can only set it to the high possible value.

PK