09-12-2011 04:28 AM - edited 03-11-2019 02:23 PM
Hi all,
we are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.
Symptoms:
- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150,000 pps of traffic (testing with the packETH software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes, one!) to 2% all the time!! (weird)
- ASR response to pings rises very quickly to up to 5 seconds, which makes the box unusable, dropping everything that goes through ZBF (so the internet connection is gone)
- if I do the ping directly from the box, it seems to work fine (there are no rules from the self zone to the outside zone in ZBF)
- if I remove the interfaces from the inside and outside zones (so disabling ZBF) and do the test again, the ASR response goes from normal (0.2 ms) up to 2 ms (still sending 150,000 pps) and everything seems to work fine
Config:
- two inside interfaces
- one outside interface
ZBF:
Policy Map type inspect IN2OUT
  Class I2O-DENY
    Drop log
  Class I2O-SSH
    Inspect TCP12H
  Class I2O-PERMIT
    Inspect NORMAL
  Class class-default
    Drop log
Policy Map type inspect OUT2IN
  Class O2I-FTP
    Inspect
  Class O2I-H323
    Inspect
  Class O2I-DNS
    Inspect
  Class O2I-SSH
    Inspect TCP12H
  Class O2I-PERMIT
    Inspect NORMAL
  Class class-default
    Drop
Most campus traffic to the internet goes through class "I2O-PERMIT" with inspection:
show class-map type inspect I2O-PERMIT
Class Map type inspect match-any I2O-PERMIT (id 1)
  Match protocol ftp
  Match protocol sip
  Match protocol icmp
  Match protocol tcp
  Match protocol udp
  Match access-group name I2O-PERMIT
show parameter-map type inspect NORMAL
parameter-map type inspect NORMAL
  log dropped-packet off
  audit-trail off
  alert on
  max-incomplete low unlimited
  max-incomplete high unlimited
  one-minute low unlimited
  one-minute high unlimited
  sessions rate low unlimited
  sessions rate high unlimited
  udp idle-time 30 ageout-time 30
  udp halfopen idle-time 30000 ms ageout-time 30000 ms
  icmp idle-time 10 ageout-time 10
  dns-timeout 5
  tcp idle-time 3600 ageout-time 3600
  tcp finwait-time 5 ageout-time 5
  tcp synwait-time 30 ageout-time 30
  tcp max-incomplete host unlimited block-time 0
  sessions maximum unlimited
  gtp permit error off
  gtp request-queue 40000
  gtp tunnel-limit 40000
  gtp gsn timeout 30
  gtp pdp-context timeout 30
  gtp request-queue timeout 60
  gtp signaling timeout 30
  gtp tunnel timeout 60
According to Cisco datasheets, routing, QoS, ZBF ... on the ASR 1000 with RP1 and ESP10 should be done in hardware with up to 17,000,000 pps performance (and only 150,000 pps can kill our box).
Any ideas what could be wrong?
Thank you for your suggestions.
Regards
Pavel
09-29-2011 08:13 AM
Hi Pavel,
Any news yet on this problem? Or even better, a solution? I'm having the exact same thing. Firewall enabled = no performance...
Thanks for your update.
KR,
Jan
09-29-2011 08:57 PM
Hi Jan,
unfortunately no solution yet :-/
I hope some cisco guy can help?
Regards,
Pavel
08-29-2012 02:45 AM
Hi Pavel
anything new since this post?
did you manage to get over 150,000?
08-29-2012 03:18 AM
Hi there,
no, there is no news; we used the workaround: an ACL denying all packets with destination port 0.
Pavel
08-29-2012 03:20 AM
Ok, I forgot to say that the problem was caused by malicious traffic flowing from inside to outside: small UDP packets with destination port 0. Maybe it was some virus or worm ...
Pavel
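The traffic pattern Pavel describes (a flood of tiny UDP packets to destination port 0 from inside hosts) is easy to spot in flow data before the firewall falls over. The script below is an added example, not code from the thread or from Cisco: it takes a simplified NetFlow-style CSV export (the column layout is an assumption; a real exporter needs a small adapter), aggregates UDP dst-port-0 packets per source, flags sources that exceed an assumed packets-per-second threshold with an assumed "small packet" average size, and emits the IOS extended ACL that mirrors the workaround used in the thread. The flow records and addresses are constructed sample data.

```python
"""Flag inside hosts flooding tiny UDP packets to destination port 0.

Added example (not from the thread, not Cisco code). Input format is an
assumed simplified NetFlow-style CSV export:
    src,dst,proto,sport,dport,packets,bytes,duration_s
"""
import csv
import io
from collections import defaultdict

# Constructed sample records, not real captures. 10.1.20.55 is the "worm" host:
# 1.35M header-only UDP packets (28 bytes each) to port 0 in ~6 s.
SAMPLE_FLOWS = """src,dst,proto,sport,dport,packets,bytes,duration_s
10.1.20.55,203.0.113.10,17,40001,0,900000,25200000,6
10.1.20.55,203.0.113.11,17,40002,0,450000,12600000,6
10.1.20.7,198.51.100.25,17,53412,53,120,9600,6
10.1.30.9,198.51.100.80,6,51000,443,800,640000,6
10.1.30.9,203.0.113.10,17,5060,0,12,1600,6
"""

PPS_THRESHOLD = 100_000   # assumed: well below the ~150k pps that hurt the ASR
MAX_AVG_BYTES = 60        # assumed: "small" = little or no UDP payload


def parse_flows(text):
    """Parse the assumed CSV layout into a list of dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": r["src"], "dst": r["dst"],
            "proto": int(r["proto"]), "sport": int(r["sport"]),
            "dport": int(r["dport"]), "packets": int(r["packets"]),
            "bytes": int(r["bytes"]), "duration_s": float(r["duration_s"]),
        })
    return rows


def port0_udp_offenders(flows, pps_threshold=PPS_THRESHOLD,
                        max_avg_bytes=MAX_AVG_BYTES):
    """Return {src: {'pps': ..., 'avg_bytes': ...}} for sources that send
    UDP (proto 17) to destination port 0 at >= pps_threshold with an average
    packet size <= max_avg_bytes.  Flows from one source are assumed to
    overlap in time, so the longest flow duration is used as the window."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "duration_s": 0.0})
    for f in flows:
        if f["proto"] != 17 or f["dport"] != 0:
            continue
        agg = per_src[f["src"]]
        agg["packets"] += f["packets"]
        agg["bytes"] += f["bytes"]
        agg["duration_s"] = max(agg["duration_s"], f["duration_s"])

    offenders = {}
    for src, agg in per_src.items():
        pps = agg["packets"] / agg["duration_s"] if agg["duration_s"] else 0.0
        avg = agg["bytes"] / agg["packets"] if agg["packets"] else 0.0
        if pps >= pps_threshold and avg <= max_avg_bytes:
            offenders[src] = {"pps": round(pps), "avg_bytes": round(avg, 1)}
    return offenders


def workaround_acl(name="BLOCK-UDP-PORT0"):
    """IOS extended ACL mirroring the thread's workaround: drop UDP with
    destination port 0 on the inside interface, permit everything else.
    Apply with 'ip access-group <name> in' under the inside interfaces."""
    return [
        f"ip access-list extended {name}",
        " deny udp any any eq 0 log",
        " permit ip any any",
    ]


if __name__ == "__main__":
    hits = port0_udp_offenders(parse_flows(SAMPLE_FLOWS))
    for src, stats in hits.items():
        print(f"{src}: {stats['pps']} pps to UDP/0, avg {stats['avg_bytes']} B")
    print("\n".join(workaround_acl()))
```

Running it flags only 10.1.20.55 (225,000 pps at 28 bytes average); the SIP host that sent a dozen port-0 packets stays below the rate threshold. Tune the thresholds to your own baseline, and note that the ACL blocks port-0 UDP for all inside hosts, exactly as the workaround in the thread did, rather than just the flagged ones.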