Zone Based Firewall Performance issues on ASR 1004

pavel.jenicek
Level 1

Hi all,

We are experiencing performance issues on an ASR 1004 with ZBF as our campus edge router.

Symptoms:

- sending small packets from the inside zone to the outside zone, for example UDP packets without payload

- this way I can generate up to 150.000 pps of traffic (testing with the packeth software, but we have had a real example with some kind of worm/virus)

- CPU load is about 1% (yes, one!) to 2% all the time!! (weird)

- ASR response to pings rises very quickly to 5 seconds, which makes the box unusable, dropping everything that goes through ZBF (so the internet connection is gone)

- if I ping directly from the box, it seems to work fine (there are no rules from self to the outside zone in ZBF)

- if I remove the interfaces from the inside and outside zones (disabling ZBF) and do the test again, ASR response goes from normal (0.2 ms) up to 2 ms (still sending 150.000 pps) and everything seems to work fine

Config:

- two inside interfaces

- one outside interface

ZBF:

  Policy Map type inspect IN2OUT
    Class I2O-DENY
      Drop log
    Class I2O-SSH
      Inspect TCP12H
    Class I2O-PERMIT
      Inspect NORMAL
    Class class-default
      Drop log

  Policy Map type inspect OUT2IN
    Class O2I-FTP
      Inspect
    Class O2I-H323
      Inspect
    Class O2I-DNS
      Inspect
    Class O2I-SSH
      Inspect TCP12H
    Class O2I-PERMIT
      Inspect NORMAL
    Class class-default
      Drop

Most campus traffic to the internet goes through class "I2O-PERMIT" with inspection:

show class-map ty inspect I2O-PERMIT

Class Map type inspect match-any I2O-PERMIT (id 1)
   Match protocol  ftp
   Match protocol  sip
   Match protocol  icmp
   Match protocol  tcp
   Match protocol  udp
   Match access-group name  I2O-PERMIT

show parameter-map type inspect NORMAL

parameter-map type inspect NORMAL
  log dropped-packet off
  audit-trail off
  alert on
  max-incomplete low  unlimited
  max-incomplete high unlimited
  one-minute low  unlimited
  one-minute high unlimited
  sessions rate low  unlimited
  sessions rate high unlimited
  udp idle-time 30 ageout-time 30
  udp halfopen idle-time 30000 ms ageout-time 30000 ms
  icmp idle-time 10 ageout-time 10
  dns-timeout 5
  tcp idle-time 3600 ageout-time 3600
  tcp finwait-time 5 ageout-time 5
  tcp synwait-time 30 ageout-time 30
  tcp max-incomplete host unlimited block-time 0
  sessions maximum unlimited
  gtp permit error off
  gtp  request-queue 40000
  gtp  tunnel-limit 40000
  gtp  gsn timeout 30
  gtp  pdp-context timeout 30
  gtp  request-queue timeout 60
  gtp  signaling timeout 30
  gtp  tunnel timeout 60

According to the Cisco datasheets, routing, QoS, ZBF, etc. on an ASR 1000 with RP1 and ESP10 should be done in hardware with up to 17.000.000 pps performance (and our box can handle only 150.000 pps).

Any ideas what could be wrong?

Thank you for your suggestions.

Regards

Pavel

5 Replies

js
Level 1

Hi Pavel,

Any news yet on this problem? Or even better, a solution? I'm having the exact same thing. Firewall enabled = no performance...

Thanks for your update.

KR,

Jan

Hi Jan,

unfortunately no solution yet :-/

I hope some cisco guy can help?

Regards,

Pavel

Hi Pavel

Anything new since this post?

Did you manage to get over 150000?

Hi there,

No, there is no news; we used the workaround: an ACL denying all packets with destination port 0.

Pavel

OK, I forgot to say that the problem was caused by malicious traffic flowing from inside to outside: small UDP packets with destination port 0. Maybe it was some virus or worm...

Pavel
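The workaround Pavel describes (an ACL that drops UDP packets with destination port 0) written out as an IOS XE configuration fragment. This is an added example, not configuration from the thread; the interface names and the ACL name INSIDE-IN are assumptions. The deny sits in an ingress interface ACL rather than in a ZBF class, so the matching packets are discarded before they reach the inspect path, which is where this thread locates the trouble; the counters from show access-lists give visibility without the per-packet cost of the log keyword at 150.000 pps.

```ios
! Added example, not from the original thread. Interface names are assumed.
! Drop zero-destination-port UDP on ingress from the inside (campus) side,
! before zone-based firewall inspection is applied.
ip access-list extended INSIDE-IN
 remark Drop small UDP packets to destination port 0 (worm/scanner traffic)
 deny   udp any any eq 0
 remark Everything else is still subject to the IN2OUT inspect policy
 permit ip any any
!
interface GigabitEthernet0/0/0
 description Inside campus interface 1 (assumed name)
 ip access-group INSIDE-IN in
!
interface GigabitEthernet0/0/1
 description Inside campus interface 2 (assumed name)
 ip access-group INSIDE-IN in
!
! Verification: the deny line's hit counter should climb while the
! zero-port traffic is present, and ping response times should stay normal.
! show access-lists INSIDE-IN
! show ip interface GigabitEthernet0/0/0 | include access list
```

The deny line carries no log keyword on purpose: logging every matched packet would hand the same packet rate back to the route processor that the workaround is trying to protect, and the ACL hit counters already show whether the rule is catching the traffic.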
