01-25-2005 02:29 PM - edited 03-09-2019 10:07 AM
I forget what the actual term it's given is, but here is the scenario.
I host a few dedicated gaming servers in my datacenter. Certain games such as Counter-Strike and Call of Duty lag badly because the PIX firewall is scanning all the data passing through the UDP ports for these servers. I have to assume that's what it is because the PIX CPU usage for these games goes as high as 50%, and for other games with a full 32 players, CPU usage is only at 1-2%. I would like to keep with PIX firewalls, since that's all I've been using for quite a while, so is there a way to solve this problem for me, or am I going to have to buy something else for those types of games? x_x
Thanks.
01-25-2005 11:58 PM
Hi,
You could be running a packet capture based on an access-list?
If you enter "show capture" on the PIX you should see the names, interfaces and access lists any captures have been configured with.
You can then enter "no capture capture_name [access-list] [interface name]" to remove the capture from the PIX.
Hope this is what you need!
Thanks
PD
01-26-2005 01:47 PM
I ran the command and there are no packet captures listed.
Doesn't the PIX by default look at the incoming data to determine its type and validity? I think it's called stateful packet inspection. I think what I need to do is turn that off on a couple of my access list entries, or the whole firewall, if it's possible. These machines are on a separate LAN, so turning it off isn't really a big security risk as there is nothing of value hosted on that network.
01-26-2005 07:45 PM
hi,
Just double check your fixups to ensure no ports are overlapping with your game ports.
Really, a PIX should be able to handle this fine.
01-26-2005 10:32 PM
There are no fixup ports overlapping game ports. It looks like the two port ranges that need attention are udp 28960-28965 and 27000-27020. These have really high hit counts so I suspect these are the actual data ports that pass game information to the server.
I think the PIX should be able to handle this as well. It has only been a problem with two games so far: Counter-Strike and Call of Duty. It seems like however these games package their data, it makes the PIX look them over really hard, which raises CPU usage on the PIX to levels that cause lag. These types of games run very low pings, especially CS, and with even 6 players in a CS server the CPU usage is at 14% and players get lag. I know I could switch over to something like a Linksys router for each game server, but I want a good firewall that allows you to bind multiple IPs, and I already have the PIXes.
01-27-2005 09:05 AM
What model PIX do you have, and how many interfaces are you using on it?
Perhaps you are exceeding the throughput on your PIX, as you are getting high traffic on the server you mention, thus pushing up the CPU util.
There are a few command line utils on the PIX that will allow you to tell the throughput and your interfaces etc.
Have a look at the following link and see what you can find out.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
Rgds
PD
01-27-2005 11:10 AM
The PIX is a 501. Currently there are 3 dedicated gaming servers behind it. The internet pipe is a 10mbit fiber optic connection. I have used the PDM to monitor bandwidth usage. I have never seen usage go above 3.5mbit. The PIX should be able to handle that just fine. I have tested these games on my test server when no other servers were active (3-4am), and one game of CS with 6 players will lag. Bandwidth through the PIX only reads about 250kbit up and down during this time but CPU usage is at 14%. Another game that I run can have a full 32 man server running over a meg up and down, and there is little to no CPU usage, 0-2%. This is why I think it's got to be the stateful packet inspection causing the lag. Is there any way to turn this feature off?
01-27-2005 02:32 PM
Trust me, it's not the SPI causing it.
What is your logging like?
I bet you have console logging at info!
Just do a show tech and paste the config in here.
01-27-2005 08:48 PM
01-30-2005 02:43 PM
hrmm
interesting - well the config looks very simple to me.
try doing a show memory and show perfmon when the CPU is high.