
Cisco S600V Secure Web Appliance & speedtest.net

Hi Team, I have a Cisco WSA, a Cisco S600V Secure Web. If you measure the speed without a proxy through the speedtest.net resource, the user has a speed of 200Mb/sec, and if you turn on the proxy, then 8Mb/sec. Why can this be so?

3 Replies

amojarra
Cisco Employee

Hello @SergiiBilan67641 

Thank you so much for reaching out.

Speed test sites are not good tests in an environment with a Web Proxy; the best test would be a manual download from non-CDN web servers.

Kindly be advised, as mentioned in the user guide: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-14-5/user-guide/wsa-userguide-14-5.pdf

However, at times you may experience a noticeable reduction in upload or download speeds; for example, when transferring large files via proxy. To illustrate: assuming a 10-Mbps line, downloading a 100-MB file that passes through a Secure Web Appliance can be approximately seven to eight times slower than downloading the file directly from its server.

 

The internet speed behind any proxy server depends on your configuration complexity and the proxy network buffer limitations.

To read more about Network Buffers in WSA, I would suggest checking the "Upload/Download Speed Issues" section in the user guide.

 

Regarding the configuration complexity: 

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance/220375-use-secure-web-appliance-best-practices.html

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
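The manual download test suggested in the reply above can be scripted so the direct and proxied paths are measured the same way. This is an added example, not part of the original thread or Cisco tooling: the function names, the local sample server and the `<static-host>` / `<wsa-host>:<port>` placeholders are assumptions.

```python
import http.server
import threading
import time
import urllib.request

def measure(url, proxy=None, chunk=64 * 1024):
    """Single-stream download: bytes, time to first body chunk, and Mb/s."""
    # An empty ProxyHandler forces a direct connection (ignores env proxies).
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    start = time.perf_counter()
    total, ttfb = 0, None
    with opener.open(url, timeout=30) as resp:
        while True:
            data = resp.read(chunk)
            if ttfb is None:
                ttfb = time.perf_counter() - start
            if not data:
                break
            total += len(data)
    elapsed = time.perf_counter() - start
    return {"bytes": total, "ttfb_s": ttfb, "mbps": total * 8 / elapsed / 1e6}

def compare(url, proxy):
    """Same file, same host: once direct, once through the explicit proxy."""
    direct, proxied = measure(url), measure(url, proxy)
    return {"direct": direct, "proxied": proxied, "slowdown": direct["mbps"] / proxied["mbps"]}

def start_sample_server(size=8 * 1024 * 1024):
    """Constructed local stand-in for a static, non-CDN download host."""
    payload = b"\0" * size
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)
        def log_message(self, *args):
            pass  # keep the demo output quiet
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_sample_server()
    url = f"http://127.0.0.1:{srv.server_address[1]}/file.bin"
    print(measure(url))
    # Real run: compare("http://<static-host>/file.bin", "http://<wsa-host>:<port>")
    srv.shutdown()
```

Because the target is one fixed host, a packet capture taken during the run can be filtered on a single IP address.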


@amojarra, thanks for sharing views on this; Upload/Download Speed Issues - I found general information (not that I have any specific).

In this situation, if the proxy is explicitly configured, the user cannot bypass it, so what is the best practice? I am happy to hear and learn here.

If we are using a carrier-grade setup, how does the Proxy handle situations like CDN? Is there any special consideration required to offload download traffic? (If we do that, the scanning of malware will be bypassed, right ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

amojarra
Cisco Employee

Hi @balaji.bandi

Hope you are doing fine.

The reason I asked to use a non-CDN site for the download speed test is the nature of the speed test websites, which connect to different servers, sometimes in different locations.

On the other hand, testing with host(s) with a static IP address will give us the ability to more easily collect a packet capture and trace the latency.

 

Regarding: 

In this situation, if the proxy is explicitly configured, the user cannot bypass it, so what is the best practice? I am happy to hear and learn here.

I assume you are pointing to how we can have better download/upload performance. (Please correct me if I'm wrong.)

If so, there are 2 options that I can think of:

[1] We need to review the WSA's mBUF cluster usage, and if there is a good amount of free memory for the NIC buffer, we can change SENDSPACE, RECVSPACE, MBUF_CLUSTER_COUNT and/or SENDBUF_MAX, RECVBUF_MAX from the CLI > networktuning command.

[2] Pass through the traffic in the HTTPS Decryption; this will lead to the least latency from the WSA side (no decryption and, of course, no scanning latency and so on), and if it is HTTP traffic we can set the Action in the Access Policy to Allow.

[3] Bypass the URLs from the source client (which really depends on the network design and security policies)  

 

In general, WSA has no issue with CDN-hosted sites. We might have some difficulties in a transparent deployment when the URL is in the Bypass Settings and the site is hosted on a CDN (which can be addressed by TAPping the DNS traffic; the WSA will learn the new IP addresses and add them to its bypass table).

 

On the other hand, regarding the WSA's performance monitoring, I would say it is always best to have the Accesslogs Performance parameter always configured:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/220456-configure-performance-parameter-in-acces.html

We will have better visibility into whether any internal service in the WSA is introducing latency (like DNS, Auth, AMP, Scanners ...).

 

And regarding:

Is there any special consideration required to offload download traffic? (If we do that, the scanning of malware will be bypassed, right ?)

 

That is so true, there will be no scanning if we Passthrough or Allow the traffic.

If HTTPS traffic gets decrypted, then the Access Policy will be applied, and in the Access Policy, if the action is Monitor for the URL/WBRS, then the next engines (AMP, Sophos, McAfee, Webroot) will come into play. These are the detailed steps (User guide: Figure 5: Applying Access Policy Action).

 

Please feel free to let me know if I had some misunderstanding about your message, or there are any questions or concerns.  

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
