Solved: Maximum CPU throughput for Ironport S360?

izat.ismail · ‎11-22-2013

Hi All

What is the indicator that show the appliances is on high load or overload?What is the maximum CPU threshold allow for the appliance?

Thank you

Tom Foucha · ‎11-26-2013

We enhanced the rate command in the cli to include the Proxy CPU stats. In general terms you want to keep the proxy CPU% in my opinion between 70-80%, there is no maximum threshold, I've seen units run with 90-100% cpu but response times become problematic. While you will see spikes above 70-80% if you have sustained traffic in that range you should investigate capacity expansion or what is causing the traffic increase.

AsyncOS 7.7.5 for Web build 194

Welcome to the Cisco IronPort S000V Web Security Virtual Appliance

vwsa.foucha.int> rate

Press Ctrl-C to stop.

%proxy reqs client server %bw disk disk

CPU /sec hits blocks misses kb/sec kb/sec saved wrs rds

0.00 0 2 0 0 10 0 100.0 0 0

0.00 0 0 0 2 11 11 0.0 1 0

View solution in original post

Tom Foucha · ‎11-26-2013

We enhanced the rate command in the cli to include the Proxy CPU stats. In general terms you want to keep the proxy CPU% in my opinion between 70-80%, there is no maximum threshold, I've seen units run with 90-100% cpu but response times become problematic. While you will see spikes above 70-80% if you have sustained traffic in that range you should investigate capacity expansion or what is causing the traffic increase.

AsyncOS 7.7.5 for Web build 194

Welcome to the Cisco IronPort S000V Web Security Virtual Appliance

vwsa.foucha.int> rate

Press Ctrl-C to stop.

%proxy reqs client server %bw disk disk

CPU /sec hits blocks misses kb/sec kb/sec saved wrs rds

0.00 0 2 0 0 10 0 100.0 0 0

0.00 0 0 0 2 11 11 0.0 1 0

izat.ismail · ‎12-01-2013

Hi Tommy,

Thank you for your reply, my Ironport CPU have reach the 90%++ and the customer keep asking if the ironport will restart because of the high CPU running, by the way, thank you for your explaination.

Tom Foucha · ‎12-02-2013

Hitting 90%+ for a short period of time like bursting is not necessarily a cause for concern. Having sustained usage at 90%+ for hours at a time would make me consider capacity expansion. The unit should not restart simply because the CPU is running at that load, a restart of the services might occur if there is a hardware or software malfunction not simply heavy load.

kerryjudy · ‎12-10-2013

Hi All,

I have a question relating to this thread. In general, can the amount (number) of Identities, Access Policies, Decryption Policies contribute to high CPU loading?

If so, is there some general round number to use as a guideline?

I ask this because our manager (now gone) was convinced that someone from cisco told him to keep Identies to a minumum as this could "slow" down the WSA and I was just looking for some more updated info. on the subject. I have not seen this happen as yet. We have had to run on one box for short period of time which does increase the CPU but still even only one will run under 30%.

We have a fair amount of all three categories, more Access Polices than anything, and consistently run around 10%-20% CPU.

Just to compare, we have about 15 Identities, 33 Access Policies, and 11 Decryption Policies. Anyone use a lot more?

Our environment we have 2 x S370's and 1 x M160

Thanks in advance...

KJ

Tom Foucha · ‎12-10-2013

Your manager (now gone) is/was correct. The size / number of identities, access policies and especially regex statement can have an dramatic affect on the units CPU usage. Also don't be confused with the CPU you see in the admin UI with the actual proxy CPU statistics that we are referencing. In later versions we enhanced the rate command to show the proxy cpu % which is what you should pay attention to not the overall CPU % as much. As to the number of policies etc each configuration is different and I don't believe I can say 10 -15 - 20 etc. Your mileage may vary is truly an applicable term in this case.