11-22-2013 01:06 AM
Hi All
What is the indicator that show the appliances is on high load or overload?What is the maximum CPU threshold allow for the appliance?
Thank you
Solved! Go to Solution.
11-26-2013 07:58 AM
We enhanced the rate command in the cli to include the Proxy CPU stats. In general terms you want to keep the proxy CPU% in my opinion between 70-80%, there is no maximum threshold, I've seen units run with 90-100% cpu but response times become problematic. While you will see spikes above 70-80% if you have sustained traffic in that range you should investigate capacity expansion or what is causing the traffic increase.
AsyncOS 7.7.5 for Web build 194
Welcome to the Cisco IronPort S000V Web Security Virtual Appliance
vwsa.foucha.int> rate
Press Ctrl-C to stop.
%proxy reqs client server %bw disk disk
CPU /sec hits blocks misses kb/sec kb/sec saved wrs rds
0.00 0 2 0 0 10 0 100.0 0 0
0.00 0 0 0 2 11 11 0.0 1 0
11-26-2013 07:58 AM
We enhanced the rate command in the cli to include the Proxy CPU stats. In general terms you want to keep the proxy CPU% in my opinion between 70-80%, there is no maximum threshold, I've seen units run with 90-100% cpu but response times become problematic. While you will see spikes above 70-80% if you have sustained traffic in that range you should investigate capacity expansion or what is causing the traffic increase.
AsyncOS 7.7.5 for Web build 194
Welcome to the Cisco IronPort S000V Web Security Virtual Appliance
vwsa.foucha.int> rate
Press Ctrl-C to stop.
%proxy reqs client server %bw disk disk
CPU /sec hits blocks misses kb/sec kb/sec saved wrs rds
0.00 0 2 0 0 10 0 100.0 0 0
0.00 0 0 0 2 11 11 0.0 1 0
12-01-2013 05:36 PM
Hi Tommy,
Thank you for your reply, my Ironport CPU have reach the 90%++ and the customer keep asking if the ironport will restart because of the high CPU running, by the way, thank you for your explaination.
12-02-2013 05:59 AM
Hitting 90%+ for a short period of time like bursting is not necessarily a cause for concern. Having sustained usage at 90%+ for hours at a time would make me consider capacity expansion. The unit should not restart simply because the CPU is running at that load, a restart of the services might occur if there is a hardware or software malfunction not simply heavy load.
12-10-2013 06:57 AM
Hi All,
I have a question relating to this thread. In general, can the amount (number) of Identities, Access Policies, Decryption Policies contribute to high CPU loading?
If so, is there some general round number to use as a guideline?
I ask this because our manager (now gone) was convinced that someone from cisco told him to keep Identies to a minumum as this could "slow" down the WSA and I was just looking for some more updated info. on the subject. I have not seen this happen as yet. We have had to run on one box for short period of time which does increase the CPU but still even only one will run under 30%.
We have a fair amount of all three categories, more Access Polices than anything, and consistently run around 10%-20% CPU.
Just to compare, we have about 15 Identities, 33 Access Policies, and 11 Decryption Policies. Anyone use a lot more?
Our environment we have 2 x S370's and 1 x M160
Thanks in advance...
KJ
12-10-2013 07:03 AM
Your manager (now gone) is/was correct. The size / number of identities, access policies and especially regex statement can have an dramatic affect on the units CPU usage. Also don't be confused with the CPU you see in the admin UI with the actual proxy CPU statistics that we are referencing. In later versions we enhanced the rate command to show the proxy cpu % which is what you should pay attention to not the overall CPU % as much. As to the number of policies etc each configuration is different and I don't believe I can say 10 -15 - 20 etc. Your mileage may vary is truly an applicable term in this case.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide