ACE performance loss when http inspection enabled

Greg Ferro · ‎11-25-2008

I have an ACE module where we are using HTTP inspection to add security using HTTP inspection. This is the current configuration for inspection is shown below.

When this configuration is enabled in the service policy, then web performance slows by 100%, that is, it takes twice as long for pages to load. The home page is not very big (less than 1MB and takes only 45 HTTP requests).

Anyone have any pointers on the reason for the delay ?

class-map type http inspect match-any HTTP_INSPECT_L7CLASS

2 match port-misuse im

3 match port-misuse p2p

4 match port-misuse tunneling

5 match transfer-encoding identity

6 match request-method ext copy

7 match request-method ext edit

8 match request-method ext getattr

9 match request-method ext getattrname

10 match request-method ext getprops

11 match request-method ext index

12 match request-method ext lock

13 match request-method ext mkdir

14 match request-method ext move

15 match request-method ext revadd

16 match request-method ext revlabel

17 match request-method ext revlog

18 match request-method ext revnum

19 match request-method ext save

20 match request-method ext setattr

21 match request-method ext startrev

22 match request-method ext stoprev

23 match request-method ext unedit

24 match request-method ext unlock

25 match request-method rfc delete

26 match request-method rfc trace

class-map type http inspect match-any HTTP_INSPECT_L7CLASS_2

2 match request-method rfc get

3 match request-method rfc head

4 match request-method rfc post

5 match request-method rfc put

6 match request-method rfc options

7 match request-method rfc connect

policy-map type inspect http all-match http-inspect

description standard http inspection policy

class HTTP_INSPECT_L7CLASS

reset log

class class-default

permit

policy-map type inspect http all-match http-inspect-2

description standard http inspection policy

class HTTP_INSPECT_L7CLASS_2

permit

class class-default

reset log

policy-map type loadbalance first-match APACHE_80_sfarm

class class-default

sticky-serverfarm APACHE-GROUP

policy-map multi-match 3.co.uk_web_vip

class APACHE_92.41.252.3_PORT_443

loadbalance vip inservice

loadbalance policy APACHE_443_sfarm

loadbalance vip icmp-reply active

loadbalance vip advertise active

nat dynamic 17 vlan 570

class APACHE_PORT_80

loadbalance vip inservice

loadbalance policy APACHE_80_sfarm

loadbalance vip icmp-reply active

loadbalance vip advertise active

nat dynamic 17 vlan 570

inspect http policy http-inspect-2

litrenta · ‎11-25-2008

Turning on inspection will drop performance pretty dramatically. For example ACE module doing just L4 load balancing is rated at 348K CPS, turn on inspection and that number drops to around 40K, add L7 load balancing and it goes even lower.

Greg Ferro · ‎11-25-2008

Thanks for your reply, in this case the ace has no load, just a test configuration with less than a meg of test load.

Is doubling latency expected behaviour when enabling inspection ?

litrenta · ‎11-25-2008

I would't necessarily expect a doubling of latency (but probably a packet capture from the ace tengig would be useful) Inspection can aggravate out of order packets so you may want to try turning off randomization as follows:

parameter-map type connection TEST

no random-sequence-number

the apply under

class APACHE_PORT_80

connection advanced-options TEST

Greg Ferro · ‎11-25-2008

Given that the Ace is a second security layer after a fwsm, would it be possible the randomisatopn (or some other feature ) being performed twice is a possible cause ?