CSC- Performance issues

Unanswered Question
Jan 7th, 2009
User Badges:

Hi Everyone.


We have discovered a performance impact on the SSM-CSC module. This occured after about 1 month of service.

Some websites are now extremely slow, or not possible to access due to timeouts. Most other websites are experienced as “slower than it used to be”.

As soon as HTTP is removed from the Service -Policy-Rule on the firewall, the access to internet webbrowsing is as “fast as normal”

.

As soon as the site is included on the “Block List exeptions” configured on the CSC-SSM, most of the sites are "as fast as normal" again.


Following sites has been verified to be affected:

o Sites with Google-Analytics scripts

o Many Lotus Domino (.nsf) web sites



Does anyone has some simular experienceses and advice for fix ?

- it cant be that all slow sites must be exepted....


(i have heard that recovering the module --- now and then --- and confinuring everything again, will make it work for a while...)


Greetings

Jarle

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
david.fernandez... Mon, 03/16/2009 - 09:37
User Badges:

Hi,


I have the same problem in our ASA 5520 with SSM-CSC module. It has been working for 1 year and some time ago people started to complain. I now can see that CSC SSM CPU Usage is a sustained 20%, and have some 60% or even more peaks.



robertson.michael Mon, 03/16/2009 - 14:36
User Badges:
  • Silver, 250 points or more

Hi Jarle,


You mentioned that you are having performance issues with the CSC module and you also mentioned "As soon as HTTP is removed from the Service -Policy-Rule on the firewall, the access to internet webbrowsing is as “fast as normal”".


You should not inspect traffic with both the CSC module and the HTTP inspection, as this will cause the performance issues you are noticing. This is why performance returns to normal when you disable one of the two inspection methods.


I would recommend disabling the HTTP inspection in the global service policy permanently. This is mostly doing protocol conformance checking. Let the CSC module handle all of your web inspection and you should be fine.


Also, while you're looking into this issue, it is also a good idea to upgrade your CSC module to the latest software (if you haven't already).


Hope that helps.


-Mike

Actions

This Discussion