CSC- Performance issues

Unanswered Question
Jan 7th, 2009

Hi Everyone.

We have discovered a performance impact on the SSM-CSC module. This occured after about 1 month of service.

Some websites are now extremely slow, or not possible to access due to timeouts. Most other websites are experienced as “slower than it used to be”.

As soon as HTTP is removed from the Service -Policy-Rule on the firewall, the access to internet webbrowsing is as “fast as normal”

.

As soon as the site is included on the “Block List exeptions” configured on the CSC-SSM, most of the sites are "as fast as normal" again.

Following sites has been verified to be affected:

o Sites with Google-Analytics scripts

o Many Lotus Domino (.nsf) web sites

Does anyone has some simular experienceses and advice for fix ?

- it cant be that all slow sites must be exepted....

(i have heard that recovering the module --- now and then --- and confinuring everything again, will make it work for a while...)

Greetings

Jarle

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
david.fernandez... Mon, 03/16/2009 - 09:37

Hi,

I have the same problem in our ASA 5520 with SSM-CSC module. It has been working for 1 year and some time ago people started to complain. I now can see that CSC SSM CPU Usage is a sustained 20%, and have some 60% or even more peaks.

robertson.michael Mon, 03/16/2009 - 14:36

Hi Jarle,

You mentioned that you are having performance issues with the CSC module and you also mentioned "As soon as HTTP is removed from the Service -Policy-Rule on the firewall, the access to internet webbrowsing is as “fast as normal”".

You should not inspect traffic with both the CSC module and the HTTP inspection, as this will cause the performance issues you are noticing. This is why performance returns to normal when you disable one of the two inspection methods.

I would recommend disabling the HTTP inspection in the global service policy permanently. This is mostly doing protocol conformance checking. Let the CSC module handle all of your web inspection and you should be fine.

Also, while you're looking into this issue, it is also a good idea to upgrade your CSC module to the latest software (if you haven't already).

Hope that helps.

-Mike

Actions

This Discussion