We've just installed a nice new 1941W router with advanced security and enabled the Trendmicro IOS content filtering as a replacement for SurfControl.
We only have a couple of entries in the black list along with the desired categories, but as soon as the content filter policy is enabled internet browsing slows down by some margin, sometimes to the point of being unusable. I understand this will cause some overhead, but not by this much, even though the router's CPU and memory usage report is at minimum.
Does anyone have any suggestions on how to improve web browsing while content filtering is enabled? I was thinking it might be something to do with the trps.trendmicro.com URL filter address, which I believe is in the US (we're in the UK). Does Trendmicro have a UK server address?
I've pasted the content filter config below.
I would be most appreciative of any suggestions.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/275/308 ms
parameter-map type urlfpolicy trend cptrendparacatdeny0
block-page message "The website you have accessed is blocked as per DH web policy"
parameter-map type urlf-glob cplocclassurlfgloburlblock0
Please have a look at "sh policy-map type inspect zone-pair urlfilter" and check the response time from the server. Depending on where you are and the load, you might see some slowness due to slow server response sometimes. If response times are slow I would suggest finding the 2-3 IP addresses that are used for the server trps.trendmicro.com and hard-coding the host entry on the router for the IP address that has the best response time.
This should be DNS load balanced to your closest server. Try pinging 126.96.36.199 from your router to see if the RTT is lower.
What you really should be interested in is the RTT of the application, not just of ICMP. This can come out to be different because of server load, etc. In other words it's possible for the server application that provides this service to be completely down. Your URL filtering requests will go unanswered, but you'll still be able to ping the IP address... the box is still up but the service is down.
This is what I suggest you do. Try pointing to each one of those IP addresses manually in a trend-global parameter-map and watching the RTT to see if one is noticeably better than the other. To do this, create a parameter-map exactly like this:
! can be whatever you'd like
parameter-map type trend-global
 server [188.8.131.52 | 184.108.40.206]
After you've chosen one, let it run for about a minute. Then check the output of:
"show policy-map type inspect zone-pair urlfilter | b Trend URL"
You should see something like this:
Trend URL Filtering is ENABLED
Trend server : 220.127.116.11(port: 80)
Current requests count: 0
Current packet buffer count(in use): 0
Maxever request count: 0
Maxever packet buffer count: 0
Total cache hit count: 0
Total requests sent to URL Filter Server
Total responses received from URL Filter Server
Total error responses received from URL Filter Server
Total requests allowed: 0
Total requests blocked: 0
1min/5min Avg Round trip time to URLF Server: 0/0 millisecs
1min/5min Minimum round trip time to URLF server: 0/0 millisecs
1min/5min Maximum round trip time to URLF server: 0/0 millisecs
Last req round trip time to URLF Server: 0 millisecs
(mine isn't enabled obviously)
Watch for the 1/5 Minute average/max/min/last RTTs. Compare one server vs the other and pick the one that's performing better.
***NOTE: These IP addresses can change from time to time, and you should configure a hostname and not hard-code a specific server. This isn't best practice and should only be done in the event that there is a noticeable difference from one server to the other and DNS is putting you on the "slower" one. There are also some rare occasions where there may be a technical issue with one server or the other and bad luck has you going to the problem one - pointing to the other will keep you going until it's fixed and you can go back to the best-practice, hostname-lookup method of choosing the server.
RTTs here in the US should average out to be below ~250ms. I can't really speak to what would be a reasonable RTT overseas or where these servers are actually located geographically...not sure.
Looking at the two addresses for trps.trendmicro.com, I receive similar ping results from both servers. I've been playing around with the cache settings for the content filter policy-map and noticed that the default entry life was set to 1 hour; after removing this, the default of 24 hours was used, which improved web browsing as the router was not constantly talking to the trps server.
Is there a way I can remove the time life for the content filtering cache so that entries will only be removed when the cache memory limit is reached?