We are in the process of installing the AIP-SSM20 modules in ASA5520 (Active/passive). Currently it's configured in promiscuous mode, monitoring all the outside and DMZ traffic... I have also tuned various signatures to troubleshoot and increase the AIP-SSM20 throughput, but I am seeing the messages below randomly throughout the day:
evStatus: eventId=1218593040808071564 vendor=Cisco
time: Sep 03, 2008 20:19:16 UTC offset=-240 timeZone=GMT-05:00
description: GigabitEthernet0/1 : Missed-packet threshold was exceeded. 3% of packets were missed.
I was wondering if anyone had run into this issue...
I am running 6.1.1E2 and ASA OS 7.2.1...
I appreciate any help
Thanks in advance
This is the throughput of the AIP-SSM20 on the 5520 as per Cisco:
375 (with AIP SSM-20)
You can monitor the amount of data being sent to the IPS via SNMP etc. and double-check this.
Maybe you need to re-think your capture ACL used to send traffic to the IPS module.
Thanks Farrukh for quick response.
Do you know of any SNMP monitoring tool that I can use to monitor the amount of data being sent to the IPS?
I don't think we are getting 375M throughput, but I can't say for sure.
MRTG will work, as would any SNMP poller.
For something quick, you can use the GUI in the IDM, or pull the stats out of the CLI using the "show status analysis" and "show status interface" commands. A little math is involved in using the CLI show interface command to determine bandwidth numbers: request the stats 60 seconds apart, subtract the first B/s number from the second, divide by 60 (seconds) and multiply by 8 (Bytes to Bits).
I'm doubtful that the original poster is running his sensor anywhere near the "official" throughput limit.
Cisco's IPS throughput numbers are fantasy.
With real-world traffic we begin to see those missed-packet percentages (along with 100% CPU utilization) at about 1/3 of the Cisco rated throughput numbers. Keep in mind that Cisco always adds both directions of traffic together to get their whole number, so if they rate a SSM-20 module in a ASA 5520 for 375 Mb/s you can expect about 125 Mb/s, or a little better than a DS-3 worth of IPS functionality. If you want to verify this at home, load up your sensor with some FTP sessions and see when your CPU hits 100% and you start getting missed packet % events.
After monitoring for a few hours, I am getting the Missed-packet events with MRTG showing 11M of traffic on the Gig0/1 interface.
evStatus: eventId=1218593040808080769 vendor=Cisco
time: Sep 05, 2008 22:05:46 UTC offset=-240 timeZone=GMT-05:00
description: GigabitEthernet0/1 : Missed-packet threshold was exceeded. 14% of packets were missed.
MRTG Graph data:
      Max                 Average             Current
In    1414.9 kB/s (3.2%)  816.5 kB/s (1.9%)   1227.9 kB/s (2.8%)
Out   1415.0 kB/s (3.2%)  816.5 kB/s (1.9%)   1227.9 kB/s (2.8%)
Looks like I am not even getting 88 Mbps throughput with the AIP-SSM20 module.
Thanks in advance
Wow! That is a TERRIBLE performance number.
What is your CPU utilization?
If I take your MRTG peak values, I come up with 22.6 Mb/s of inspection traffic.
I assume you are using the stock Cisco signature settings. You can improve your performance slightly by disabling the useless noisy signatures (determined by performing analysis) and placing the sensor inside your firewall to reduce the event count. This typically does not make a significant improvement. You will not be able to double your performance.
You DID keep your receipt for those sensors, right?
I was not monitoring the CPU usage when the inspection load hit 100%. But I will enable the CPU monitoring in MRTG. Also, the correct numbers for the MRTG peak are below:
The statistics were last updated Friday, 5 September 2008 at 23:40,
at which time 'caipssm01waynpa' had been up for 11 days, 5:35:38.
`Daily' Graph (5 Minute Average)
      Max                 Average             Current
In    11.9 MB/s (27.2%)   797.7 kB/s (1.8%)   337.2 kB/s (0.8%)
Out   11.9 MB/s (27.2%)   797.9 kB/s (1.8%)   337.2 kB/s (0.8%)
Which comes out to 88 Mbps. I have tried disabling a few signatures but saw no significant performance gain..
Yes, we do have the receipt for the sensors, but we bought them more than six months ago..
I am wondering if anyone else has run into a similar issue...
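The thread's two ways of estimating inspection load (converting MRTG's per-direction byte rates, and differencing two CLI byte counters taken 60 seconds apart) are easy to get wrong by a unit or a direction, which is how the same graph can read as "88 Mbps" to one person and "22.6 Mb/s" to another. The script below is an added example, not something posted in the thread or shipped by Cisco; the MRTG lines it parses are constructed from the figures quoted above, and it assumes MRTG's default decimal prefixes (k = 1000, M = 1000000), which is the convention that reproduces the 22.6 Mb/s figure. It sums both directions, because the 375 Mb/s rating is quoted that way, and compares the result to a rated figure passed in by the caller.

```python
import re

# Constructed sample, in the layout MRTG prints on its daily-graph page
# (values copied from the figures quoted in the thread).
MRTG_SAMPLE = """\
Max Average Current
In 1414.9 kB/s (3.2%) 816.5 kB/s (1.9%) 1227.9 kB/s (2.8%)
Out 1415.0 kB/s (3.2%) 816.5 kB/s (1.9%) 1227.9 kB/s (2.8%)
"""

# Assumption: MRTG's default decimal prefixes (not 1024-based).
_UNIT = {"B/s": 1, "kB/s": 1_000, "MB/s": 1_000_000, "GB/s": 1_000_000_000}
_VALUE_RE = re.compile(r"([\d.]+)\s*(B/s|kB/s|MB/s|GB/s)")
COLUMNS = ("max", "average", "current")


def parse_mrtg(text):
    """Return {"In": {...}, "Out": {...}} with each column in bytes per second.

    Percentages in parentheses are ignored; only values carrying a B/s unit count.
    """
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0] not in ("In", "Out"):
            continue
        values = [float(v) * _UNIT[u] for v, u in _VALUE_RE.findall(parts[1])]
        if len(values) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} rates on line: {line!r}")
        rows[parts[0]] = dict(zip(COLUMNS, values))
    if set(rows) != {"In", "Out"}:
        raise ValueError("MRTG text must contain both an In and an Out row")
    return rows


def bytes_per_sec_to_mbps(bps):
    """Bytes/s to megabits/s (x8 for bits, /1e6 for mega)."""
    return bps * 8 / 1_000_000


def inspection_load_mbps(text, column="max"):
    """In + Out in Mb/s, i.e. both directions added together as Cisco rates the module."""
    rows = parse_mrtg(text)
    return sum(bytes_per_sec_to_mbps(rows[d][column]) for d in ("In", "Out"))


def counter_delta_mbps(bytes_first, bytes_second, seconds=60):
    """Throughput from two sensor byte counters sampled `seconds` apart
    (the "subtract, divide by 60, multiply by 8" method from the thread)."""
    if seconds <= 0:
        raise ValueError("sampling interval must be positive")
    if bytes_second < bytes_first:
        raise ValueError("counter went backwards; sensor restarted or counter wrapped")
    return bytes_per_sec_to_mbps((bytes_second - bytes_first) / seconds)


def percent_of_rated(load_mbps, rated_mbps):
    """How much of the vendor's (bidirectional) rating the observed load represents."""
    if rated_mbps <= 0:
        raise ValueError("rated throughput must be positive")
    return 100.0 * load_mbps / rated_mbps


if __name__ == "__main__":
    rated = 375  # vendor figure quoted in the thread for an SSM-20 in an ASA 5520
    peak = inspection_load_mbps(MRTG_SAMPLE, "max")
    print(f"peak inspection load: {peak:.1f} Mb/s "
          f"({percent_of_rated(peak, rated):.1f}% of the {rated} Mb/s rating)")
    # Two constructed counter readings 60 s apart, as from "show status interface".
    print(f"counter method: {counter_delta_mbps(1_000_000_000, 1_600_000_000):.1f} Mb/s")
```

Run it against a pasted MRTG block or two counter readings and compare the result with the point at which missed-packet events start; a load that is a small fraction of the rated figure while packets are already being missed is the sign, discussed above, that the bottleneck is the sensor's CPU rather than the interface.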
I have ASA5540s with SSM20s installed and have experienced these issues as well. The dropped packets on the int gig0/1 are definitely indicative of performance issues. Look for "total receive errors" & "total receive FIFO overruns" to also help determine if you are sending so much traffic that you are overwhelming (oversubscribing) the SSM. Cisco TAC did advise me to use ACLs to tune out any known streaming video (we have camera traffic) as well as any IPSEC (the SSMs can't do much with encrypted traffic, so might as well not send this through inspection). This will help some with the load, if you are running this traffic.