CBAC perf on 2821

falain
Level 1

I am migrating from PIX to C2821/IOS FW.

The 2821 should take over NAT/CBAC for www/ftp access (>1000 users), VPN gateway (100 spokes), PPPoE/L2TP NAS (100 users) and Websense URL filtering.

When everything was moved, I had such degraded delays that I had to fall back to the PIX for www users.

I'm trying to get some explanations, because the 2821 CPU was only 20-30% loaded and memory was available.

Some packets are sometimes dropped, e.g.

%FW-6-DROP_PKT: Dropping tcp pkt x.y.z.t:1332 => 217.146.176.106:80

For VPDN users, I had to change the TCP MSS to 1420. On the PIX, I never had to, and it changes the TCP MSS to 1380 automatically.

I am using IP CEF on the outside interface and it seems to work, despite the fact that Cisco's doc says CBAC can only be fast or process switched.

So is there any benchmark or optimization available?

I can give you more details if necessary.
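As an added example (not part of the original post or of any Cisco tool), here is a small Python script that parses %FW-6-DROP_PKT lines like the one quoted above and tallies drops by protocol, destination socket and source host. The point is to check whether the drops concentrate on one server or one client (a per-flow state problem) or are spread across everything (a box-wide problem) before blaming the platform. The syslog lines are constructed for this example, and the 50% "dominant destination" threshold is an arbitrary choice, not a Cisco value.

```python
"""Summarise IOS CBAC drop messages (%FW-6-DROP_PKT) from a syslog capture.

The message format matched here is the one quoted in the thread:
    %FW-6-DROP_PKT: Dropping tcp pkt x.y.z.t:1332 => 217.146.176.106:80
"""
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt "
    r"(?P<src>[\w.]+):(?P<sport>\d+) => (?P<dst>[\w.]+):(?P<dport>\d+)"
)

# Constructed sample syslog lines for this example; timestamps and hosts are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.10:1332 => 217.146.176.106:80
Mar  1 10:00:01.456: %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.11:1420 => 217.146.176.106:80
Mar  1 10:00:02.001: %SYS-5-CONFIG_I: Configured from console by console
Mar  1 10:00:02.789: %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.10:1333 => 198.51.100.7:443
Mar  1 10:00:03.002: %FW-6-DROP_PKT: Dropping udp pkt 10.1.1.20:53000 => 203.0.113.5:53
Mar  1 10:00:03.500: %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.10:1334 => 217.146.176.106:80
"""


def parse_drops(log_text):
    """Return one dict per %FW-6-DROP_PKT line; unrelated syslog lines are skipped."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            drops.append(d)
    return drops


def summarize(drops):
    """Aggregate drops by protocol, by (destination, port) and by source host."""
    return {
        "by_proto": Counter(d["proto"] for d in drops),
        "by_dst": Counter((d["dst"], d["dport"]) for d in drops),
        "by_src": Counter(d["src"] for d in drops),
    }


def dominant_destination(drops, share=0.5):
    """Return the (dst, port) responsible for at least `share` of all drops,
    or None when drops are spread out. `share` is an arbitrary threshold
    chosen for this example."""
    if not drops:
        return None
    (dst, n), = summarize(drops)["by_dst"].most_common(1)
    return dst if n / len(drops) >= share else None


if __name__ == "__main__":
    found = parse_drops(SAMPLE_LOG)
    stats = summarize(found)
    print(f"{len(found)} drops")
    for key in ("by_proto", "by_dst", "by_src"):
        print(key, stats[key].most_common(3))
    print("dominant destination:", dominant_destination(found))
```

Run it against the output of `show logging` (or the syslog server's file) with `ip inspect audit-trail` enabled; if one destination dominates, compare the drop timestamps with the CBAC session table for that flow rather than with CPU and memory graphs, which the thread already shows to be uncorrelated with the slowdown.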

5 Replies

bstremp
Level 2

Thanks for your help.

I know this document, but it does not help me with troubleshooting performance on the 2821, nor does it give any explanation of the CBAC debug messages.

I would also like a benchmark comparing PIX/ASA and IOS/CBAC for 1200 www users.

rculling
Level 1

Did you ever get a resolution to this issue? I am having the same issue with Websense URL filtering on a 2811, but with far fewer users and tunnels.

Thanks, Rich

Actually, no.

I tried again to move my numerous HTTP users and observed the same degraded response times again.

I tried with and without the Websense URL filter, but it's the same.

Since I will add a second Internet access at my backup site (also a 2821), the next step will be to move the VPN gateway there to see if the VPNs impact CBAC on the outside interface.

The thing is strange because there is no correlation between CPU or memory usage and response times.

I guess:

- it's a software bug or a lack of optimization (border effect?);

- the code is executed in process switching rather than in fast or CEF switching, so it is more sensitive to numerous www users;

- Cisco invests more in ASA optimization than in IOS FW.

For example, ip inspect pptp needs a second line, ip inspect gre (and it doesn't work),

while on the PIX it needs only 'fixup protocol pptp'.

Tell me about your issues.

Alain

We have been fighting this issue for a few weeks. This site has about 200 users, one site-to-site VPN, dynamic client VPN, CBAC, NAT, a 3-interface routed setup with a DMZ, and of course Websense integration. It appears to be much better with the Websense integration removed, but not 100%.

We have CBAC on the inside and DMZ interfaces and ACLs on all three, and have tried temporarily removing CBAC and the ACL on the inside interface. We also have other sites that are using a 2811 in a similar configuration without Websense, and they are not complaining about this issue, but those are much smaller environments than yours, and one site doesn't have any VPN tunnels.

We also turned IP CEF off; we have seen issues in the past with IP CEF, although with 12.4 code CBAC uses FAB, which is supposed to be faster. I want to update the code to the latest; we are running 12.4(3) and saw issues with NAT and CBAC in the release notes, but nothing directly pertaining to this issue.

If we can't get a resolution to this issue, we will have to put the PIX back in for web traffic. Downloads do not seem to be affected. So I am thinking it is still an issue with the Websense integration and possibly stateful inspection with CBAC, which is integrated in the code with the PIX and runs on top of the IOS. Given the performance at other sites without Websense and CBAC, I find it hard to believe that a 10 Mb link to the ISP can slow down a 2811. This router is not working hard at all. Also, they are not guaranteed 10 Mb out of the ISP.

Some of the suggestions from TAC have been a little off base; they added tcp adjust-mss on the inside interface (100 Mb full), which had no effect on the issue. I am going to open another TAC case and have it escalated to the next level. The customer states that the PIX had faster response on a T1 than the 2811 on a 10 Mb pipe to the ISP.

Thank you,

Rich
