Being hit by a high volume of fragmented UDP packets (around 80+ Mbps).
CPU usage hovering around 88%.
Traffic is being dropped by rule.
About 10 Mbps is legit traffic.
The firewall is holding its own, but I was wondering if anyone has any suggestions on some added streamlining that can be done while other avenues are looked at for a more permanent approach. (I'm already working other ways such as ISP, etc.)
Currently all unneeded fixups are off, logging is scaled back, interfaces are all 100/full.
I've seen these things push more traffic than this with less impact on the CPU, but this is mostly small, fragmented packets. I'm aware that we are already approaching FastE limits, so I'm not really looking to boost much more throughput, simply wondering if I can take some strain off the CPU.