
Slow throughput Ironport S370 Proxy CPU 100%

neilcouston
Level 1

We have a cluster of 3 x Ironport S370s, all running 7.7.0-753.

The throughput is really poor. We have a 500Mbps Internet connection which at its peak is only getting to 120Mbps, as the Ironports don't seem to be able to handle the traffic.

The Proxy CPU% is always close to 100% but the overall CPU is usually at no more than 30%. At times it can take up to 60 seconds to load the initial page, particularly if the site is an HTTPS site.

We have

22 Identities

62 Access policies

6 decryption Policies

Our maintainer says that having this number of Identities / policies should not be an issue but I have my doubts.

Can anyone advise, as it's really become a major issue? Output from the rate and status commands is below.

 %proxy  reqs                         client    server    %bw  disk  disk
     CPU  /sec   hits blocks misses    kb/sec    kb/sec  saved   wrs   rds
 99.00   285    373   1293   1193     26484     21838   17.5   550   100
 99.00   286    209   1313   1335     28682     24532   14.5   635    80
 99.00   285    182   1323   1359     37083     33529    9.6  1351     0
100.00   231    132   1051   1113     34816     34151    1.9   355     0
 98.00   253    161   1171   1195     39668     37236    6.1  1363     0
 99.00   294    256   1225   1469     51371     43304   15.7  1117    40
 96.00   346    525   1166   1763     31882     23300   26.9  1328     0
 98.00   302    228   1258   1534     30385     25565   15.9  1302     0
 99.00   295    149   1200   1597     26253     22888   12.8   816     0
 98.00   275    199   1020   1536     35237     31443   10.8   838     0
 99.00   288    184   1131   1574     35019     26688   23.8  1433     0
 99.00   262    116   1073   1437     24744     23228    6.1  1306     0
105.00   307    292   1165   1610     24249     20236   16.6  1061     0

Status as of:                  Thu Oct 16 08:28:10 2014 GMT
Up since:                      Wed Oct 15 15:21:19 2014 GMT (17h 6m 51s)
System Resource Utilization:
  CPU                                    28.2%
  RAM                                    82.6%
  Reporting/Logging Disk                 16.0%
Transactions per Second:
  Average in last minute                   266
  Maximum in last hour                     296
  Average in last hour                     118
  Maximum since proxy restart              296
  Average since proxy restart                9
Bandwidth (Mbps):
  Average in last minute                25.461
  Maximum in last hour                  49.605
  Average in last hour                  16.400
  Maximum since proxy restart           49.605
  Average since proxy restart            1.365
Response Time (ms):
  Average in last minute                   179
  Maximum in last hour                     526
  Average in last hour                     192
  Maximum since proxy restart            17710
  Average since proxy restart             3165
Cache Hit Rate:
  Average in last minute                    16
  Maximum in last hour                      25
  Average in last hour                       7
  Maximum since proxy restart               25
  Average since proxy restart                0
Connections:
  Idle client connections                 1276
  Idle server connections                 1170
  Total client connections                1638
  Total server connections                1890

3 Replies

 

If I remember correctly, 7.7 was a dog... they had a bunch of performance issues, especially with adaptive scanning turned on.

Any chance you can go to 8.x?

 

The only update available for our units is 7.7.0 Build 761

I can't see any updates for 8.x

Also, there is a BIOS update which has been done but still shows up, but apparently this is normal.

I may update one unit to see if it improves the performance.

 

Tim Glen
Cisco Employee

In the release notes it states...

IMPORTANT: During testing of AsyncOS 7.7.0, Cisco observed performance changes ranging from +33% to -16%, depending on the model and configuration. Performance degradation risk is limited to S160 & S360 models and models S370 and S660 that are running the web proxy without security services. If you experience performance degradation with AsyncOS 7.7.0, Cisco recommends that you revert to AsyncOS 7.5.x.

http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-7/Release_Notes/WSA_7-7-0_Builds_after_725_Release_Notes.pdf