We are using IronPort WSA S670 appliance running software version 7.1.4-053. We have around 25K users connecting through the proxy.
We are experiencing slowness frequently and the proxy goes in to unresponsive mode at times. We strongly suspect that the proxy is overloaded.
However, we do not have a proper case supported with data to prove to the senior management that the proxy is overloaded. I checked the capacity logs and status logs, but they do not provide proper data.
Please let me know how can we check if the proxy is operatin properly.
Based on the information you provided regarding users and having a single S670, it is likley you are overloading the appliance. Unfortunately in the 7.1.x software there is no easy way for you to determine the process utilization. I can provide the steps you can use to determine the prox process utilization and see if you are overloading the appliance if you are able to upgrade to 7.5.x software. Otherwise you will need to open a support case so that we can investigate the backend of the appliance to pull the necessary data.
Just on the capacity side, you could have had assistance from your Cisco partner's channel to assist with the measuring parameters to support planning the WSA deployment. Unfortunately, measuring the WSA usage based on number of users may not help much as far as I know, but the number of connections will do.
Feel free to reach out to your Cisco contacts for better deployment planning or open a support case with Cisco TAC.
It appears that we will need to go for a version upgrade.
While I go through the 7.5.X releast notes, could you please let me know if there is any significant change in the latest version. Any known issues or changes in the configurations? Please let me know.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...