SFOS 16.05.0 GA IPS set maxpkts size question

We are having some problems with a XG-430 in bridge mode, which is deployed as an IPS to replace an old Sourcefire appliance. Performance starts to go down after 200Mbps, and really goes bad when it passes 400Mbps. This is bad news for us since we currently get sustained 800Mbps and can peak to 1.4Gbps (We use 10Gbps SFPs).

We were advised to upgrade from 16.01.2 to 16.0.5.0, were told it made "IPS improvements", and also to change the value of IPS maxpkt size from 8 to 80:

Original (Default):

        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 8
        mmap off
        enable_appsignatures on
        http_response_scan_limit  65535

to:

        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 80
        mmap off
        enable_appsignatures on
        http_response_scan_limit  65535

As per some articles in this forum, I am seeing users recommending the opposite (go back to 8), and, as per the old Cyberoam documentation (is it still valid?), the maxpkts value is for:

"default - pass first 8 packets of the session of each direction for application classification (total 16)"

... if I am reading it correctly, doesn't this increase CPU utilization?

Any ideas, tips, recommendations, etc.? We haven't put the appliance back in-line; I just want to minimize the number of times I have to put the appliance back in-line.

Thanks.

R.

  • No luck with the change in maxpkts, same issues. Things get better if I remove the IPS rules.

    Any idea what these messages are about?

    Jan 24 10:23:45 (none) user.warn kernel: [352801.192587] net_ratelimit: 1953 callbacks suppressed
    Jan 24 10:23:45 (none) user.err kernel: [352801.192590] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32896
    Jan 24 10:23:45 (none) user.err kernel: [352801.192595] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32897
    Jan 24 10:23:45 (none) user.err kernel: [352801.192599] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32898
    Jan 24 10:23:45 (none) user.err kernel: [352801.192612] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32899
    Jan 24 10:23:45 (none) user.err kernel: [352801.192616] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32900
    Jan 24 10:23:45 (none) user.err kernel: [352801.192618] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32901
    Jan 24 10:23:45 (none) user.err kernel: [352801.192620] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32902
    Jan 24 10:23:45 (none) user.err kernel: [352801.192622] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32903
    Jan 24 10:23:45 (none) user.err kernel: [352801.192626] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32904
    Jan 24 10:23:45 (none) user.err kernel: [352801.192629] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32905
    Jan 24 10:24:02 (none) user.warn kernel: [352818.463049] net_ratelimit: 595 callbacks suppressed

    Thanks.
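As an added example (not from this thread or from Sophos), the following parses the two kinds of kernel messages quoted above: it treats the "Dropped:" value as a cumulative counter and computes the per-container delta over the window, and it totals the net_ratelimit suppression so the reader knows how many drop messages never reached the log at all. The regexes assume the exact field layout of the quoted lines.

```python
import re
from dataclasses import dataclass

# Kernel log lines quoted earlier in this thread, trimmed to a few entries.
SAMPLE_LOG = """\
Jan 24 10:23:45 (none) user.warn kernel: [352801.192587] net_ratelimit: 1953 callbacks suppressed
Jan 24 10:23:45 (none) user.err kernel: [352801.192590] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32896
Jan 24 10:23:45 (none) user.err kernel: [352801.192599] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32898
Jan 24 10:23:45 (none) user.err kernel: [352801.192629] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32905
Jan 24 10:24:02 (none) user.warn kernel: [352818.463049] net_ratelimit: 595 callbacks suppressed
"""

# "[uptime] ... pkt_container:<id> full at <capacity> entries ... Dropped: <cumulative counter>"
DROP_RE = re.compile(r"\[(\d+\.\d+)\] .*?pkt_container:(\d+) full at (\d+) entries.*?Dropped: (\d+)")
# "[uptime] net_ratelimit: <n> callbacks suppressed" -> n kernel messages were NOT written to the log
RATELIMIT_RE = re.compile(r"\[(\d+\.\d+)\] net_ratelimit: (\d+) callbacks suppressed")


@dataclass
class ContainerDrops:
    capacity: int        # queue size the container filled up at ("full at N entries")
    first_counter: int   # first "Dropped:" value seen in the window
    last_counter: int    # last "Dropped:" value seen in the window
    first_uptime: float  # kernel uptime of the first matching line
    last_uptime: float   # kernel uptime of the last matching line

    @property
    def logged_drops(self) -> int:
        # "Dropped:" is cumulative, so the delta is what was dropped during the window.
        return self.last_counter - self.first_counter


def summarise(log_text: str) -> tuple[dict[int, ContainerDrops], int]:
    """Return per-container drop summaries and the total of ratelimit-suppressed messages."""
    containers: dict[int, ContainerDrops] = {}
    suppressed = 0
    for line in log_text.splitlines():
        if m := DROP_RE.search(line):
            uptime, cid, cap, counter = float(m[1]), int(m[2]), int(m[3]), int(m[4])
            if cid not in containers:
                containers[cid] = ContainerDrops(cap, counter, counter, uptime, uptime)
            else:
                containers[cid].last_counter, containers[cid].last_uptime = counter, uptime
        elif m := RATELIMIT_RE.search(line):
            suppressed += int(m[2])  # a lower bound on drop messages that were never logged
    return containers, suppressed


def drop_rate(c: ContainerDrops) -> float:
    """Logged drops per second over the window covered by the matched lines."""
    span = c.last_uptime - c.first_uptime
    return c.logged_drops / span if span > 0 else float("inf")
```

Because of the net_ratelimit suppression, the logged delta understates the real loss; the suppressed total tells you how much of the picture is missing.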

  • Remigio Lam said:
    Jan 24 10:23:45 (none) user.warn kernel: [352801.192587] net_ratelimit: 1953 callbacks suppressed

    Jan 24 10:23:45 (none) user.err kernel: [352801.192590] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 32896  

    The ratelimit is for logging, I believe, and is not a concern with high bandwidth. The second message may be related to DOS prevention. You may want to disable the DOS prevention to check the capabilities and then fine-tune as necessary.

  • I believe DOS protection is not enabled (unless there is another place to configure it?):

    Also, no IPS rules are enabled; I set them to none, at least for now. We don't get as many "packet dropped" messages as when a profile was in use.

    Thanks.

    R.

  • Yes, DOS seems to be disabled. Are your counters at zero for DOS attacks? Do you get any alerts on why a packet was dropped? Disabling all the rules will only use IPS for application categorization, which in itself doesn't make sense to me when they are already doing half the categorization with WINGc.

    Seriously, this shouldn't be this hard.

  • I believe the counters for DOS attacks are 0. The XG is behind a firewall and in bridge mode, and the other firewall doesn't report anything.

    No alerts when packets get dropped; when it gets bad, users' complaints are the alerts :-)

    Thanks,

    R.