SFOS 16.05.0 GA IPS set maxpkts size question

We are having some problems with a XG-430 in bridge mode, which is deployed as an IPS to replace an old Sourcefire appliance. Performance starts to go down after 200Mbps, and really goes bad when it passes 400Mbps. This is bad news for us since we currently get sustained 800Mbps and can peak to 1.4Gbps (We use 10Gbps SFPs).

We were advised to upgrade from 16.01.2 to 16.05.0, were told it made "IPS improvements", and also to change the value of IPS maxpkts size from 8 to 80:

Original (Default):

        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 8
        mmap off
        enable_appsignatures on
        http_response_scan_limit  65535


to:

        stream on
        lowmem off
        maxsesbytes 0
        maxpkts 80
        mmap off
        enable_appsignatures on
        http_response_scan_limit  65535

As per some articles in this forum, I am seeing users recommending the opposite, go back to 8, and, as per the old Cyberoam documentation (is it still valid?), maxpkts value is for:

"default - pass first 8 packets of the session of each direction for application classification (total 16)"

... if I am reading it correctly, doesn't this increase CPU utilization?

Any ideas, tips, recommendations, etc.? We haven't put the appliance back in-line, just want to minimize the times I have to put the appliance back in-line.


Thanks.

R.



  • Hi Remigio,

    Check #4 in my guide here and post pictures of the finding.

    Thanks

  • Hello sachingurung,

    Box is weird: on power cycle, the 10 Gbps interface doesn't come up, I have to console in and reboot the device from the menu. As soon as the machine starts rebooting, I get the links up (it does the same thing on all the boxes we have (6 XG-430, 5 of them still offline)).

    What I found using your guide (please note that the XG-430 is in bridge mode, interfaces are between one of our internal segments and a firewall):

    #4

    1. QOS not enabled (as a matter of fact, as far as I can tell, everything that could be causing the slowdown was disabled).

    2. No errors reported by ethtool -S, the only errors that we can correlate with poor performance are from syslog.log:

    Jan 19 23:52:27 (none) user.err kernel: [575520.844747] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227926
    Jan 19 23:52:27 (none) user.err kernel: [575520.844748] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227927
    Jan 19 23:52:27 (none) user.err kernel: [575520.844751] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227928
    Jan 19 23:52:27 (none) user.err kernel: [575520.844752] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227929
    Jan 19 23:52:27 (none) user.err kernel: [575520.844754] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227930
    Jan 19 23:52:27 (none) user.err kernel: [575520.844755] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227931

    When an IPS policy is applied to the interface, the above starts showing up and you can see our bandwidth utilization drop from e.g. 400 Mbps to 250 Mbps. When no IPS policy is enabled, we just have to wait until traffic starts getting above 600 Mbps and then you can see the above showing up and the "user experience" degrading (i.e. pauses/buffering while watching YouTube, Netflix, etc.)

    3. Used different fiber, same issue.

    4. Used different ports/SFPs, same issue. BTW, the SFPs on the XG-430 are Sophos OEM, not third party.

    5. Connected to a switch. The firewall upstream has no problems when the XG-430 is bypassed, I have seen it peak above 1.4 Gbps, not a single packet lost.

    6. N/A, using 10 Gbps interfaces

    7. N/A, the problem is not the firewall nor the ISP.

    #4.1

    1. DOS settings are disabled.

    2. DNS is working fine, both primary and secondary running on high end systems.

    Thanks,

    R.
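The kernel messages quoted in the reply above carry a cumulative "Dropped:" counter, so two messages some seconds apart are enough to measure how many packets the IPS packet container is actually losing per second, whatever the link-level counters from ethtool say. The following Python is an added example, not code from the thread or from Sophos: it parses lines in that exact shape, reads the kernel uptime stamp for sub-second timing, and reports the loss rate. The sample log lines are constructed from the posted format (the last one is invented, ten seconds on, so a rate can be computed) and the alert threshold is an assumed operational value, not a documented one.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: messages in the shape posted in the thread, plus one
# later message ten seconds on so a rate can be computed, and one unrelated
# kernel line the parser must ignore. Not real data from the appliance.
SAMPLE_SYSLOG = """\
Jan 19 23:52:27 (none) user.err kernel: [575520.844747] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227926
Jan 19 23:52:27 (none) user.err kernel: [575520.844748] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36227927
Jan 19 23:52:27 (none) user.info kernel: [575520.900000] eth3: link is up
Jan 19 23:52:37 (none) user.err kernel: [575530.844755] :828:__pkt_submit::916: pkt_container:100 full at 8193 entries, dropping packets(s). Dropped: 36228931
"""

# The kernel uptime stamp in [brackets] has microsecond resolution; the syslog
# wall-clock prefix only has seconds, so timing is taken from uptime.
DROP_RE = re.compile(
    r"kernel: \[(?P<uptime>\d+\.\d+)\] .*?"
    r"pkt_container:(?P<container>\d+) full at (?P<entries>\d+) entries, "
    r"dropping packets\(s\)\. Dropped: (?P<dropped>\d+)"
)


def parse_drop_events(syslog_text: str) -> List[Dict[str, float]]:
    """Return one record per 'pkt_container full' message, ordered by uptime."""
    events = []
    for line in syslog_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # unrelated kernel or user-space line
        events.append({
            "uptime": float(m["uptime"]),
            "container": int(m["container"]),
            "entries": int(m["entries"]),   # container size at which it overflowed
            "dropped": int(m["dropped"]),   # cumulative counter, not a per-message delta
        })
    events.sort(key=lambda e: e["uptime"])
    return events


def drop_rate(events: List[Dict[str, float]]) -> Optional[Dict[str, float]]:
    """Packets lost per second between the first and last event.

    Because 'Dropped:' only ever increases, the difference between two messages
    is the real loss in between, even if syslog rate-limited the messages.
    """
    if len(events) < 2:
        return None
    first, last = events[0], events[-1]
    seconds = last["uptime"] - first["uptime"]
    if seconds <= 0:
        return None
    drops = last["dropped"] - first["dropped"]
    return {"seconds": seconds, "drops": drops, "per_second": drops / seconds}


def assess(syslog_text: str, alert_pps: float = 50.0) -> Dict[str, object]:
    """Summarise container overflow for a log excerpt and flag sustained loss.

    alert_pps is an assumed operational threshold (hypothetical), chosen here
    only to illustrate the check; tune it to the link in question.
    """
    events = parse_drop_events(syslog_text)
    rate = drop_rate(events)
    return {
        "events": len(events),
        "containers": sorted({e["container"] for e in events}),
        "capacity": max((e["entries"] for e in events), default=0),
        "rate": rate,
        "alert": bool(rate and rate["per_second"] >= alert_pps),
    }


if __name__ == "__main__":
    # Run against /log/syslog.log output pasted into SAMPLE_SYSLOG, or pipe a
    # file in and call assess() on its contents.
    print(assess(SAMPLE_SYSLOG))
```

Running it on a live excerpt alongside the bandwidth graph gives a number to correlate with the throughput drop the reply describes: if the loss rate climbs only while an IPS policy is attached, the container overflow is the IPS path itself rather than the fibre, the SFPs or the upstream firewall.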
