[c-nsp] IPS and HTTPS Performance

Crist Clark Crist.Clark at globalstar.com
Fri Dec 29 14:28:13 EST 2006


We're seeing some weird performance issues with HTTPS
connections when we have IPS enabled on our router.
We're trying to figure out why it is happening and what
IPS features may be the cause.

It's a 2821 running 12.4(12).

What the users see is that HTTPS sites, mostly bank
sites, are r...e...a...l...l...y   s...l...o...w.

When we get in and do a packet capture we see something
interesting. For example, on a recent test to a bank
site, a capture at the internal interface of our
firewall got 295 packets. A capture at the client PC saw
242 packets. The only hop between the firewall and the
PC is the router with IPS enabled.

With the IPS disabled, we saw no dropped packets and the
response, from the user perspective, was quick.

Before getting all gory and posting packet captures,
anyone seen this before, sound familiar, have some
hints? A segment ordering issue? Why only (that we've
noticed) HTTPS? It does work eventually, so the
retransmits do get through, it doesn't seem like it
could be something in the application or IP layer.
