[c-nsp] asa csc 10 performance ...

Garry gkg at gmx.de
Tue May 18 08:44:08 EDT 2010


... or rather lack thereof ...
We have several customers running 5510 w/ CSC 10 ... most of them only
use them on rather slow lines, like 2-6M aDSL or 2-4M sDSL ... another
one has a CSC20, running on our backbone w/ 100M ethernet uplink, also
without any noticeable problems ...
One customer though has a 34M E3 link, with very decent performance
(downloads are very near the theoretical speed when going directly
through without CSC scanning).
Anyway, when the CSC scanning is activated, delays for html access are
pretty sh@tty ... whereas a page with a dozen or two images may load
within a second or two regularly, with the CSC scan this slows down to
15 seconds or more ...
I've set up another 5510 w/CSC10, using mostly default settings for the
CSC policy rules, moving everything through the default policy (DNS
etc.), and a separate rule for HTML/FTP/SMTP traffic ... even with low
utilization (<1Mbit/s throughput on the FW at the time of initial
loading), page loads slow down as our customer also experiences ...
With the CSC10 being sold as suitable for up to 250 (?) users, I don't
see how a single user's access can be this taxing on the CPU that it
causes such delays ... I've tried this with both 6.2.1599 as well as the
current 6.3 version of the CSC software. Tried with both web site
classification on and off.
It seems that access by the browser, which usually happens more or less
in parallel, is way more sequential when CSC scan is enabled ...

With the rather limited amount of configuration options (as far as
performance tuning goes) in the ASDM interface, I don't think I should
have configured anything wrong ... I am open to suggestions though ;)
Has anybody else come across this problem?

Tnx, -gg

