
9.2.1 Performance Change (Firewall Performance)
  •  
silars

I've noticed a substantial change in firewall forwarding performance since upgrading to 9.2.1. It is a VMware appliance (ESXi 6.0u2) that has been performing around 80/80 Mbps (service capacity) prior to the upgrade. Post-upgrade is around 50/50 Mbps.

I've removed the firewall rules and upgraded the VM version (4 -> 11) with no change in behavior. The only configuration change was enabling the GeoIP feature. Disabling it resulted in no change.

I'd rather not have to revert to a prior version to restore capacity.

  •  
Brian Carmichael (Kerio)


Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
silars

Thanks for the quick reply.

That did not change the performance. So far, this is only an issue for traffic involving Internet Interfaces. Local/Trusted Interfaces are running around 800Mbps (Trusted to Trusted traffic), at last check.

I should also note that I am using sub-interfaces (VLANs):

~ # ethtool -k eth3 | grep generic-seg
generic-segmentation-offload: on
~ # ethtool -k eth4 | grep generic-seg
generic-segmentation-offload: on
~ # ethtool -k eth3.66 | grep generic-seg
generic-segmentation-offload: off [requested on]
~ # ethtool -k eth3.99 | grep generic-seg
generic-segmentation-offload: off [requested on]
~ # ethtool -k eth3.10 | grep generic-seg
generic-segmentation-offload: off [requested on]

eth3.66 would be the sub-interface/VLAN that is Internet facing. I only use sub-interfaces in the configuration. The physical interfaces have no assignment.

The above was captured post execution of the LSO disabling command.
  •  
Brian Carmichael (Kerio)

LSO is still enabled for your physical interfaces. Disable it on all interfaces. Note that the new 9.2 version is 64-bit and consumes more memory. We recommend 4 GB. Otherwise, you can disable application awareness to free up resources if you do not use this feature.

  •  
silars

The command you provided appears to be a global option and not interface specific. What method would I use to disable LSO on an interface basis?

I can increase RAM to 4GB (from 2GB) but Control is not reporting a memory issue (522.63MB of 1.96GB). vCenter is not reporting memory issues either.

Keep in mind, my Trusted to Trusted traffic is running near 1Gbps on the same physical interfaces. I'll re-run those tests to validate.

Thanks for staying engaged.
  •  
silars

Latest:

Increasing RAM to 4GB returned normal behavior. The LSO enable/disable appears to have no effect on performance testing. I reverted using "PktOffloading=1".

Remaining question:

Why doesn't the Kerio Dashboard report this condition? If the system had reported it was RAM constrained, this would have been more easily resolved. What does the RAM utilization actually report?
  •  
silars

For those debugging, you probably will see this error in your Warning log:

"[20/Feb/2017 17:10:43] RAM size is 2010MB. For better IPS performance, please, consider expansion to at least 2096MB."

I did notice this earlier, but took no note since the system was reporting RAM utilization around 25%.
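
Added example, not part of the original thread and not Kerio code: a small Python check that scans Warning log text for the RAM sizing message quoted above and reports the shortfall, since the utilization figure alone did not reveal the condition. The regular expression assumes every such warning has the same wording as the one quoted line; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Pattern follows the single warning line quoted in the thread; assuming all
# RAM sizing warnings share this exact wording is an assumption.
RAM_WARNING = re.compile(
    r'^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] '
    r'RAM size is (?P<have>\d+)MB\. .*?at least (?P<need>\d+)MB\.'
)

def find_ram_warnings(log_text):
    """Return one dict per RAM sizing warning found in Warning log text."""
    findings = []
    for line in log_text.splitlines():
        match = RAM_WARNING.match(line.strip().strip('"'))
        if not match:
            continue  # unrelated warning or malformed line
        have, need = int(match['have']), int(match['need'])
        findings.append({
            'time': datetime.strptime(match['ts'], '%d/%b/%Y %H:%M:%S'),
            'ram_mb': have,
            'recommended_mb': need,
            'shortfall_mb': max(need - have, 0),
        })
    return findings

def latest_ram_warning(log_text):
    """Return the most recent RAM sizing warning, or None if there is none."""
    findings = find_ram_warnings(log_text)
    return max(findings, key=lambda f: f['time']) if findings else None

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = '''\
[20/Feb/2017 17:10:43] RAM size is 2010MB. For better IPS performance, please, consider expansion to at least 2096MB.
[20/Feb/2017 17:11:02] Unrelated warning text (constructed sample line)
[21/Feb/2017 08:00:00] RAM size is 2010MB. For better IPS performance, please, consider expansion to at least 2096MB.
'''

if __name__ == '__main__':
    hit = latest_ram_warning(SAMPLE_LOG)
    if hit:
        print(f"{hit['time']}: {hit['ram_mb']}MB installed, "
              f"{hit['recommended_mb']}MB recommended, "
              f"short by {hit['shortfall_mb']}MB")
```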