We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

Performance Tuning

  • Type: Knowledgebase
  • Date changed: 9 years ago
Solution #00005224 
 
Scope:
This solution replies to:
- NG Firewall firmware versions 4.2.x
- netfence firmware versions 4.2.x

 
Symptoms:

Strong hardware like a legacy phion appliance heavensgate L2000 or HP DL380 generates a undefinied high CPU load. This behavior mostly occurs if you are using Intel Gigabit interfaces and a heavy firewall throughput (e.g. 50.000 concurrent sessions, 5.000 new sessions per second).


 
Solution:

There are two reasons for this high cpu load.
 
1) The Intel Gigabit driver runs in a "intelligence" mode which send for each packet a interrupt up to the kernel.
2) Default settings in the OS, which are set to small. 

 

 

Set the following options in the box network. With this options will decrease the CPU load immediately after a reboot and you could operate with this box with full logging and statistics.

1.) Interrupt throttle rate (set as "driver option" in the network)

Set interrupt rate fixed to 10000 rather than default causing 35000+ interrupts per second. Large interrupt rates cause a high machine load and unnecessary overhead. Set this option for Intel-cards with option "InterruptThrottleRate" for each device. Always use this optimisation in conjunction with point 4.), NIC receive buffer.

 

  InterruptThrottleRate=10000,10000, ...

 

Supported modules for this parameter: e1000, e1000compaq, e1000e, igb, ixgb, ixgbe

 

 

2.) Ksoftirqd priority (set as "special need" in the network)
Set Ksoftirqd priority nice value to -19 (default 20). This avoids large latencies due to packet delivery via the ksoftirqd.

 

  renice -19 -p $(ps ax | grep softirqd | grep -v grep | awk '{print $1}')  

 


3.) Netdevice backlog (set as "special need" in the network)

The netdevice backlog specifies the number of packet processed in Softirq handler (uninterruptable) rather than in softirq daemon (interruptable). A large (3000) value will cause packet delivery to be extremely prioritized over user spaces processes which causes the box management functions to be very slow. We suggest staying on the default value of 300.

 

  echo 300 > /proc/sys/net/core/netdev_max_backlog  (suggested; default)
  echo 3000 > /proc/sys/net/core/netdev_max_backlog 
(too extreme; bad for user space)

 


4.) NIC Receive Buffers (set as "special need" in the network)

Increasing the number of receive buffer improves the performance when packet bursts occur.

The default value for the e1000 is set to 256. Increasing the value to 1024

 

  ethtool -G eth3 rx 1024    (Set Value)
  ethtool -g eth3                    (Show settings)

Results in better packet burst performance.

Note:
This is a per interface setting nad has to applied for each interface. Comment: Increasing the transmit buffer did not help.

 


5.) NOATIME mount (set as "special need" in the network)

Avoid unnecessary write access by NOT tracking file access times.


  mount / -o remount,noatime
  mount /boot -o remount,noatime
  mount /phion0 -o remount,noatime
  mount /proc -o remount,noatime

 

 

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKaHAAW