
Impact of enabling sysopt np completion-unit on FWSM


Postby Guest » Thu May 15, 2008 3:20 pm

Just one question: will enabling sysopt np completion-unit impact my FWSM? I have around 7 contexts and I am getting lots of out-of-order packets and slowness while transferring huge files. Can anyone help? Is it recommended?

Guest
 


Re:Impact of enabling sysopt np completion-unit on FWSM

Postby Guest » Thu May 15, 2008 3:20 pm

"sysopt np completion-unit" will not impact the FWSM.

It also fixed an FWSM defect that used to reorder TCP packets under certain conditions and could cause slowness.

 

I hope it helps.

 

PK

Guest
 

Re:Impact of enabling sysopt np completion-unit on FWSM

Postby Guest » Thu May 15, 2008 3:55 pm

The command only helps for TCP traffic, not for UDP traffic.


Here is the defect ID for the FWSM out of order packet issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl10667

TCP out of order issue - that causes latency issues.
 
FWSM 3.1.12 and 3.2.5 and above code has a sysopt command "sysopt np completion-unit" that needs to be configured.

Here is the link to the bug:
 
- To enable the completion unit on the NP complex, which will ensure that packets processed by the FWSM don't get reordered while traversing the firewall:
 
                [no] sysopt np completion-unit
 
The no form of the command disables the completion unit, and therefore reordering may occur as packets get processed by the FWSM.
 
- The command is available in single and multiple mode. In multiple mode, the command must be executed in the admin context and it will turn on/off the completion unit globally for the entire system.
 
- The command can be saved in the config using wr mem and it is persistent across reloads.
 
- The command is synced from active to standby as part of the config sync.

Command reference link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/s8.html#wp2759328

-KS

Guest
 

Re:Impact of enabling sysopt np completion-unit on FWSM

Postby Guest » Thu May 15, 2008 4:50 pm

This document has a section which explains how np completion impacts the FWSM and some other points to take into consideration when working with performance and reordering issues on the FWSM:

https://supportforums.cisco.com/docs/DOC-12668

 

Regards,

Fadi.

Guest
 

Re:Impact of enabling sysopt np completion-unit on FWSM

Postby Guest » Thu May 15, 2008 5:04 pm

I have done the configs below and the transfer rate has increased about 3 times. Thanks for the document. And no outages during the change.

 

Optimized FWSM Configuration


• Interface MTU set to 1500 bytes
• TCP MSS adjusted to 1460 bytes
• TCP Window Scale and SACK permitted
• TCP Sequence Number Randomization disabled
• NP Completion Unit enabled

Guest
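
An added example, not part of the thread or any Cisco tooling: one way to confirm whether the firewall itself is reordering packets, before and after enabling the completion unit, is to capture on both sides and compare per-flow order. The `(flow, seq)` export format, the flow keys, addresses and sequence numbers below are constructed assumptions.

```python
from collections import defaultdict

def reorder_stats(ingress, egress):
    """Count packets that left the device out of order, per flow.

    ingress / egress: lists of (flow, seq) in capture order. flow is any
    hashable flow key; seq is the TCP sequence number (for UDP, some
    per-packet identifier such as the IP ID). Assumed export format.
    Returns {flow: {"packets": n, "late": k}}.
    """
    # Rank each packet by arrival order; retransmissions keep the first rank.
    rank = {}
    for i, key in enumerate(ingress):
        rank.setdefault(key, i)

    stats = defaultdict(lambda: {"packets": 0, "late": 0})
    highest = {}   # highest ingress rank already seen leaving, per flow
    seen = set()   # ignore duplicates on the egress side as well
    for key in egress:
        if key not in rank or key in seen:
            continue  # missing from the ingress capture, or a duplicate
        seen.add(key)
        flow = key[0]
        stats[flow]["packets"] += 1
        if rank[key] < highest.get(flow, -1):
            stats[flow]["late"] += 1  # overtaken inside the device
        else:
            highest[flow] = rank[key]
    return dict(stats)

# Constructed sample data: 1460-byte TCP segments plus a UDP flow.
TCP = ("tcp", "10.0.0.5", 40000, "10.0.1.9", 445)
UDP = ("udp", "10.0.0.5", 5000, "10.0.1.9", 514)
INGRESS = [(TCP, 1000), (UDP, 1), (TCP, 2460), (TCP, 3920),
           (UDP, 2), (TCP, 5380), (TCP, 6840)]
EGRESS = [(TCP, 1000), (TCP, 3920), (UDP, 1), (TCP, 2460),
          (UDP, 2), (TCP, 6840), (TCP, 5380), (TCP, 5380)]

if __name__ == "__main__":
    for flow, s in reorder_stats(INGRESS, EGRESS).items():
        print(flow[0], s["packets"], "packets,", s["late"], "late")
```

Because the baseline is the ingress capture, reordering that already existed upstream of the firewall is not counted against it.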
 


