Re: Solaris 9 and ip filter performance issues.



Old 12-17-2004
Jorgen Lundman
 


So the morning crush is on:

Currently about 12% packet loss. My shell running netstat -i can pause for
almost indefinite periods, but wakes up if I push return..

The switches are Cisco catalysts 2950, and don't seem to be concerned. It is
only the final hop on the internal side that starts having issues.

If it is just cheap/poor hardware that can't keep up with the load, that is
fine, put in a different nic card, or somehow set up to use two nics on the LAN
side (can one do that with ipfilter?). Or perhaps replace the entire box.

It just seemed like a 100base link shouldn't be able to take down this box of
"reasonable" hardware?





Various stats:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# netstat -i -I iprb1 1
input iprb1 output input (Total) output
packets errs packets errs colls packets errs packets errs colls
729 0 1059 0 0 1729 0 1749 3 0
569 0 810 0 0 1360 0 1366 9 0
566 0 806 0 0 1352 0 1383 10 0
632 0 797 1 0 1237 0 1289 4 0
471 0 591 1 0 1096 1 1083 5 0
685 0 1004 0 0 1631 1 1736 7 0
469 0 629 1 0 1080 0 1107 9 0
454 0 567 0 0 932 0 983 3 0
593 0 781 2 0 1282 0 1307 17 0
689 0 878 0 0 1406 1 1449 5 0
875 0 1257 0 0 1790 2 1973 9 0
620 0 880 0 0 1406 0 1471 7 0
705 0 931 0 0 1631 0 1653 10 0
657 0 852 0 0 1476 0 1529 8 0
692 0 889 0 0 1434 0 1489 8 0

There are constant errors like so, they don't seem to change (noticeably) with
load. If the errors grew proportionally with heavy use that could be something?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# kstat -p iprb:1: 1
iprb:1:iprb1:align_errors 0
iprb:1:iprb1:blocked 59
iprb:1:iprb1:brdcstrcv 105133
iprb:1:iprb1:brdcstxmt 178
iprb:1:iprb1:carrier_errors 0
iprb:1:iprb1:class net
iprb:1:iprb1:collisions 0
iprb:1:iprb1:crtime 79.044499568
iprb:1:iprb1:defer_xmts 0
iprb:1:iprb1:duplex full
iprb:1:iprb1:ex_collisions 0
iprb:1:iprb1:fcs_errors 0
iprb:1:iprb1:first_collisions 0
iprb:1:iprb1:ierrors 4237
iprb:1:iprb1:ifspeed 100000000
iprb:1:iprb1:intr 14450655
iprb:1:iprb1:ipackets 16663831
iprb:1:iprb1:ipackets64 16663831
iprb:1:iprb1:macrcv_errors 0
iprb:1:iprb1:macxmt_errors 0
iprb:1:iprb1:media PHY/MII
iprb:1:iprb1:missed 0
iprb:1:iprb1:multi_collisions 0
iprb:1:iprb1:multircv 0
iprb:1:iprb1:multixmt 98
iprb:1:iprb1:norcvbuf 0
iprb:1:iprb1:noxmtbuf 0
iprb:1:iprb1:obytes 1778147987
iprb:1:iprb1:obytes64 14663049875
iprb:1:iprb1:oerrors 4924
iprb:1:iprb1:oflo 4237
iprb:1:iprb1:opackets 18016065
iprb:1:iprb1:opackets64 18016065
iprb:1:iprb1:promisc off
iprb:1:iprb1:rbytes 2750247318
iprb:1:iprb1:rbytes64 7045214614
iprb:1:iprb1:rcv_badinterp 0
iprb:1:iprb1:runt_errors 0
iprb:1:iprb1:snaptime 59088.180337263
iprb:1:iprb1:sqe_errors 0
iprb:1:iprb1:toolong_errors 0
iprb:1:iprb1:tx_late_collisions 0
iprb:1:iprb1:uflo 4924
iprb:1:iprb1:unknowns 4599
iprb:1:iprb1:xmt_badinterp 5
iprb:1:iprb1:xmtretry 0

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# ipnat -s
mapped in 16170941 out 17899623
added 583640 expired 573521
inuse 10119
rules 10

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# ipfstat
dropped packets: in 0 out 0
non-data packets: in 0 out 0
no-data packets: in 0 out 0
non-ip packets: in 0 out 0
bad packets: in 0 out 0
copied messages: in 0 out 5642011
input packets: blocked 5325 passed 33322713 nomatch 25820346 counted 0
short 5
output packets: blocked 6838 passed 34085676 nomatch 27159146 counted 0
short 5
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 104
Result cache hits(in): 7502377 (out): 6926826
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 5840 failed: 0
Fastroute successes: 104 failures: 75
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# netstat -s -P ip

IPv4 ipForwarding = 1 ipDefaultTTL = 255
ipInReceives =33445834 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams =23528411 ipForwProhibits = 4657
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =9826661 ipOutRequests =10773455
ipOutDiscards = 0 ipOutNoRoutes = 29
ipReasmTimeout = 60 ipReasmReqds = 6
ipReasmOKs = 5 ipReasmFails = 1
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 241 udpNoPorts = 23358
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 215


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


nat01:~# ipnat -slv|head -60
mapped in 16380487 out 18148742
added 590584 expired 581442
inuse 9142
rules 10
table 8047c70 list e40199b0
List of active MAP/Redirect filters:
map iprb0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
ifp e0bb3a9c space 16777201 nextip 0.0.0.0 pnext 0 flags 0 use 15
map iprb0 172.16.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
ifp e0bb3a9c space 16777216 nextip 0.0.0.0 pnext 0 flags 0 use 0
map iprb0 10.0.0.0/8 -> 0.0.0.0/32 proxy port ftp ftp/tcp
ifp e0bb3a9c space 4294967293 nextip 0.0.0.0 pnext 0 flags 0 use 2
map iprb0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto [1024:65535 1 64512]
ifp e0bb3a9c space 4294961742 nextip 0.0.0.0 pnext 1024 flags 13 use 555
3
map iprb0 172.16.0.0/16 -> 0.0.0.0/32 portmap auto [1024:65535 1 64512]
ifp e0bb3a9c space 4294967281 nextip 0.0.0.0 pnext 1024 flags 13 use 14
map iprb0 10.0.0.0/8 -> 0.0.0.0/32 portmap auto [1024:65535 1 64512]
ifp e0bb3a9c space 4294966800 nextip 0.0.0.0 pnext 1024 flags 13 use 495
map iprb0 192.168.0.0/16 -> 0.0.0.0/32
ifp e0bb3a9c space 16777174 nextip 0.0.0.0 pnext 0 flags 0 use 42
map iprb0 172.16.0.0/16 -> 0.0.0.0/32
ifp e0bb3a9c space 16777216 nextip 0.0.0.0 pnext 0 flags 0 use 0
map iprb0 10.0.0.0/8 -> 0.0.0.0/32
ifp e0bb3a9c space 4294967295 nextip 0.0.0.0 pnext 0 flags 0 use 0
rdr iprb1 0.0.0.0/0 port 80 -> 192.168.1.197 port 8080 tcp
e0bb361c 329920 1 36895 8047be0 3021

List of active sessions:
MAP 192.168.33.177 1379 <- -> 210.172.<ip>.<ip> 2403 [210.157.17.127 443]
age 480 use 0 sumd 0x7539/0x7539 pr 6 bkt 0 flags 1 bytes 1435 pkts 13 7
139
MAP 192.168.34.153 1694 <- -> 210.172.<ip>.<ip> 2718 [202.181.98.209 110]
age 1200 use 0 sumd 0x7451/0x7451 pr 6 bkt 0 flags 1 bytes 650 pkts 13 7
051

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# netstat -naf inet | awk '/\.80/ {print $NF}' | sort | uniq -c
2 CLOSE_WAIT
1148 ESTABLISHED
12 FIN_WAIT_1
93 FIN_WAIT_2
52 LAST_ACK
2 LISTEN
2 SYN_RCVD
2 SYN_SENT
896 TIME_WAIT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


last pid: 6751; load averages: 1.62, 1.81, 1.62 10:22:13
38 processes: 37 sleeping, 1 on cpu
CPU states: 37.4% idle, 10.9% user, 51.7% kernel, 0.0% iowait, 0.0% swap
Memory: 2048M real, 1188M free, 706M swap in use, 2936M swap free
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# vmstat 1
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr s0 s1 s2 -- in sy cs us sy id
0 0 0 3041824 1252080 34 165 16 17 17 0 2 0 7 0 0 851 1442 363 2 12 87
0 0 0 3007084 1217088 295 1050 16 40 40 0 0 0 5 0 0 1853 5356 1723 18 49 34
0 0 0 3007080 1217160 0 0 0 16 16 0 0 0 36 1 0 2628 1597 901 3 39 58
1 0 0 3007080 1217136 69 361 63 281 281 0 0 0 18 0 0 2243 2195 1212 7 43 50
0 0 0 3007080 1217332 15 0 0 0 0 0 0 0 0 1 0 1953 2498 1025 4 40 56
0 0 0 3007080 1217344 8 0 0 20 20 0 0 0 1 0 0 1910 2182 997 7 37 56
0 0 0 3007080 1217364 6 0 8 75 75 0 0 0 10 0 0 2555 3005 1352 10 44 47
0 0 0 3007080 1217392 17 3 4 103 103 0 0 0 79 2 0 1609 4282 1812 12 60 28
0 0 0 3007080 1217480 41 0 40 28 28 0 0 0 7 0 0 2846 2599 1083 7 35 58
0 0 0 3007080 1217504 5 0 0 16 16 0 0 0 2 0 0 3426 2458 923 10 32 58
0 0 0 3007080 1217480 18 1 4 4 4 0 0 0 3 0 0 1469 3005 1133 7 50 43
0 0 0 3007080 1217480 84 1 12 44 44 0 0 0 7 0 0 2368 3829 1389 6 50 44
0 0 0 3007080 1217532 4 0 44 51 51 0 0 0 68 1 0 1817 2590 1191 9 52 39
0 0 0 3007080 1217504 4 0 4 8 8 0 0 0 3 0 0 3225 1083 526 2 29 69
0 0 0 3007080 1217504 25 3 103 0 0 0 0 0 20 0 0 3286 2963 1136 7 39 54
0 0 0 3007080 1217472 26 2 143 16 16 0 0 0 35 0 0 1891 3932 1249 9 47 44
0 0 0 3007080 1217540 9 0 0 0 0 0 0 0 0 0 0 2320 1111 526 3 29 68
0 0 0 3007080 1217540 1 0 0 69 69 0 0 0 36 1 0 2872 2131 981 5 38 58
0 0 0 3007080 1217500 6 0 20 149 149 0 0 0 7 0 0 2619 1841 956 5 33 62
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nat01:~# mpstat 1
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 85 1 38 243 115 200 15 8 8 24 881 3 5 0 92
1 79 1 24 609 461 163 13 8 9 25 562 1 18 0 80
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 5 0 394 377 182 1186 61 24 32 252 2297 14 21 1 64
1 0 1 76 1171 566 506 126 24 30 217 449 1 88 0 11
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 0 1 179 289 125 1022 85 21 47 194 3202 16 26 0 58
1 0 1 49 1130 768 514 88 23 30 191 37 0 77 0 23
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 2 2 236 268 132 1205 160 36 42 203 3530 14 26 0 60
1 2 0 15 1151 702 594 129 36 43 195 417 1 76 0 23
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 0 2 50 253 112 823 78 44 46 147 2750 13 26 1 60
1 0 0 19 921 718 517 66 46 40 146 728 2 70 1 27
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 0 0 2 262 112 485 24 13 13 55 1846 9 16 0 75
1 0 1 38 1224 1105 410 23 22 30 68 212 2 38 0 60
CPU minf mjf xcal intr ithr csw icsw migr smtx srw syscl usr sys wt idl
0 0 15 152 369 205 703 63 43 28 59 2579 17 22 9 52
1 0 19 50 1505 1240 534 27 31 36 65 806 2 52 6 40

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


nat01:~# kstat |egrep 'fail|err|name:|max'
name: cpu_stat0 class: misc
rw_rdfails 145111
rw_wrfails 1343595
name: cpu_stat1 class: misc
rw_rdfails 131393
rw_wrfails 1422651
name: iprb0 class: net
align_errors 0
carrier_errors 0
fcs_errors 0
ierrors 4947
macrcv_errors 0
macxmt_errors 0
oerrors 106051
runt_errors 0
sqe_errors 0
toolong_errors 0
name: iprb1 class: net
align_errors 0
carrier_errors 0
fcs_errors 0
ierrors 5385
macrcv_errors 0
macxmt_errors 0
oerrors 5548
runt_errors 0
sqe_errors 0
toolong_errors 0
(all other "fails", "badcalls" are 0)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-






--
Jorgen Lundman | <lundman@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
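
As an added example (not part of the original post), the script below parses `kstat -p` output in the format shown above and reports, per direction, the interface error rate as a percentage of packets and which detail counters carry exactly the same count as the error total. The sample is a subset of the posted iprb1 lines; the function names are hypothetical.

```python
# Constructed sample: a subset of the `kstat -p iprb:1:` lines from the post.
SAMPLE = """\
iprb:1:iprb1:duplex full
iprb:1:iprb1:ierrors 4237
iprb:1:iprb1:ipackets 16663831
iprb:1:iprb1:missed 0
iprb:1:iprb1:norcvbuf 0
iprb:1:iprb1:oerrors 4924
iprb:1:iprb1:oflo 4237
iprb:1:iprb1:opackets 18016065
iprb:1:iprb1:uflo 4924
"""


def parse_kstat(text):
    """Parse `kstat -p` lines (module:instance:name:statistic value) into
    {name: {statistic: int}}; non-integer values (duplex, crtime) are skipped."""
    stats = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].count(":") < 3:
            continue
        _module, _instance, name, stat = parts[0].split(":", 3)
        value = parts[1].strip()
        if value.isdigit():
            stats.setdefault(name, {})[stat] = int(value)
    return stats


def error_summary(counters):
    """Per direction: error total, error rate in percent of packets, and the
    other counters whose value equals that error total."""
    summary = {}
    for direction, err, pkts in (("in", "ierrors", "ipackets"),
                                 ("out", "oerrors", "opackets")):
        errors = counters.get(err, 0)
        packets = counters.get(pkts, 0)
        pct = 100.0 * errors / packets if packets else 0.0
        same = sorted(k for k, v in counters.items()
                      if k != err and errors and v == errors)
        summary[direction] = {"errors": errors, "pct": round(pct, 4),
                              "same_count": same}
    return summary


if __name__ == "__main__":
    for name, counters in parse_kstat(SAMPLE).items():
        for direction, row in error_summary(counters).items():
            print(name, direction, row)
```

On the posted counters this gives error rates of roughly 0.025% inbound and 0.027% outbound, with `oflo` matching `ierrors` and `uflo` matching `oerrors`.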