09-16-2019 09:21 AM
Did SSL decryption on PA 5220 running 8.1.9.
When i run below command
show running resource-monitor hour last 3
Resource monitoring sampling data (per hour):
CPU load (%) during last 3 hours:
core 0 1 2 3 4 5 6 7
avg max avg max avg max avg max avg max avg max avg max avg max
* * 37 71 33 70 32 87 34 70 34 70 35 70 32 70
* * 35 58 32 49 30 50 32 51 33 53 33 51 30 49
* * 27 75 23 40 22 58 23 43 25 45 25 42 21 47
core 8 9 10 11 12 13 14 15
avg max avg max avg max avg max avg max avg max avg max avg max
32 70 31 79 34 71 36 72 33 70 33 70 35 96 32 70
30 50 29 47 32 52 34 52 32 50 32 48 34 53 30 53
21 40 21 38 24 43 27 46 23 40 24 38 25 41 22 40
core 16 17 18 19 20 21 22 23
avg max avg max avg max avg max avg max avg max avg max avg max
32 71 31 70 36 91 34 70 33 70 31 70 32 70 34 70
30 50 29 50 34 52 33 50 31 51 29 46 31 50 32 52
22 39 21 41 25 44 25 38 23 40 21 41 22 43 24 40
core 24 25 26 27 28 29 30 31
avg max avg max avg max avg max avg max avg max avg max avg max
34 70 33 70 34 70 31 70 30 70 31 70 33 70 32 70
32 50 32 50 32 52 29 47 28 48 29 49 31 50 30 48
23 62 24 41 24 41 22 36 20 42 22 39 24 41 23 61
core 32 33 34 35 36 37 38 39
avg max avg max avg max avg max avg max avg max avg max avg max
32 78 31 70 33 70 34 71 33 70 33 71 34 70 39 71
30 50 29 47 31 52 33 49 31 50 32 49 32 51 38 54
22 39 22 63 24 39 25 40 22 46 24 40 24 40 30 76
core 40 41 42 43 44 45 46 47
avg max avg max avg max avg max avg max avg max avg max avg max
* * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * *
Resource utilization (%) during last 3 hours:
session (average):
3 2 2
session (maximum):
3 3 2
packet buffer (average):
0 0 0
packet buffer (maximum):
80 2 1
packet descriptor (average):
1 0 0
packet descriptor (maximum):
4 1 2
packet descriptor (on-chip) (average):
4 4 3
packet descriptor (on-chip) (maximum):
100 33 29
Are the numbers packet decriptor touching 100 is good???????????????
09-17-2019 01:25 AM - edited 09-17-2019 01:27 AM
in short: no
the packet descriptors are packet caching (somewhat like L2 memory)
did this only appear after enabling ssl decryption?
the good thing is that your average is very low and you only see 1 instance of 100 (packetloss will start to occur at around 90%) so this may have been a one-time occurence
09-17-2019 01:28 AM
Hi @MP18 ,
Your average values are low so you are reaching the high numbers rarely.
That said, when you do reach those numbers the FW will start to drop packets.
Cheers
-Kiwi.
09-17-2019 01:25 AM - edited 09-17-2019 01:27 AM
in short: no
the packet descriptors are packet caching (somewhat like L2 memory)
did this only appear after enabling ssl decryption?
the good thing is that your average is very low and you only see 1 instance of 100 (packetloss will start to occur at around 90%) so this may have been a one-time occurence
09-17-2019 01:28 AM
Hi @MP18 ,
Your average values are low so you are reaching the high numbers rarely.
That said, when you do reach those numbers the FW will start to drop packets.
Cheers
-Kiwi.
09-17-2019 04:52 AM
Thanks for confirming that.
Yes it only occur when I enable ssl enable for one LAN site.
Right numbers to look for is the average value of packet descriptors right?
08-31-2020 07:45 AM
Yes, But sometimes we need to consider packet descriptor (on-chip) (maximum) as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
