SSL decryption enabled and Packet Descriptor


Did SSL decryption on PA 5220 running 8.1.9.

 

When I run the below command:

 

show running resource-monitor hour last 3

Resource monitoring sampling data (per hour):

CPU load (%) during last 3 hours:
core 0 1 2 3 4 5 6 7
avg max avg max avg max avg max avg max avg max avg max avg max
* * 37 71 33 70 32 87 34 70 34 70 35 70 32 70
* * 35 58 32 49 30 50 32 51 33 53 33 51 30 49
* * 27 75 23 40 22 58 23 43 25 45 25 42 21 47
core 8 9 10 11 12 13 14 15
avg max avg max avg max avg max avg max avg max avg max avg max
32 70 31 79 34 71 36 72 33 70 33 70 35 96 32 70
30 50 29 47 32 52 34 52 32 50 32 48 34 53 30 53
21 40 21 38 24 43 27 46 23 40 24 38 25 41 22 40
core 16 17 18 19 20 21 22 23
avg max avg max avg max avg max avg max avg max avg max avg max
32 71 31 70 36 91 34 70 33 70 31 70 32 70 34 70
30 50 29 50 34 52 33 50 31 51 29 46 31 50 32 52
22 39 21 41 25 44 25 38 23 40 21 41 22 43 24 40
core 24 25 26 27 28 29 30 31
avg max avg max avg max avg max avg max avg max avg max avg max
34 70 33 70 34 70 31 70 30 70 31 70 33 70 32 70
32 50 32 50 32 52 29 47 28 48 29 49 31 50 30 48
23 62 24 41 24 41 22 36 20 42 22 39 24 41 23 61
core 32 33 34 35 36 37 38 39
avg max avg max avg max avg max avg max avg max avg max avg max
32 78 31 70 33 70 34 71 33 70 33 71 34 70 39 71
30 50 29 47 31 52 33 49 31 50 32 49 32 51 38 54
22 39 22 63 24 39 25 40 22 46 24 40 24 40 30 76
core 40 41 42 43 44 45 46 47
avg max avg max avg max avg max avg max avg max avg max avg max
* * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * *

Resource utilization (%) during last 3 hours:
session (average):
3 2 2
session (maximum):
3 3 2
packet buffer (average):
0 0 0
packet buffer (maximum):
80 2 1
packet descriptor (average):
1 0 0
packet descriptor (maximum):
4 1 2
packet descriptor (on-chip) (average):
4 4 3
packet descriptor (on-chip) (maximum):
100 33 29

 

Is the packet descriptor number touching 100 good?

MP


in short: no

the packet descriptors are packet caching (somewhat like L2 memory)

did this only appear after enabling ssl decryption?

the good thing is that your average is very low and you only see 1 instance of 100 (packet loss will start to occur at around 90%) so this may have been a one-time occurrence

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


Community Team Member

Hi @MP18 ,

 

Your average values are low so you are reaching the high numbers rarely.

That said, when you do reach those numbers the FW will start to drop packets.

 

Cheers

-Kiwi.

LIVEcommunity team member, CISSP

Thanks for confirming that.

Yes, it only occurs when I enable SSL for one LAN site.

The right number to look for is the average value of packet descriptors, right?

MP


Yes, but sometimes we need to consider packet descriptor (on-chip) (maximum) as well.
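
The check discussed in this thread, as an added example that is not part of the original posts and not a Palo Alto Networks tool: it parses the utilization section of the show running resource-monitor output and reports packet buffer and packet descriptor maximums at or above the roughly 90% mark mentioned in the first reply, next to the matching average. The function names and the threshold constant are assumptions; the sample text is copied from the output posted above.

```python
import re

# Utilization section copied from the output posted in the thread above.
SAMPLE = """\
Resource utilization (%) during last 3 hours:
session (average):
3 2 2
session (maximum):
3 3 2
packet buffer (average):
0 0 0
packet buffer (maximum):
80 2 1
packet descriptor (average):
1 0 0
packet descriptor (maximum):
4 1 2
packet descriptor (on-chip) (average):
4 4 3
packet descriptor (on-chip) (maximum):
100 33 29
"""

LOSS_THRESHOLD = 90  # assumption taken from the reply: loss starts at around 90%

def parse_utilization(text):
    """Return {(resource, stat): [values]}; CPU tables in the output are ignored."""
    metrics, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        label = re.fullmatch(r"(.+) \((average|maximum)\):", line)
        if label:
            key = (label.group(1), label.group(2))
        elif key and re.fullmatch(r"[\d* ]+", line):
            # '*' marks a sample without data; keep its column as None
            metrics[key] = [None if v == "*" else int(v) for v in line.split()]
            key = None
    return metrics

def descriptor_spikes(metrics, threshold=LOSS_THRESHOLD):
    """List (resource, column, maximum, average) for packet maximums >= threshold."""
    hits = []
    for (resource, stat), values in metrics.items():
        if stat == "maximum" and resource.startswith("packet"):
            avgs = metrics.get((resource, "average"), [None] * len(values))
            hits += [(resource, i, v, avgs[i]) for i, v in enumerate(values)
                     if v is not None and v >= threshold]
    return hits
```

For the posted output this returns a single hit: the on-chip descriptor maximum of 100 in the first column, alongside an average of 4 for the same sample.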
