Impact of enabling sysopt np completion-unit on FWSM


Post by Guest » Thu May 15, 2008 4:20 pm

Just one question: will enabling sysopt np completion-unit impact my FWSM? I have around 7 contexts and I am getting lots of out-of-order packets and slowness while transferring huge files. Can anyone help? Is it recommended?


Re:Impact of enabling sysopt np completion-unit on FWSM

Post by Guest » Thu May 15, 2008 4:20 pm

"sysopt np completion-unit" will not impact the FWSM. It also fixed an FWSM defect that used to reorder TCP packets under certain conditions and could cause slowness. I hope it helps.

PK


Re:Impact of enabling sysopt np completion-unit on FWSM

Post by Guest » Thu May 15, 2008 4:55 pm

The command only helps for TCP traffic, not for UDP traffic. Here is the defect ID for the FWSM out-of-order packet issue: http://tools.cisco.com/Support/BugToolK ... CSCsl10667 TCP out of order issue - that causes latency issues.

FWSM 3.1.12 and 3.2.5 and above code has a sysopt command "sysopt np completion-unit" that needs to be configured. Here is the link to the bug:

- To enable completion unit on the NP complex, which will ensure that packets processed by FWSM don't get reordered while traversing the firewall:

    [no] sysopt np completion-unit

  The no form of the command disables the completion unit and therefore reordering may occur as packets get processed by the FWSM.
- The command is available in single and multiple mode. In multiple mode, the command must be executed in admin context and it will turn on/off the completion unit globally for the entire system.
- The command can be saved in the config using wr mem and it is persistent across reloads.
- The command is synced from active to standby as part of the config sync.

Command reference link: http://www.cisco.com/en/US/docs/securit ... rence/s8.html#wp2759328

-KS


Re:Impact of enabling sysopt np completion-unit on FWSM

Post by Guest » Thu May 15, 2008 5:50 pm

This document has a section which explains how np completion impacts the FWSM and some other points to take into consideration when working with performance and reordering issues on the FWSM: https://supportforums.cisco.com/docs/DOC-12668

Regards,
Fadi.


Re:Impact of enabling sysopt np completion-unit on FWSM

Post by Guest » Thu May 15, 2008 6:04 pm

I have done the below configs and the transfer rate has increased about 3 times. Thanks for the document. And no outages during the change.

Optimized FWSM Configuration
• Interface MTU set to 1500 bytes
• TCP MSS adjusted to 1460 bytes
• TCP Window Scale and SACK permitted
• TCP Sequence Number Randomization disabled
• NP Completion Unit enabled
