Intrusion detection and prevention

Dudleydogg
A model citizen


I have the MX100; the white papers state this is a 750mb router, although I can get speeds in the high 800s, usually 850x850. Recently all my speeds went down to 350x350, and the only way to get back to my 800-ish speeds is to completely disable "Intrusion detection and prevention". I would like to know if anyone else has noticed recent slowdowns, like maybe the rules have changed. My MX100 should perform 650mb speeds with all rules enabled, but this is no longer the case. I even tested another MX100, only to see similar results.

ww
Kind of a big deal

I have seen this on MX67/68 moving from fw 16 to 17. From 800 > 200.

Are you running 17.x firmware?

Dudleydogg
A model citizen

Running 17.6. When we got the 1gb service our speeds were fine for about a month, then I noticed the slowdown. Thinking it was an ISP issue, I had them come over and test, and it was not their side of things. It took a bit of time to figure out it was the rules; although they have been in place for a year, only recently did they slow down my network.

CarlZellers
Here to help

1. Is the mode set to Prevention or Detection?
2. Is the ruleset set to Connectivity, Balanced or Security?

Have you tested throughput among the various ruleset settings?

Dudleydogg
A model citizen

I have tried every combination; currently it's Prevention/Connectivity. I thought Detection/Balanced would help, but the only way to get anything over 350x350 is to disable it. Even the white paper KB says the router should do 650MB with all rules enabled. This is not the case for us here.

harmankardon
Building a reputation

I experienced a similar issue with the MX67C after upgrading to MX 17.6: https://community.meraki.com/t5/Security-SD-WAN/WAN-throughput-on-MX67C-running-MX-17-6-firmware/m-p...

Some others with similar hardware/firmware setups chimed in that they were not experiencing the same issue, so it doesn't seem to affect all instances of MX 17.6.

I eventually gave up because the WAN link is the bottleneck at all our production sites.

southpaw001
Conversationalist

We are experiencing the same issue, except ours seems to have started with the upgrade to 16.15 (currently on 16.16.5 with no resolution).

When we disable Intrusion detection and prevention, speed tests show 1 - 1.2 Gbps. When it is enabled with any combination of settings, speed tests go down to around 350 x 350 Mbps. Previously IDP would have some minor effect, but we'd get in the 800 - 900 Mbps range.

Ventsy
Here to help

Same issue with 2 x MX100 with firmware 17.8.

Siggor
New here

The same problem here.

IDS/IPS on = 364x364

IDS/IPS off = 930x930

This is unacceptable!

CptnCrnch
Kind of a big deal

Really? You could try the same on Fortinet and be stoked by the sub-par deliverables. 😉

Dudleydogg
A model citizen

Just to recap on this thread: the issue was memory utilization in my case; the only solution was to update the router to the next model up. We are up and running again.

BlakeRichardson
Kind of a big deal

Thanks for sharing. Did you have too many users for the model you were using?

Dudleydogg
A model citizen

No, usage was low: about 55 endpoints, only less than 15 users. We utilize larger routers only because our backend internet connection was 1GB.

tomas209ca
Getting noticed

I have been troubleshooting this issue because I was seeing slow speed at the core sw and MX100. With each new firmware on 16 and 17, throughput is getting less and less. From speaking with Meraki support, there might be a bug/issue with IDS. I have tried multiple settings on IDS and am still limited to from 180mbs to around 300mbs. This issue can be addressed by adding a layer 3 sw and limiting what the FW needs to do. This also affects inter-VLAN routing. Currently running with IDS turned off.

southpaw001
Conversationalist

Experiencing the same issue since May, no resolution in sight.
