MX Devices Not Living Up to Spec for Throughput

wirednot
Getting noticed


The rated throughput on the MX 90 is 500 Mbps for firewall, 250 Mbps for advanced security. I'm using one in simple bridge mode. Despite both interfaces on the MX and the NIC on the client device under test all connecting at Gig, the MX 90 is acting as a 100 Mbps +/- 10 Mbps bottleneck. Take the 90 out, throughput goes back up to almost full gig. The WAN uplink setting is for 500 Mbps, and there are no traffic controls whatsoever set. It appears that the MX just doesn't deliver what spec says it should. Any thoughts or similar experiences?

ww
Kind of a big deal

Sounds not normal. Are you sure that 1 interface didn't negotiate to 100Mbit?

Did you just notice this and not before? Or did it work before with other software versions?

PhilipDAth
Kind of a big deal

I agree with @ww - it sounds like you have an interface operating at 100Mb/s.

You could also try the 14.x firmware as it has a number of performance improvements.

wirednot
Getting noticed

If I do, it's on the MX side where you can't see what's really going on. GUI says 1 Gbps for that interface, and it's absolutely 1 Gig on uplink.

wirednot
Getting noticed

14.x is beta- absolutely won't run beta here for fear of Cisco code culture of suck having settled in to Meraki.

Adam
Kind of a big deal

My experience has been quite the opposite. When testing with an MX64 that's rated for 200/250 I've regularly seen 300M.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
wirednot
Getting noticed

I have MX 64s, 65s, 80s, 84s, 90, 100, 250, and 400s- this is the first I've seen of this, but also the first time I'm using an MX in bridge mode. Not sure if there is anything related to what I'm seeing, but it's extremely easy to show the defect condition right now.

Adam
Kind of a big deal


@wirednot wrote:

I have MX 64s, 65s, 80s, 84s, 90, 100, 250, and 400s- this is the first I've seen of this, but also the first time I'm using an MX in bridge mode. Not sure if there is anything related to what I'm seeing, but it's extremely easy to show the defect condition right now.


@PhilipDAth's observation seems most likely. Most likely something upstream or your WAN port is hard coded or negotiated at 100M instead of 1G.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
wirednot
Getting noticed

Not at all. Not leaving local network, and as I mentioned you take the bridge mode MX out and the connection goes back to near gig traffic.

Adam
Kind of a big deal


@wirednot wrote:

Not at all. Not leaving local network, and as I mentioned you take the bridge mode MX out and the connection goes back to near gig traffic.


Maybe I'm not understanding something correctly but when you are in bridge mode wouldn't the gateway move off of the MX to a different device?  Where is your gateway?  Possibly L3 switch?  If the gateway is on a Layer 3 switch then the traffic shouldn't even be traversing the MX regardless of what mode it is in.  You said LAN based traffic, how are you testing the throughput, iPerf?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
wirednot
Getting noticed

Think inline L2 bridging firewall.


@Adam wrote:

@wirednot wrote:

Not at all. Not leaving local network, and as I mentioned you take the bridge mode MX out and the connection goes back to near gig traffic.


Maybe I'm not understanding something correctly but when you are in bridge mode wouldn't the gateway move off of the MX to a different device?  Where is your gateway?  Possibly L3 switch?  If the gateway is on a Layer 3 switch then the traffic shouldn't even be traversing the MX regardless of what mode it is in.  You said LAN based traffic, how are you testing the throughput, iPerf?


 

robby_barnes
Getting noticed

I agree it sounds like something is wrong. We've always consistently pushed all of our MXs way beyond what they are rated for and they've always handled it like champs.

wirednot
Getting noticed

This is a new topology

CJ_Ramsey
Meraki Employee

It may be worth checking the device's local status page just to make sure your Internet port didn't get defaulted to a 100Mbps Link negotiation. You can check this remotely by doing a client VPN into the MX and going to setup.meraki.com

wirednot
Getting noticed

Interesting. Could it be at 100 on local config page but show Gig in MX status GUI?

CJ_Ramsey
Meraki Employee

That would be anomalous behavior for it to be locked at 100Mbps and showing as Gig, but UI errors have happened before. Always worth checking all your bases.
wirednot
Getting noticed

Back from vacation- I did check the admin pages- there is no option to "nail" the interface to Gig- auto is only choice. For 100 and 10 you can specify duplex etc, but for Gig, auto is it. Given that the MX shows no stats or counters (which is complete BS after all of these years) and the switch side reports Gig with no errors, I have to assume that all is well at Gig between MX and switch. This is further evidenced by what follows:

 

On the advice of TAC support engineer- turned off advanced security and retested. Throughput is essentially doubled, now in the neighborhood of 225 Mbps. Still less than half of what's expected on the MX90 firewall throughput capacity. 

MRCUR
Kind of a big deal

What is the uplink speed configured as on the Traffic Shaping page in Dashboard?

MRCUR | CMNO #12
wirednot
Getting noticed

It is set to the max of 500 Mbps. Every test I throw at this (and I have deployed a lot of MXs in the last nine years) says that this MX is not living up to spec.

MRCUR
Kind of a big deal

You can always request an RMA from Support and see if they go for it. 

MRCUR | CMNO #12