Screencasts - Hilfsvideos
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Any one have an solution about SSIM load balance?

Created: 27 Sept. 2012 | 4 Kommentare
das Bild der Eason_Xias

My customer have an SSIM 4.7.4 system  , they collected  Firewall log with F5 load balance and three SSIM server.

But Firewall log is UDP, seems F5 not good at support UDP packet load balance , or the Firewall traffic level is too high for their SSIM system.

[root@SSIM-Collector1 /]# netstat -an | grep 105
udp   261792      0 :::10514                    :::*
udp        0      0 :::10516                    :::*
udp        0      0 :::10517                    :::*
udp        0      0 :::10518                    :::*
udp        0      0 :::10520                    :::*
udp        0      0 :::10525                    :::*
udp        0      0 :::10530                    :::*
udp        0      0 :::10531                    :::*
udp        0      0 :::10532                    :::*
udp        0      0 :::10533                    :::*
udp   262064      0 :::10550                    :::*
udp        0      0 :::10557                    :::*
udp        0      0 :::10559                    :::*
udp        0      0 :::10595                    :::*
udp        0      0 :::10596                    :::*
udp        0      0 :::10597                    :::*           

port 10514and 10550 already full load,  and can UDP have many error packet

                         
[root@SSIM-Collector1 /]# netstat -s
***********
Udp:
    1243039294 packets received
    772323 packets to unknown port received.
    2644992472 packet receive errors
    729550 packets sent

So i want you share me if you have any better solution or any other Load balance network device can support UDP packet better.

Another question is , what's the meaning about the number 262064, 261792 , i found they cannot raise more, packet per second? or queue on this port ?

Kommentare KommentareZum neuesten Kommentar

das Bild der Laurent_cs

Have you tried a load balancer device in front of the bunch of SSIM ? maybe redirecting in round robin type scenario ? (it does require a device like a cisco load balancer)

das Bild der Mike Buckleys

I think he's saying that the SSIMs are already behind a F5 load balancer and it can't load balance the udp very well, if F5 can't do it very well I wouldn't hold out much hope for the Ciscos.

I have a similar problem, top of the range ASA firewalls burst over 15k EPS and easily bring down a standalone SSIM.  Customer has 10 SSIM licenses so we're pushing for a design workshop to hammer out a proper design rather than using the PoC box in production (!!!), I'm hoping a standalone collector SSIM can cope but I don't actually know the peak EPS rate on the ASAs yet, could be they'll need a load balancer too.

das Bild der mathells

We load balance to multiple rsyslog daemons (which forward to local collector instances) using Pirahna, but going to try our new Cisco LBs. Pirahna works very well, but our network folks want us to use their new solution.  FWIW, the old Cisco load balancer worked very poorly with UDP. It treated a stream of UDP messages from a single source like a connection and forwarded all to a single host (e.g. no load balancing). WIth Pirahna, we can actually "round robin" the incoming UDP messages. We also had to tweak some Linux kernel settings to get optimal behavior.

das Bild der alvingarlics

Hi

I need help on SSIM data replication. can anyone provide me the document?