Anyone have a solution for SSIM load balancing?

Created: 27 Sep 2012 | 4 comments
My customer has an SSIM 4.7.4 system; they collected firewall logs with an F5 load balancer and three SSIM servers.

But the firewall log is UDP, and it seems the F5 is not good at supporting UDP packet load balancing, or the firewall traffic level is too high for their SSIM system.

[root@SSIM-Collector1 /]# netstat -an | grep 105
udp   261792      0 :::10514                    :::*
udp        0      0 :::10516                    :::*
udp        0      0 :::10517                    :::*
udp        0      0 :::10518                    :::*
udp        0      0 :::10520                    :::*
udp        0      0 :::10525                    :::*
udp        0      0 :::10530                    :::*
udp        0      0 :::10531                    :::*
udp        0      0 :::10532                    :::*
udp        0      0 :::10533                    :::*
udp   262064      0 :::10550                    :::*
udp        0      0 :::10557                    :::*
udp        0      0 :::10559                    :::*
udp        0      0 :::10595                    :::*
udp        0      0 :::10596                    :::*
udp        0      0 :::10597                    :::*           

Ports 10514 and 10550 are already at full load, and UDP can have many error packets:

[root@SSIM-Collector1 /]# netstat -s
    1243039294 packets received
    772323 packets to unknown port received.
    2644992472 packet receive errors
    729550 packets sent

So I would like you to share if you have any better solution, or if any other load-balancing network device can support UDP packets better.

Another question: what is the meaning of the numbers 262064 and 261792? I found they cannot rise any higher. Packets per second? Or the queue on this port?

Have you tried a load balancer device in front of the bunch of SSIMs? Maybe redirecting in a round-robin type scenario? (It does require a device like a Cisco load balancer.)

I think he's saying that the SSIMs are already behind an F5 load balancer and it can't load balance the UDP very well; if F5 can't do it very well, I wouldn't hold out much hope for the Ciscos.

I have a similar problem, top of the range ASA firewalls burst over 15k EPS and easily bring down a standalone SSIM.  Customer has 10 SSIM licenses so we're pushing for a design workshop to hammer out a proper design rather than using the PoC box in production (!!!), I'm hoping a standalone collector SSIM can cope but I don't actually know the peak EPS rate on the ASAs yet, could be they'll need a load balancer too.

We load balance to multiple rsyslog daemons (which forward to local collector instances) using Piranha, but going to try our new Cisco LBs. Piranha works very well, but our network folks want us to use their new solution. FWIW, the old Cisco load balancer worked very poorly with UDP. It treated a stream of UDP messages from a single source like a connection and forwarded all to a single host (e.g. no load balancing). With Piranha, we can actually "round robin" the incoming UDP messages. We also had to tweak some Linux kernel settings to get optimal behavior.
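Added example, not part of any post in this thread: a shell script that reads the two outputs shown in the question. The second column of `netstat -an` is Recv-Q, the bytes sitting in the socket's receive buffer waiting for the application to read them, and `packet receive errors` counts UDP datagrams the kernel could not deliver, including those dropped because that buffer was full. The 200000-byte threshold, the function names and the second counter sample are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: spot UDP listeners whose receive queue is backing up and
# measure how fast the receive-error counter is growing.
# Live use: netstat -an | backed_up_udp_ports 200000

# Lines copied from the `netstat -an` output in the question.
SAMPLE_NETSTAT='udp   261792      0 :::10514                    :::*
udp        0      0 :::10516                    :::*
udp   262064      0 :::10550                    :::*
udp        0      0 :::10557                    :::*'

# First snapshot uses the counters from the question; the second is a
# constructed value standing in for a reading taken 10 seconds later.
SAMPLE_STATS_T0='    1243039294 packets received
    2644992472 packet receive errors'
SAMPLE_STATS_T1='    1243089294 packets received
    2645142472 packet receive errors'

# stdin: `netstat -an` output. $1: Recv-Q threshold in bytes (assumed value;
# choose one just under the socket receive buffer size on the collector).
# Prints "port recv_q_bytes" for every UDP socket at or above the threshold.
backed_up_udp_ports() {
  awk -v min="$1" '$1 ~ /^udp/ && ($2 + 0) >= (min + 0) {
    n = split($4, part, ":")        # port is the last colon-separated piece
    print part[n], $2
  }'
}

# stdin: `netstat -s` output. Prints the UDP "packet receive errors" counter.
udp_rx_errors() {
  awk '/packet receive errors/ { print $1; exit }'
}

# $1, $2: two `netstat -s` snapshots; $3: seconds between them.
# Prints receive errors per second over that interval.
udp_error_rate() {
  _before=$(printf '%s\n' "$1" | udp_rx_errors)
  _after=$(printf '%s\n' "$2" | udp_rx_errors)
  echo $(( (_after - _before) / $3 ))
}

echo "UDP ports with a backed-up receive queue:"
printf '%s\n' "$SAMPLE_NETSTAT" | backed_up_udp_ports 200000
echo "Receive errors: $(udp_error_rate "$SAMPLE_STATS_T0" "$SAMPLE_STATS_T1" 10) per second"
```

A Recv-Q that stays pinned near the same value while the error counter keeps climbing means the collector process is not draining the socket as fast as datagrams arrive.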

