No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fault - ICMP latency increasing on USG5500 from time to time

Publication Date:  2013-09-26 Views:  109 Downloads:  0
Issue Description
A ---> Firewall ---> B
Ping from A to firewall and from B to firewall present delay.
PING 10.172.186.161: 56  data bytes, press CTRL_C to break
    Reply from 10.172.186.161: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.172.186.161: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.172.186.161: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=5 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=6 ttl=255 time=10 ms

Huawei Versatile Security Platform Software
Software Version: USG5500 V300R001C00SPC700  (VSP (R) Software, Version 1.20)
Copyright (C) 2010-2012 Huawei Technologies Co., Ltd. All rights reserved.
Alarm Information
device is directly connected by ICMP latency is too big.

PING 10.172.186.161: 56  data bytes, press CTRL_C to break
    Reply from 10.172.186.161: bytes=56 Sequence=1 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 10.172.186.161: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.172.186.161: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=5 ttl=255 time=10 ms
    Reply from 10.172.186.161: bytes=56 Sequence=6 ttl=255 time=10 ms
Handling Process
When you ping from A to B, icmp packets pass through firewall via Forwarding plane, are processed by a independent special ASIC chips, without switch CPU involvement, at line speed, without latency.

When you ping to firewall directly, ping packet will be transferred to Control plane - CPU. At that level, packet might wait task scheduling mechanism to get through. On our systems and also on other vendors ICMP have low priority, from security and effectiveness considerations.

Burst Latency is determined by the task schedule of ICMP, and have no relation with general data transfer. This is known behavior that appear on any vendor devices. Depends on the cpu frequency and usage. If frequency is bigger will be scheduled faster.
Root Cause
A ---> Firewall ---> B
when ping from A to B through firewall the latency is not present. So the problem appear when firewall receive icmp packets.
Suggestions
none.

END