After a recent configuration change on a FireSIGHT System, you may experience network latency. This document provides a method to investigate the cause of a latency issue.
In order to troubleshoot a latency issue, Cisco recommends the following:
- You should have advanced knowledge of the FireSIGHT System.
- Latency and performance testing should only be performed on hardware platforms, since a virtualized environment introduces external factors that are impossible to incorporate into an analysis.
- Cisco's internal testing mechanism uses the Balanced Security and Connectivity Intrusion Policy. A custom user-defined policy is beyond the scope of latency assurances.
- Do not run a latency test over the Internet. If you do not have dedicated hardware to test latency, you can use directly or closely connected endpoints to perform a test for a certain application, for example, a file transfer.
The instructions in this document are applicable to any FireSIGHT System.
Understand The Testing Method
In order to identify the root cause of latency, two test runs are necessary: the first run gathers data points before a change is made, and the second run collects data points after the change is made. The final test result is derived by comparing the two sets of data points, before and after the configuration change.
A FireSIGHT System has many complex components that interconnect in complicated ways, so changing more than one parameter may generate varying results, which makes it difficult to trace a result back to its cause.
The most important requirement for comparative latency testing is that exactly one variable, the one under analysis, changes between the two runs. For example, if you test latency between different versions of the software, only the software version can change between tests. All other configuration must be held constant, such as the hardware platform, inspection policy, application identification (AppID) configuration, Access Control rules, logging (end-of-flow only), and all other configuration parameters.
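The single-variable rule above, as an added example (not Cisco code): the sketch refuses to compare two runs unless exactly one configuration variable differs, then reports the change in median and 95th-percentile latency. The record layout, field names and sample values are constructed for illustration, and microseconds is an assumed unit.

```python
import math
from statistics import median

# Constructed run records: field names and all values are illustrative only.
BASE_CONFIG = {
    "software_version": "version-A",
    "hardware_platform": "appliance-1",
    "intrusion_policy": "Balanced Security and Connectivity",
    "appid": "enabled",
    "access_control_rules": "ruleset-1",
    "logging": "end-of-flow",
}
BEFORE = {"config": BASE_CONFIG,
          "latency_us": [110, 120, 115, 130, 118, 122, 119, 125]}
AFTER = {"config": {**BASE_CONFIG, "software_version": "version-B"},
         "latency_us": [150, 160, 155, 170, 158, 162, 159, 165]}


def changed_variables(before, after):
    """Names of configuration variables whose values differ between runs."""
    return sorted(k for k in set(before) | set(after)
                  if before.get(k) != after.get(k))


def percentile(samples, pct):
    """Nearest-rank percentile, so the result is always an observed sample."""
    ordered = sorted(samples)
    return ordered[max(1, math.ceil(pct / 100 * len(ordered))) - 1]


def compare_runs(before, after):
    """Compare two runs only if exactly one configuration variable changed."""
    diff = changed_variables(before["config"], after["config"])
    if len(diff) != 1:
        raise ValueError(f"runs must differ by exactly one variable, got {diff}")
    report = {"variable": diff[0]}
    stats = {"median": median, "p95": lambda s: percentile(s, 95)}
    for name, stat in stats.items():
        b, a = stat(before["latency_us"]), stat(after["latency_us"])
        report[name] = {"before": b, "after": a, "delta": a - b}
    return report


if __name__ == "__main__":
    print(compare_runs(BEFORE, AFTER))
```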
- Two sets of data for the following items - before and after a configuration change:
- Provide a summary of the test results which highlights the latency concern.
- Provide a specific reference (such as page number and data field) from your test report where results are scrutinized.
- A clear description of the latency: why the current latency is unacceptable, and what the expectation is.
- Provide a description of all the changes made between test runs. For example, if there is a change in the Intrusion Policy, then provide details of the change, including rules added or modified.