The Web Security Appliance is designed to handle thousands of client and server connections in parallel, and the sizes of the send and receive buffers are configured to deliver optimal performance, without sacrificing stability. Generally, actual usage is browse traffic, consisting of numerous short-lived connections for which we have receive-packet-steering (RPS) and receive-flow-steering (RFS) data, and for which the Web Security Appliance has been optimized.
However, at times you may experience a noticeable reduction in upload or download speeds; for example, when transferring large files via proxy. To illustrate: assuming a 10-Mbps line, downloading a 100-MB file that passes through a Web Security Appliance can be approximately seven to eight times slower than downloading the file directly from its server.
In environments that include a larger proportion of large-file transfers, you can use the
networktuning command to increase send and receive buffer size to alleviate this issue, but doing so can also cause network memory exhaustion and affect system stability. See
Web Security Appliance CLI Commands
for details of the
Exercise care when changing the TCP receive and send buffer control points and other TCP buffer parameters. Use the networktuning command only if you understand the
To configure the buffer size in networktuning, ensure that you have enabled the automatic send and receive options that are provided under
Here are examples of the networktuning command on two different appliances:
sendspace = 131072
recvspace = 131072
send-auto = 1 [Remember to disable miscellaneous > advancedproxy > send buf auto tuning]
recv-auto = 1 [Remember to disable miscellaneous > advancedproxy > recv buf auto tuning]
mbuf clusters = 98304 * (X/Y), where X is RAM in GB on the system and Y is 4 GB.
sendbuf-max = 1048576
recvbuf-max = 1048576
What are these
The Web Security Appliance has several buffers and optimization algorithms which can be altered for specific needs. Buffer sizes are originally optimized to suit the “most common” deployment scenarios. Larger buffer sizes can be used when faster per-connection performance is needed, but note that overall memory usage will increase. Therefore, buffer-size increases should be in line with the memory available on the system. The send- and receive-space variables control the size of the buffers available for storing data for communication over a socket. The send- and receive-auto options are used to enable and disable dynamic scaling of send and receive TCP window sizes. (These parameters are applied in the FreeBSD kernel.)
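The following sizing check is an added example, not Cisco code or appliance output: it parses settings written in the format shown above, scales the mbuf cluster count for the installed RAM, and estimates how many sockets the cluster pool can back at the initial and at the auto-scaled maximum buffer sizes. It assumes the FreeBSD default cluster size of 2048 bytes and, as a pessimistic upper bound, that every socket fills both of its buffers; the function names and the sample socket counts are hypothetical.

```python
import re

MCLBYTES = 2048  # assumption: FreeBSD default mbuf cluster size, in bytes

# Constructed input: the example values from this page (RAM-dependent line omitted).
SAMPLE = """\
sendspace = 131072
recvspace = 131072
send-auto = 1 [Remember to disable miscellaneous > advancedproxy > send buf auto tuning]
recv-auto = 1 [Remember to disable miscellaneous > advancedproxy > recv buf auto tuning]
sendbuf-max = 1048576
recvbuf-max = 1048576
"""

def parse_settings(text):
    """Parse 'name = integer [optional note]' lines into a dict of ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z][a-z -]*?)\s*=\s*(\d+)", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings

def mbuf_clusters(ram_gb):
    """The page's formula: 98304 * (X/Y), X = RAM in GB, Y = 4 GB."""
    return int(98304 * ram_gb / 4)

def budget(settings, ram_gb, sockets):
    """Compare worst-case socket buffer demand with the mbuf cluster pool."""
    pool = mbuf_clusters(ram_gb) * MCLBYTES
    initial = settings["sendspace"] + settings["recvspace"]
    auto = settings.get("send-auto") == 1 and settings.get("recv-auto") == 1
    # With auto-scaling enabled, a busy socket can grow up to the *-max values.
    worst = settings["sendbuf-max"] + settings["recvbuf-max"] if auto else initial
    return {
        "pool_bytes": pool,
        "sockets_at_initial": pool // initial,
        "sockets_at_worst": pool // worst,
        "fits": sockets * worst <= pool,
    }

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE)
    for ram in (4, 8):  # hypothetical RAM sizes in GB
        print(ram, "GB:", budget(cfg, ram, sockets=500))
```

The gap between the two socket counts is the memory-exhaustion risk the text describes: a few hundred simultaneous large transfers can claim what thousands of short-lived browse connections never would.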
How were these example values determined?
We tested different sets of values on a customer’s network where this “problem” was observed, and “zeroed in” on these values. We then further tested these changes for stability and performance increase in our labs. You are free to use values other than these at your own risk.
Why are these values not the defaults?
As mentioned, by default the Web Security Appliance is optimized for the most-common deployments, and operating in a very large number of locations without per-connection performance complaints. Making the changes discussed here will not increase RPS numbers, and in fact may cause them to drop.