Why does ER8411 consume so much RAM?
I have a few of ER8411 v1. Even with 1.03, the memory usage is close to 58% with no traffic if I login at night time. Considering it has 4GB of RAM, and compared with 512MB on ER7206 (which I also have several) and which will consume about 20%.
I am trying to see if ER8411 can work reliably in a large school with 3000 students and with about 3Gig of Internet (on a 10Gig fiber).
Anyone using this gateway model in a large setup, please share your experience.
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
To further add to my post, the specs for this box say 2300K of concurrent connections, and that implies NAT connection state tracking table size. To be safe, we can assume 60% of that as usable, or about 1400K of concurrent connections. Further the firewall may use one connection for each side (incoming and outgoing) of each connection leg. So that reduces to about 700K concurrent connections. Considering a device can average about 200 sessions each, the box will seem like supporting 3500 active users.
Let us now look at the RAM. Each connection could use 10Meg per side, so 700K will use 7GB of RAM. But looks like box consumes about 2.4GB without load, so we are left with only about 1GB for connection tracking. Accordingly 1GB may only 500 concurrent users.
CPU does not seem to be an issue, which is relevant for bandwidth / traffic funneled thru the box, but RAM could be upgraded to 16GB (and they could charge USD100 or so for upgrade kit :) for larger use case.
I might be wrong, but I believe this box should not be used for 500 concurrent active users situation. And being a SMB product, this might be okay for that market segment.
- Copy Link
- Report Inappropriate Content
@dpsguard I ran some stress testing on my ER605. Definitely not a direct comparison but something to think about.
- ER605 Starting RAM Usage: 33% Used (42/128MB)
- Start load/stress testing traffic with scripts launching many concurrent Google searches
- Current Sessions as reported by the ER605 peaked at just over 15k
- At the same time, the internet was still working normally when tested by browsing and loading YouTube videos
- Stopped load testing due to the source PC struggling from resource exhaustion
- ER605 Peak RAM Usage: 47% Used (60/128MB)
- Waited for all the sessions to die off / be cleared
- ER605 Final RAM Usage: 33% Used (42/128MB)
Some observations from my testing
- No obvious memory leak after mass starting/finishing lots of sessions since RAM usage returned to the starting amount
- 18MB/18,000KB divided by 15,000 sessions comes out to roughly 1.2KB per session
- These were simple short-lived sessions that may not reflect real-world usage but the result does align closely with Cisco documentation that says the basic NAT translation is very memory efficient (312 bytes) - https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
- There are things that use memory beyond NAT translation of course
Unless I misunderstand your users, you may be overstating the concurrent sessions per device. I only ever see this under 50 concurrent sessions per device for my family's most active desktops/laptops.
My suggestion for a new rough back-of-the-envelope estimate would be something like:
- ER7411 has 1GB RAM available
- average of 10KB RAM per session
- average of 50 concurrent sessions per device
Result: Supporting 100,000 concurrent sessions or 2,000 users
- Copy Link
- Report Inappropriate Content
@dsj thanks so much for looking into this and sharing your testing methodology and results.
My methodology might be flawed then. I looked at a metric on my mid size pfsense firewall that has 8GB of RAM and there is an item at home page displayed as State Table Size (has scale to 804000). Down below, it showed the actual RAM it shows 13%, so likely 10% pre-allocated for state table and 3% of actual current use for other things.
I used one of our own site Public IP address to send simulate traffic to (used a utility from NetScan Tool, called Packet flooder, which only can do UDP, set concurrent session to 10 and then slowly increased to 70, set sending port to be randomized and set the bandwidth to consume to 5% of interface speed and set time to 15 seconds, at night time. And it was showing 98% of State Table used at 70 UDP sessions and I could see from WAN bandwidth graph that it did consume about 45Mbps, which will be close to 5% of 1Gbps interface speed. At that time, I also lost access to my firewall.
So if pfsense by design allocates 10% of RAM (800MB about 804000KB) out of 8GB for state table buffer, then each session consumed almost 10MB, at least for UDP stream. So my box will then not allow more than maybe about 60 sessions (UDP they are and not TCP), unless I find a way to allocate more memory to state table out of 90% allocated for other functions.
However, there must be some other supporting overheads that will use the memory in ER8411, while my pfsense box only uses 3%. In your testing, you used a script as load generator, but will that script then not be launched just from a single machine. That may then only consume one state table entry (a tuple of sender IP, sender port, destination Google webserver IP and port 443)? Sure script will show 15K sessions, but they may all be seem by router as part of a single session (unless script was also randomizing the sending port number for each session generated). Hopefully it does. Can you please share that script / link?
As to the concurrent sessions per user, I was asked to assume about 100 sessions per laptop in school for some days when they will have 50% of students to attend classes to a remote school. I was not sure myself as to what type of session will that be to use many concurrent established sessions ( I just saw my own computer with 4 tabs open for browser, Outlook and one YouTube video going and I had 70 sessions). I agree that maybe using 25 on an average could be good number, but I am scratching my head as to why ER8411 will pre-allocate about 60% of 4GB to various processes with almost zero traffic (other than my remote management traffic).
- Copy Link
- Report Inappropriate Content
@dpsguard I verified the number of sessions using the ER605's Session Monitor feature in standalone mode. This displayed a peak of just over 15k sessions.
It was a very simple/crude testing method as I mentioned. I ran several concurrent instances of this basic parallel Powershell script with a variety of websites/URLs.
[int[]]::new(5000) | ForEach-Object -parallel { Invoke-WebRequest google.ca }
- Copy Link
- Report Inappropriate Content
@dsj Okay, so the powershell script used a single socket launching multiple sessions. I guess then this wil not cause multiple connection tracking for ER to manage. They could all be part of single socket and hence single connection / NAT state.
I don't have knowledge of powershell scripting, but I had also tried with locust python tool, which allows concurrent max users to be defined with a spawn rate to ramp up to this max users. I was hoping if I keep increasing the max users, I will see large number of concurrent http requests / responses but it peaks at about 250 RPS (requests per second) even for 500 users (started with 1, then 10, 50, 100 and likewise) with spawn rate of 1 to 10 users / second and in the code I had changed wait time to 0 for clients to send repeat requests as soon as they can. The laptop was at that time showing 70%cpu and about 4GB of ram used out of 8GB, so not sure if this is limitation of my laptop. Laptop was still fully usable in parallel for other things. That is why then I used the other tool but that will only do UDP.
Complains about link being posted, so Google search for the text below.
"Locust + Python Examples: Variables + Assertions | Blazemeter by Perforce"
Datasheet for ER8411 indicates 20K per second new sessions and concurrent total of about 230K. But we have no idea as to how they will have tested for this marketing data. Realistic will be to use IMIX packet size, with 20 users each to 25 different test webservers (even Raspberry Pi machines in the test lab, so as not to spam websites on the Internet.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1016
Replies: 5
Voters 0
No one has voted for it yet.