- How to tell if your Pulse Appliance is overloaded?
- Rxdrop and/or Tx drop is seen (System -> Network -> Overview) along with an unusual increase in CPU/Throughput. This could also be related to an unusual increase in the Concurrent users.
- Configure SNMP thresholds (CPU, Swap Memory, etc.,) to alert on performance issues & also watch out for Critical events in the logs // System -> Log/Monitoring -> SNMP
- Recommended base line for a healthy deployment,
- Please be aware that the throughput numbers listed in this document only covers Pulse L3 Tunnels & has been published based on the lab testing (Controlled environment /optimal use cases & with the optimal packet sizes) and there are high chances that the appliance could max. out much before they hit those actual number in a Production environment. The other factors that contribute to Device throughput include Auth Rates, cipher type, other access types such as PSAM, Rewriter, html5 etc.,
- The unit used in this document is Mbps/Gbps (Mega Bits Per second / Giga Bits Per second). Whereas the overview/dashboard screenshot shows the data in MBps (Mega Bytes Per second). Therefore, to calculate the throughput, the usage under External-In/Internal Out & Internal-In/External-Out needs to be added.
- The throughput reflects the usage of all (traffic) access types (PSAM, Pulse L3 Tunnel, Rewrite, Html5 Etc.,)
- Optimized Pulse Secure SW version for maximum performance?
- 9.1Rx/9.0Rx code is recommended.
a. Add capacity (Configure A/A Cluster or add another node if A/A cluster is already configured or configure stand-alone node). Please follow the Admin Guide for the instructions.
- What to do if you suspect high performance issues?
b. Split-Tunneling can be used to ensure that only internal traffic goes via PCS Appliance(s).
- PSA 300/3K and PSA5K can only be clustered in two node clusters (A/A or A/P).
- Active/Passive (A/P) gives the customer a hardware redundant system, or high availability (HA). Only one node is active at any time, if it fails the passive node takes over. Because of the very nature of the cluster (one node active), it can only scale to the limits of a single node. (Limits covered below)
- Active/Active (A/A) clustering provides increased throughput to backend systems, by dividing the “load” of user traffic through multiple gateways to backend systems. Please refer KB44398 - Active/Active Cluster best practices
c. If Html5 (RDP) feature is used by many users, check for alternatives, for example, Premier Java RDP Applet KB41060 - Premier Java RDP Applet and licensing frequently asked questions (FAQ)
c. Check if the concurrent users are increasing compared to earlier days and based on the estimated increase add more capacity.
d. Check if L3 Tunnel users are using SSL Mode instead of ESP Mode & take the necessary actions (Confirm that all realms have ESP Enabled & Check the firewall - UDP 4500 - and/or if anything on the end point blocking the use of ESP Mode).
3. What logs are needed for troubleshooting performance issues?
a. Complete Dashboard/Overview Graphs from all the nodes with timeframes of 1 day, 1 week & 1 Month (System -> Status -> Overview).
b. PCS Logs (User/Events/Admin) \\ (System -> Log/Monitoring -> Events -> Save All Logs).
c. System Snapshot from all the nodes (With “System Config” & “Debug Log” selected) \\ Maintenance -> Troubleshooting -> System Snapshot).
d. System/user config :
e. Customers using PCS 9.1R3 or above can download b. & c. from Maintenance -> Troubleshooting -> Log Collection as shown below (However, ensure that “System Config” & “Debug Log” are selected in the System Snapshot tab).
- Maintenance -> Import/Export -> Import/Export Configuration -> Save Config As.
- Maintenance -> Import/Export -> Import/Export Users -> Save Config As.
4. Related links/Info :
a. Please contact your regional Sales Engineer for additional licenses/appliances or/and vADC (Load Balancer) demo/trial.
b. ICE (In case of Emergency) License FAQ