Please review the following Frequently Asked Questions for useful information on managing the load on your PCS appliance
1. What is the maximum capacity of my PCS Appliance?
Beyond license restriction, the maximum number of users that your appliance can support depends on several environmental factors including:
For “sample” data on the maximum user count and throughput for various PSA appliances, please visit KB40057 and the PCS datasheet
- Device throughput.
- Average packet size (With less packet sizes, more PCS CPU is spent on analyzing the packets and hence less throughput).
- Cipher size, FIPS ON.
- VLANs and virtual ports.
- Number of ACLs.
- Multicast traffic enabled under user role > VPN tunneling options.
- CPUs, Memory, and other system characteristics.
- Encryption algorithm type and key size configured.
- Network latency between the authentication servers and backend applications.
- Complexity of Host Checker polices and role mapping rules.
- VPN Tunneling mode (ESP or SSL).
- Clustering synchronizations for configs and sessions.
2. How can I optimize my PCS appliance for more capacity?
If your PCS appliance is approaching the maximum limit, you may notice CPU spikes on the Admin UI overview graph, throughput that are nearing the capacity of the appliance, or slow performance during peak usage. Please use the following guidelines to optimize the appliance utilization:
Throughput Optimization :
- Consider using spit-tunneling to exclude internet and high bandwidth voice traffic outside tunnel. Please refer section About Split Tunneling Role Options in admin guide .
- Minimize or avoid enabling multi-cast traffic.
- If using Active/Passive cluster, consider switching to Active/Active cluster. See KB44398 for more information.
- If using an Active/Active cluster, consider adding more appliances to the cluster. You can add up to 4 appliances in a PSA 7000 Active/Active cluster.
- Limit the use of high bandwidth applications such as HTML5 RDP. Alternatively, you can use the Java RDP for remote desktops. Refer KB41005 for HTLML5 high CPU issue and KB41060 for Premier JAVA RDP
- Convert your clusters to standalone and have users connect to individual nodes to divide load.
- Wireless adapters such as the ones below are known to provide better throughput.
- Asus ac-56
- TP-Link Archer T9UH AC1900 High Gain Wireless Dual Band USB Adapter
3. How can I tell if my PCS appliance is under high load?
- Review and optimize your Host Checker policies.
- If “IP Address Filter” (Under System -> Network -> VPN Tunneling) & many Static IP Address Pool (Users -> Resource Policies -> VPN Tunneling -> Connection Profiles) are configured, please ensure that the Pool Matching the “IP Address Filter” is at the top of the list. Else, it can result in the following side-effects,
- Huge Latencies.
- User Connection Drops.
- Users unable to connect/obtain IP Addresses.
- ESP connections falling back to SSL.
- Ensure that VPN tunnels are using ESP mode. Refer page 631 admin Guide.
4. What logs should I provide when reporting a performance issue?
- Check system and event logs for critical messages .
- Review device graphs to see if your appliance’s throughput is within the specified limits. Please check KB43684 for more information on Throughput calculation.
- Check for High CPU, refer KB15832
Refer to KB44397 for logs required for troubleshooting performance issues
Note: Up-to-date information on this PSN is available at TSB44404
Pulse Secure Support is available 24X7 at: +1-844-751-7629 (Toll free, US & Canada), +1-408-300-9668 (Other Countries).