New Member
Posts: 7
Registered: ‎03-19-2017

IPS/IDS USG Performance

Hi All,

The IPS/IDS feature I think is fantastic, and I understand that it is in BETA and it also puts a fair amount of strain on the USG.

However, I have noticed some significant instability with the USG since switching on IDS. I know that it says it limits the maximum throughput to 80 mbps, but Speedtests indicate it is being pushed to the full extent of my connection. And whilst it is under this load, the USG disconnects and continuously misses its heartbeat.

Just wondering if perhaps I am supposed to make this maximum 80 mbps adjustment, or whether the USG should be doing this itself. Or perhaps it's just some teething problems given it is in beta.

To clarify, I have all Ubiquiti products including the USG, which has DPI and IDS switched on, and I have a 100mbps connection.

Once again though, super happy with the feature being introduced and also with all the other great features that have been added recently.

Established Member
Posts: 930
Registered: ‎02-18-2017
Kudos: 307
Solutions: 28

Re: IPS/IDS USG Performance

The 80Mbps is UBNT's estimate of what the USG-3P will be able to process when running IPS/IDS. It's not a hard and fast figure. On my 8Gb USG-4P I've seen bursts up to 700Mbps (UBNT say 250Mbps) so you don't have to limit your connection in any way.

It's quite possible your USG is just overheating and that's causing the issues you are seeing. Is it very hot?

New Member
Posts: 5
Registered: ‎07-08-2016
Kudos: 39

Re: IPS/IDS USG Performance

Hi jdaw,

You are not alone with this issue. I have the same issue with really poor performance on the USG. If I enable the IPS/IDS and DPI I only get like 3mb to 7mb throughput on a 100mb fibre. It gets so bad that you can't even stream without buffering. If I disable IPS/IDS then I get 30mb throughput. I have downgraded the firmware and reset the USG. Now the USG can't adopt and fails constantly.

New Member
Posts: 7
Registered: ‎03-19-2017

Re: IPS/IDS USG Performance


@wja96 wrote:

The 80Mbps is UBNT's estimate of what the USG-3P will be able to process when running IPS/IDS. It's not a hard and fast figure. On my 8Gb USG-4P I've seen bursts up to 700Mbps (UBNT say 250Mbps) so you don't have to limit your connection in any way.

It's quite possible your USG is just overheating and that's causing the issues you are seeing. Is it very hot?


It could certainly be overheating, I do know that the box isn't in the most optimum temperature environment.

I know that you can see the temperature of the switch in the dashboard, how can you see the temperature of the USG? Terminal?

New Member
Posts: 7
Registered: ‎03-19-2017

Re: IPS/IDS USG Performance


@gerritg wrote:

Hi jdaw,

You are not alone with this issue. I have the same issue with really poor performance on the USG. If I enable the IPS/IDS and DPI I only get like 3mb to 7mb throughput on a 100mb fibre. It gets so bad that you can't even stream without buffering. If I disable IPS/IDS then I get 30mb throughput. I have downgraded the firmware and reset the USG. Now the USG can't adopt and fails constantly.


It's not as bad for me, I only see issues with IPS/IDS and DPI enabled at around the 60mbps+ range.

I have absolutely no issues at all with IPS/IDS disabled and DPI enabled, so I think it's just pushing it slightly beyond its limit OR as mentioned above it's overheating, which I wouldn't ignore as the potential problem.

Established Member
Posts: 2,039
Registered: ‎03-20-2017
Kudos: 807
Solutions: 70

Re: IPS/IDS USG Performance

With IDS/IPS on, the CPU may be too busy to send heartbeat to the controller.  

Regular Member
Posts: 445
Registered: ‎12-21-2016
Kudos: 53
Solutions: 7

Re: IPS/IDS USG Performance

USG 4.5.3 improved significantly in terms of performance.

But USG still appears as disconnected under heavy load.

New Member
Posts: 1
Registered: ‎06-13-2018

Re: IPS/IDS USG Performance

I've only purchased a UAP-HD so far and connected it to my ASUS AC68 and it's working great. My ASUS has a sort of Trendnet IDS/IPS that sends me emails when it blocks an attack or something. Mostly they are attacks on my webserver like SQL inject attempts, and it has blocked things from leaving when someone brought over an infected laptop. This can keep up with my Gig internet connection, and what I'm trying to figure out is how to replace this. Does a USG have this capability, or should I look at something else in front of the USG like pfSense or similar?

Established Member
Posts: 930
Registered: ‎02-18-2017
Kudos: 307
Solutions: 28

Re: IPS/IDS USG Performance


@Shane01638 wrote:

I've only purchased a UAP-HD so far and connected it to my ASUS AC68 and it's working great. My ASUS has a sort of Trendnet IDS/IPS that sends me emails when it blocks an attack or something. Mostly they are attacks on my webserver like SQL inject attempts, and it has blocked things from leaving when someone brought over an infected laptop. This can keep up with my Gig internet connection, and what I'm trying to figure out is how to replace this. Does a USG have this capability, or should I look at something else in front of the USG like pfSense or similar?


The Suricata IPS/IDS implemented on the USG places a very heavy load on the CPU so UBNT give guideline throughputs for their various routers:

USG-3P - 80Mbps

USG-4P - 250Mbps

USG-XG-8 - 1Gbps

So if you have a 1Gbps connection, you'd see a major drop in throughput compared to your current device although I very much doubt the ASUS AC68 could run proper IPS/IDS at 1Gbps.

I have had very very good experience with the Netgate SG-3100 that runs pfSense. It was able to run our 1Gbps connection with everything switched on before we got our USG-XG-8.

New Member
Posts: 12
Registered: ‎08-08-2017
Kudos: 4

Re: IPS/IDS USG Performance

I am also seeing performance issues on a USG running 4.4.22.5086045.

I was just installing a Mac OS software update on a single machine and while it was downloading, no other device on the network had internet access.

As soon as the software update finished downloading, all other devices were able to access the internet again.

Also, as mentioned in another post here, heartbeats were missed as well.

Thank you.

New Member
Posts: 2
Registered: ‎08-10-2018

Re: IPS/IDS USG Performance

I talked to UniFi about this yesterday and they told me the throughput guidelines when IPS is on are actually not the "new" maximum throughput for the device, but instead the value by which the original throughput will be reduced if IPS is turned on.

So:

USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.

This would mean that the USG, which normally has got 900mbps throughput, would get 900-85=815mbps. And the USG-XG-8, which has got 10gig throughput, would have 10gig-1gbps=9gbps throughput.

I asked the engineer time and time again if this was correct and he insisted that the values should be reduced from the original maximum throughput and it did not indicate new maximum values.

Ubiquiti Employee
Posts: 599
Registered: ‎02-13-2018
Kudos: 205
Solutions: 88

Re: IPS/IDS USG Performance


@joeljonsson wrote:

I talked to UniFi about this yesterday and they told me the throughput guidelines when IPS is on are actually not the "new" maximum throughput for the device, but instead the value by which the original throughput will be reduced if IPS is turned on.

So:

USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.

This would mean that the USG, which normally has got 900mbps throughput, would get 900-85=815mbps. And the USG-XG-8, which has got 10gig throughput, would have 10gig-1gbps=9gbps throughput.

I asked the engineer time and time again if this was correct and he insisted that the values should be reduced from the original maximum throughput and it did not indicate new maximum values.


Sorry for the mixed signals while on with chat support. The values that are in the controller are the top throughput that you would expect to see with IPS/IDS enabled. This applies to traffic going to the internet, and also traffic that is traversing sub-interfaces (VLANs).

Adam Dipple | UniFi Support Team
New Member
Posts: 2
Registered: ‎08-10-2018

Re: IPS/IDS USG Performance


@UBNT-AdamD wrote:

Sorry for the mixed signals while on with chat support. The values that are in the controller are the top throughput that you would expect to see with IPS/IDS enabled. This applies to traffic going to the internet, and also traffic that is traversing sub-interfaces (VLANs).

OK, time for some internal training/information then, I guess. Please see chat transcript below:

(11:51:18 AM) Joel: but how much does IPS/IDS limit my gateway throughput? or performance in general? I got a 1 gig fibre connection.
(11:54:08 AM) Ralph S: Which UniFi devices are you using
(11:55:24 AM) Joel: UniFi Security Gateway 3P
(11:57:18 AM) Ralph S: Enabling IDS/IPS will affect the device maximum throughput. USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.
(11:57:39 AM) Joel: ok, what is the normal throughput for the UniFi Security Gateway 3P
(11:59:29 AM) Ralph S: Normal throughput for the UniFi Security Gateway 3P is 900 mbps
(12:01:08 PM) Joel: ok.. I understand, so since I have 1gbps internet connection, I would need to buy the USG-XG-8 to be able to utilize the full capacity of my connection with IPS switched on?
(12:07:24 PM) Ralph S: No
(12:07:58 PM) Ralph S: If you enable IPS you will face data loss accordingly. Enabling IDS/IPS will affect the device maximum throughput. USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.
(12:08:55 PM) Ralph S: No. USG-XG-8 is a 10G device, so when you have 10G connection you will have loss of 1G when IPS/IDS is enabled, because of CPU usage as this traffic is not offloaded
(12:09:58 PM) Joel: oh, so the USG-3 maximum throughput will be decreased with 85mbps to approx. 815mbps?
(12:12:04 PM) Ralph S: Yes correct
(12:13:48 PM) Joel: that is REALLY not clear in the description under settings-IPS
(12:13:55 PM) Joel: it says:
(12:13:56 PM) Joel: Warning: Enabling IDS/IPS will affect the device maximum throughput. USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.
(12:14:20 PM) Joel: I would see that as the maximum throughput will BECOME the values
(12:15:49 PM) Ralph S: The maximum throughput of the devices will affect as the maximum throughput of the USG 3P is 900mbps -85mbps=815mbps will be your throughput
(12:16:52 PM) Joel: ok. that's great. but like I said, it's not clearly described in the information under settings-IPS.. many people will misinterpret that information I guess

Ubiquiti Employee
Posts: 599
Registered: ‎02-13-2018
Kudos: 205
Solutions: 88

Re: IPS/IDS USG Performance

Thanks for the report. I have taken this up with a support manager to help correct the misinformation.
Adam Dipple | UniFi Support Team