Why is the delay large when the USG firewall pings itself?


A long delay when a USG2000, USG5000, or USG6000 pings its own address is normal. The reasons are as follows:
1. A ping packet destined for the device itself is not answered by the forwarding hardware. It must be sent from the LPU across the backplane to the MPU, which processes it and returns the reply.

2. The processing capacity of the main control board (MPU) is limited, and because the MPU is the control core of the device, its load must not exceed its processing performance. Packets sent to the main control board are therefore protected by rate limiting.

As a result, some delay for traffic destined for the device itself is expected and is a normal condition.

Other related questions:
Why does the active firewall require a longer preemption delay than the standby firewall?
Preemption starts after the original active firewall recovers. If the preemption delay of the active firewall is shorter than that of the standby firewall, the active firewall may switch status before the session entries on the standby firewall have been completely synchronized to the active firewall. As a result, some services may be interrupted. Therefore, the active firewall requires a longer preemption delay. Preemption does not start after the standby firewall recovers, so the preemption delay is meaningless for the standby firewall and you can keep the default value.

Long ping latency on S series switches
Network latency is the round-trip time from the moment a source device sends a packet to the destination device until the destination device returns a packet to the source device. Possible causes of long network latency are as follows:
1. Multiple hops on the packet forwarding path. The transmission time of packets in the physical medium can be ignored because optical and electrical signals travel at high speed. However, the time a switch spends processing packets cannot be ignored. When packets traverse too many hops, the network latency is long.
2. Insufficient network bandwidth. When the network through which packets are transmitted does not have sufficient bandwidth, congestion occurs and packets must wait in queues, resulting in long network latency.
3. Insufficient memory space. When a switch receives a large number of packets and does not have sufficient memory to process them, packet processing slows down and network latency becomes long.

You can run the ping command to test network latency. The results are only for reference and cannot be used as an absolute measurement of network latency. There is no reference value for deciding whether a ping latency is normal, because the latency requirement varies with the network situation. Other measurement methods, such as network quality analysis (NQA), are also required to measure network latency accurately.

Pay attention to the following points when analyzing ping latency:
1. When a switch forwards packets in hardware at high speed, the latency is short, for example, when you ping a PC connected to the switch. When packets must be processed by the CPU, the latency is long, for example, when you ping the gateway. Although the latency is long when the switch pings the gateway, packets are still forwarded normally, because forwarded packets are processed by the underlying chip rather than the CPU.
You can run the icmp-reply fast command to enable the fast ICMP reply function on the switch and shorten the latency when the switch pings the gateway. After the function is enabled, the switch responds quickly to received Echo Request packets destined for its own IP address: the CPU of the LPU responds to the ICMP packets directly, which improves ICMP processing speed and shortens the latency.
2. The processing priority of ICMP packets is set to the lowest level to limit the impact of common ping attacks on the switch, so ICMP packets are the last to be transmitted and processed. This also makes the measured latency long.

USG firewall security association
What is a security association (SA)?
An IPSec SA is a unidirectional logical connection created for security purposes. Because an SA is unidirectional, bidirectional traffic requires an IPSec SA in each direction. The number of SAs depends on the security protocol. If either AH or ESP is used to protect traffic between two peers, two SAs, one in each direction, exist between the peers. If both AH and ESP are used, four SAs, two in each direction (one for AH and one for ESP), exist between the peers. Therefore, an IPSec SA is not equivalent to a connection.

An IPSec SA is uniquely identified by a triplet consisting of the following elements:
1. Security Parameter Index (SPI): a 32-bit value generated to uniquely identify the SA. The SPI is carried in the AH and ESP headers.
2. Destination IP address.
3. Security protocol number (AH or ESP).
The SPI, destination IP address, and security protocol number together uniquely identify an IPSec SA.

Creation mode
IPSec SAs are classified into two types: SAs that are created manually and SAs that are created by IKE automatic negotiation (isakmp). The major differences between the two types are as follows:
1. Key generation mode. In manual mode, all parameters required by the IPSec SA, including the encryption and verification keys, are configured manually and must be updated manually. In IKE mode, the encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be updated dynamically. The key management cost is low and the security is high.
2. IPSec SA lifetime. In manual mode, once an IPSec SA is created it exists permanently. In IKE mode, IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by the lifetime parameters configured on both ends.
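As an added example (not from the Huawei documentation), the following Python model shows the two points above: a peer pair needs one SA per direction per protocol, and a received packet is matched to its SA only by the triplet (SPI, destination IP, protocol). The peer addresses, the sequential SPIs and the sample ESP/AH headers are constructed for the example; on a real device each receiver chooses its own SPI.

```python
import struct
from typing import Dict, Iterable, NamedTuple, Optional

# IP protocol numbers of the two IPsec security protocols.
PROTO_ESP = 50
PROTO_AH = 51
PROTO_NAME = {PROTO_ESP: "ESP", PROTO_AH: "AH"}


class SAKey(NamedTuple):
    """The triplet that uniquely identifies an IPsec SA."""
    spi: int
    dst: str    # destination IP address of the protected packet
    proto: int  # PROTO_ESP or PROTO_AH


def extract_spi(proto: int, header: bytes) -> int:
    """Read the 32-bit SPI from an ESP or AH header (RFC 4303 / RFC 4302).

    ESP: the SPI is the first 4 bytes. AH: next header, payload length and
    2 reserved bytes come first, so the SPI starts at offset 4.
    """
    offsets = {PROTO_ESP: 0, PROTO_AH: 4}
    if proto not in offsets:
        raise ValueError(f"not an IPsec protocol: {proto}")
    off = offsets[proto]
    if len(header) < off + 4:
        raise ValueError("truncated IPsec header")
    return struct.unpack("!I", header[off:off + 4])[0]


def create_sas(peer_a: str, peer_b: str, protocols: Iterable[int],
               first_spi: int = 0x1000) -> Dict[SAKey, str]:
    """Model the SAs needed between two peers: one per direction per protocol.

    AH or ESP alone yields 2 SAs; AH and ESP together yield 4. SPIs are
    constructed sequentially here purely so the example is deterministic.
    """
    table: Dict[SAKey, str] = {}
    spi = first_spi
    for proto in protocols:
        for src, dst in ((peer_a, peer_b), (peer_b, peer_a)):
            table[SAKey(spi, dst, proto)] = f"{src}->{dst} {PROTO_NAME[proto]}"
            spi += 1
    return table


def lookup_sa(table: Dict[SAKey, str], proto: int, dst: str,
              header: bytes) -> Optional[str]:
    """Match a received packet to its SA; wrong direction, protocol or SPI -> None."""
    try:
        spi = extract_spi(proto, header)
    except ValueError:
        return None
    return table.get(SAKey(spi, dst, proto))
```

Looking up the same SPI with the peers' addresses swapped returns None, which is the practical meaning of "an SA is unidirectional, not a connection".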

USG firewall configuration saving
If the configuration is not saved or fails to be saved, it is lost. You can save the configuration on USG firewalls as follows:
1. CLI: run the save command.
   save //Save the current configuration.//
   11:36:31 2015/03/04
   The current configuration will be written to the device. Are you sure you want to continue?[Y/N]y //Enter Y to confirm the save.//
   Now saving the current configuration to the device............................................
   Info: The current configuration was saved to the device successfully.
2. Web UI: click the Save button in the upper right corner of the web UI. In the displayed window, select Overwrite the profile used for next boot and then click OK.

RIP configuration of USG firewalls
Configure RIP on the USG2000 or USG5000 as follows:
1. Run the system-view command to enter the system view.
2. Run the rip [ process-id ] command to enable the RIP routing process and enter the RIP view. If RIP commands are configured in the interface view before RIP is enabled, the configuration only takes effect after RIP is enabled.
3. Run the network network-address command to enable RIP on the specified network segment. RIP runs only on interfaces in the specified network segment. On other interfaces, RIP neither receives nor sends routes and does not advertise the interface route. Therefore, after RIP is enabled, you must specify the network segment. The network-address is the address of the natural network segment. By default, RIP is disabled on all interfaces after the process is enabled. Note: RIP does not support specifying different addresses for different RIP processes on the same physical interface.
4. By default, an interface receives RIP-1 and RIP-2 packets but sends only RIP-1 packets. When the interface version is RIP-2, you can specify the packet sending mode. If no RIP version is configured for the interface, the global version is used. Configure the global RIP version by running the version { 1 | 2 } command. To configure the RIP version for an interface:
   a. Run the system-view command to enter the system view.
   b. Run the interface interface-type interface-number command to enter the interface view.
   c. Run the rip version { 1 | 2 [ broadcast | multicast ] } command to specify the RIP version of the interface.

