Random latency handling delays on FLEX H at low bandwidth

Options
PeterUK
PeterUK Posts: 4,228 image  Guru Member
250 Answers 2500 Comments Friend Collector Eighth Anniversary
edited November 21 in USG FLEX H Series

USG FLEX 700H V1.36(ABZI.0)

So I know this to be the case with some testing I have done with BQM by thinkbroadband.com and StarTrinity CST by FLEX 700H vs FLEX 200 (non H)

With any luck this can be fixed by firmware and is not a hardware limitation?

My understanding of FLEX H is the sessions get put on fast path CPU if allowed but I'm seeing ping spikes over 100ms by BQM which ping every second and StarTrinity CST which does a UDP ping.

How I know is my BQM was on FLEX 200 and has been stable for many years then moved it to FLEX 700H and seeing random spike at not much load plus if a run StarTrinity CST in a VirtualBox to route to FLEX 200 when I see these spikes on FLEX 700H it shows fine so there is some random handling delays going on with FLEX H.

Update on issue

This problem looks to be due to my big list of trusted wildcard FQDN of about 500 when I disable this list and allow HTTPS any latency is fine.

So is there anything that can be done?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,134 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @PeterUK

    May I know the destination of the tests - thinkbroadband.com and StarTrinity CST - are in the list of your trusted wildcard FQDN?

    P.S. I will check with our team if this can be improved or not.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,228 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 24

    Hi Melen

    The issue can be as bad as over 500ms or even packet loss.

    The StarTrinity CST is speed load test and UDP test which I allow the UDP to destination IP range and thinkbroadband.com is just ICMP inbound to interface but you don't need them to to see the problem just a ping out to a stable source will show the problem and by a browser like Edge if you make a favourite folder like with the following then right click on the folder and click open all the problem really shows.

    https://uk.yahoo.com
    https://www.grc.com/intro.htm
    https://app.zerossl.com
    https://www.thunderbird.net/en-US/
    https://www.amazon.co.uk
    https://twit.tv
    https://www.softpedia.com
    https://www.abuseipdb.com
    https://www.virtualbox.org
    https://community.zyxel.com/en/
    https://www.twitch.tv
    https://app.brevo.com
    https://www.microsoft.com/en-us/software-download/windows11
    https://www.theregister.com
    https://www.zyxel.com/global/en
    https://www.home-assistant.io
    https://nebula.zyxel.com
    https://www.realtek.com
    https://www.guru3d.com

    C:\Windows\System32>ping -w 1000 -t 1.1.1.1

    Pinging 1.1.1.1 with 32 bytes of data:
    Reply from 1.1.1.1: bytes=32 time=11ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=14ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=10ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=10ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=11ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=221ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=13ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=20ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=14ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=545ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=107ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=581ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=68ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=72ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=463ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=335ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=578ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=728ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=127ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=19ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=18ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=162ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=18ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=28ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=18ms TTL=58
    Reply from 1.1.1.1: bytes=32 time=11ms TTL=58

    Ping statistics for 1.1.1.1:
    Packets: Sent = 27, Received = 27, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 728ms, Average = 155ms

  • PeterUK
    PeterUK Posts: 4,228 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 24

    But here is the full list of wildcard FQDN where I have three groups to allow them for HTTP and HTTPS then a block rule for HTTP and HTTPS.

    Trusted_list.txt

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)