I'm doing some throughput tests on a vSEC gateway in network mode (basically just a VM with GAiA installed, AFAIK) in an NSX/ESXi environment.
The test is done with a basic setup: one gateway and two Ubuntu VMs acting as client/server. To measure throughput I'm using iperf (TCP, basic settings).
The problem is when I enable both IPS and Application Awareness. With both blades enabled I'm only able to get a throughput of around 1.5 Gbps. With just one of the blades it's around 5 Gbps; without any blades (except FW) it's 6 Gbps, which seems to be a driver limit (e1000, vs. only 4.5 Gbps on VMXNET3).
I have tried to play around with the core allocation, but without luck. There is no difference whether the fw workers have a dedicated core or are able to use all available cores.
According to fwaccel stats -s, over 90% of the traffic hits PXL.
So my question is: is it possible to split the IPS and Application Awareness processes onto different CPUs, or to load-share the PXL part even more?