Admission Control is a mechanism by which incoming data packets will be dropped when the system is at over capacity. This throttling helps in ensuring that the system has enough resources to process the already buffered packets. The admission control is applied only on data packets.

To check if there are any over capacity drops, use the following commands:

root@spperf-gateway-1:~# dispcnt -s over_capacity_drop

over_capacity_drop = 1461980	0	/s
root@gateway-1:~# dispcnt -s over_capacity_drop -d vcgw.com

Fri Dec 17 11:12:25 2021
over_capacity_drop                       = 0           	0	/s
root@gateway-1:~# dispcnt  -s natd.shmem_oom -s natd.port_assign_fail -d vcgwnat.com

Fri Dec 17 11:12:44 2021
natd.port_assign_fail                    = 0           	0	/s
natd.shmem_oom                           = 0           	0	/s
root@gateway-1:~# dispcnt -p netif -s tx_drop -s rx_drop -d vcgw.com

Fri Dec 17 11:13:04 2021
netif_eth0_rx_dropped                    = 0           	0	/s
netif_eth0_tx_dropped                    = 0           	0	/s
netif_eth1_rx_dropped                    = 0           	0	/s
netif_eth1_tx_dropped                    = 0           	0	/s

To monitor the capacity of flows, run the following command:

root@gateway-1:~# dispcnt  -s flow_admisison_limit_hit
To monitor the over capacity issues on NAT entries, run the following command:
root@gateway-1:~# dispcnt  -s natd.shmem_oom -s natd.port_assign_fail -d vcgwnat.com

Fri Dec 17 11:12:44 2021
natd.port_assign_fail                    = 0           	0	/s
natd.shmem_oom                           = 0           	0	/s

The following table lists the threshold values and recommended actions for overcapacity drops.

Threshold State Threshold Value Recommended Corrective Action
Warning 500 drops per 30 seconds (absolute count)

When the drops remain above threshold value consistently for 5 minutes, warning alert is triggered.

When the drops cross warning threshold:

  • Collect Gateway diagnostic bundle.
  • Check if a CPU intense system event is causing the packet drops.
  • Check flow metrics as follows:
    • Maximum: 1.9M
    • NAT: 960K
    • Route: 1M for shared Gateway, 100K single enterprise
  • If throughput is consistently bursting for every 60 minutes or less to 2Gbps, quiesce the Gateway and add new Gateway to increase the capacity.
  • If any of the scale metrics have reached a 90% threshold of maximum limit, quiesce the Gateway and add new Gateway to increase the capacity.
Critical 1000 drops per 30 seconds (absolute count)

When the drops remain above threshold value consistently for 5 minutes, critical alert is triggered.

When the drops cross critical threshold:

  • Collect Gateway diagnostic bundle.
  • Monitor throughput continuously for the next 15 minutes

If the drops do not stabilize:

  • Quiesce the Gateway and add new Gateway to increase the capacity.
  • Check for top talker Enterprises to move to new Gateway.
  • At this stage Gateway is already causing user experience. After identifying the top talker Enterprises, rebalance the Edges immediately.