High CPU usage in HTTP on Edge SWG

Article ID: 165617

Products

  • ProxySG Software - SGOS
  • Advanced Secure Gateway Software - ASG
  • ISG Proxy

Issue/Introduction

The CPU Monitor is reporting high CPU utilization in the HTTP process group on Edge SWG (formerly ProxySG).

Cause

High CPU usage in HTTP typically results from a surge in incoming requests, which can stem from various factors, such as:

  • Increase in HTTP traffic over time
  • A request loop
  • Applications that don't support server or Proxy authentication
  • Malware presence
  • A DoS or DDoS attack

Resolution

Look at your traffic patterns to see if the user base has increased. In the management console, check bandwidth utilization in the Statistics > Traffic Mix section, and confirm whether the bandwidth utilization for the Edge SWG corresponds to the CPU spikes.

If you suspect malware or request looping, such as an application that doesn't work with Proxy Authentication, check the Edge SWG Event Logs. Enabling attack detection in monitor mode will report clients that are sending a high number of requests to the ProxySG. See "How do I configure the ProxySG appliance to detect DoS and or DDoS traffic from a client without enforcing actions on the client(s)?"

Other reasons for high CPU utilization in the HTTP process group:

  • Policy Coverage is enabled. To disable policy coverage, see "Enabling and Disabling Policy Coverage".
  • Regex policy. Review your CPL and VPM policies to see if regex policy can be replaced with substring matches.
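To support the regex review described above, the following added example (not Broadcom's code or tooling) scans exported policy text for regex conditions whose pattern is really a fixed string and so is a candidate for a cheaper non-regex match. The sample policy is constructed, the `<trigger>.regex="pattern"` spelling is an assumption about how the conditions appear in your CPL, and the reported shapes (substring, prefix, suffix, exact) describe the kind of match, not CPL trigger names.

```python
import re

META = set(".^$*+?{}[]|()")
# Assumed spelling of a CPL regex condition: <trigger>.regex="pattern"
COND = re.compile(r'([\w.]+\.regex)="((?:[^"\\]|\\.)*)"')

# Constructed sample policy, not taken from any real appliance.
SAMPLE = r"""<Proxy>
  ; url.regex="old\.example\.org" deny   (commented out, must be ignored)
  url.regex="example\.com/ads" deny
  url.regex="^http://intranet\.example\.com/" allow
  url.host.regex="\.example\.(com|net)$" deny
  url.path.regex="\.exe$" deny
  url.regex="track(er)?[0-9]+" deny
"""

def classify(pattern):
    """Return (shape, literal); shape is 'regex' when real regex syntax is needed."""
    out, start, end, i = [], False, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            nxt = pattern[i + 1:i + 2]
            if not nxt or nxt.isalnum():      # \d, \w, \b, \1 or a dangling backslash
                return "regex", None
            out.append(nxt)                   # escaped metacharacter is a plain char
            i += 2
            continue
        if ch == "^" and i == 0:
            start = True                      # anchored at the start
        elif ch == "$" and i == len(pattern) - 1:
            end = True                        # anchored at the end
        elif ch in META:
            return "regex", None              # unescaped metacharacter
        else:
            out.append(ch)
        i += 1
    shape = {(False, False): "substring", (True, False): "prefix",
             (False, True): "suffix", (True, True): "exact"}[(start, end)]
    return shape, "".join(out)

def scan(policy):
    """Yield (line number, trigger, pattern, shape, literal) per regex condition."""
    for no, line in enumerate(policy.splitlines(), 1):
        if line.lstrip().startswith(";"):     # CPL comment line
            continue
        for trig, pat in COND.findall(line):
            yield (no, trig, pat) + classify(pat)

if __name__ == "__main__":
    for no, trig, pat, shape, lit in scan(SAMPLE):
        print(f"line {no}: {trig}={pat!r} -> {shape}" + (f" {lit!r}" if lit else ""))
```

A non-regex shape only marks a candidate: confirm that the replacement condition tests the same part of the URL with the same case handling before changing policy.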

Next Steps

If you go through these steps and still have issues with high CPU utilization in the HTTP or FTP process group, open a ticket with Broadcom Support.

In addition to the details from the CPU Monitor, you may also be asked to provide the following:

SysInfo

  • The SysInfo information should be captured after the CPU utilization has returned to normal, or after 20 minutes of high utilization for a persistent utilization spike.
  • This information can be uploaded through the management console Maintenance tab or captured from the URL https://<proxy_ip>:8082/Sysinfo

Event log

  • The Event Log should be captured after the CPU utilization has returned to normal or after 20 minutes of high utilization for a persistent utilization spike.
  • This information can be uploaded through the management console Maintenance tab or captured from the URL https://<proxy_ip>:8082/Eventlog/Statistics

TCP users

While the CPU utilization is high, copy the output from the URL https://<proxy_ip>:8082/TCP/Users

SysInfo_stats snapshots

Configure snapshots on the Edge SWG to occur every five minutes (default is 60), and run for at least 20 minutes during the CPU spike.

Full core (optional)

Depending on the nature and symptoms of the high utilization issue, you may be asked to provide a full core dump of the Edge SWG (ProxySG).