The CW is maxed out but the CPU and SW are low on the ProxySG appliance.

Article ID: 166954

Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG appliance becomes unresponsive due to a high number of failed authentication requests.

In snapshot_sysinfo_stats, we see that the CW is maxed out while both the CPU and SW stay low, as in the example shown below:

                                         TM002      HTTP_      HTTP_      HTTP_      HTTP_
GMT                       CPU0  CPU1     .00.1  MAIN_0090  MAIN_0091  MAIN_0102  MAIN_0111
Wed Dec 14 03:04:41 2011     8    10        35      19500       5430       5414         26
Wed Dec 14 03:05:41 2011     7     9        39      19500       9679       9678         22
Wed Dec 14 03:06:41 2011     8    12        42      19500      12509      12500         21
Wed Dec 14 03:07:41 2011     8    10        43      19500      14259      14253         30
Wed Dec 14 03:08:41 2011     8    15        46      19500      17526      17493         32
Wed Dec 14 03:09:41 2011     4     6        48      19500      19500      19500         30
Wed Dec 14 03:10:41 2011    24    10        48      19500      19500      19500         50

In the eventlog, we see the following entries:

2011-12-14 10:41:18+08:00CST  "LDAP: Server '10.0.5.55' in realm 'AD' is online."  0 26002D:96   ../../realm_ldap.cpp:1093
2011-12-14 10:41:31+08:00CST  "LDAP: Server '10.0.5.55' in realm 'AD' is offline."  0 26002D:1   ../../realm_ldap.cpp:1026
2011-12-14 10:41:31+08:00CST  "LDAP: search failed for base DN:DC=wanda,DC=cn"  FFFFFFFB 260012:1   ../../realm_ldap.cpp:2661
2011-12-14 10:41:31+08:00CST  "LDAP: Server '10.199.200.48' in realm 'AD' is online."  1 26002D:96   ../../realm_ldap.cpp:1093
2011-12-14 10:41:32+08:00CST  "LDAP: search failed for base DN:DC=wanda,DC=cn"  FFFFFFFB 260012:1   ../../realm_ldap.cpp:2661
2011-12-14 10:41:32+08:00CST  "LDAP: Server '10.199.200.48' in realm 'AD' is offline."  1 26002D:1   ../../realm_ldap.cpp:1026
2011-12-14 10:41:32+08:00CST  "LDAP: search failed for base DN:DC=wanda,DC=cn"  FFFFFFFB 260012:1   ../../realm_ldap.cpp:266

In the access log, we see the following entries:

2011-12-14 09:18:57 1 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp tcpconn2.tencent.com 80 / - - - 10.0.4.5 280 162 -
2011-12-14 09:18:57 2 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp tcpconn4.tencent.com 443 / - - - 10.0.4.5 280 164 -
2011-12-14 09:18:57 1 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp update.360.com 80 / - - - 10.0.4.5 280 162 -
2011-12-14 09:18:57 1 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp up.rising.com.cn 80 / - - - 10.0.4.5 280 162 -

The policy is as shown below:

<Proxy>
    socks.authenticate(ad) socks.authenticate.force(no)

<Proxy>
    client.address=10.0.0.0/8 authenticate(ad) authenticate.force(no) authenticate.mode(proxy-ip)

<Proxy>
    allow

When many client applications attempt to reach the Internet (for an update, a query or other purposes), each attempt is challenged for authentication credentials; however, these attempts are transparent to users. In other words, the users never see the authentication pop-up.

Because no credentials are supplied, the ProxySG appliance repeatedly challenges for credentials and the requests are denied (the 407 TCP_DENIED entries in the access log). This cycle repeats until the CW is exhausted.

Resolution

Analyze the access log to identify the hosts that generate the failed authentication requests, and then add a non-authentication policy in the first layer, ahead of the authentication layer, to exempt this traffic from authentication, as in the example shown below:

<Proxy>
    ; this layer must precede the authenticate(ad) layer so the traffic is never challenged
    condition=un-auth-grp authenticate(no)

define condition rising
    ; url.domain= also covers subdomains such as up.rising.com.cn seen in the access log
    url.domain=rising.com.cn
end condition rising

define condition 360
    url.domain=360.com
end condition 360

define condition tencent
    ; anchored, with literal dots, so only the tcpconn<N>.tencent.com hosts match
    url.host.regex="^tcpconn[0-9]+[.]tencent[.]com$"
end condition tencent

define condition un-auth-grp
    condition=rising
    condition=360
    condition=tencent
    ; catch-all for the remaining tencent.com hosts
    url.domain=tencent.com
end condition un-auth-grp
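For the first step of the resolution, identifying which destinations produce the 407 authentication_failed denials, here is an added Python example (not part of the original article or of SGOS) that ranks those hosts from access-log lines and renders a matching CPL condition block. It assumes the default main access-log field layout shown in the sample above (exception id, status and host at fixed positions), works on a constructed log sample, and collapses hosts to a registrable domain with a simple heuristic rather than the public suffix list.

```python
import shlex
from collections import Counter

# Constructed sample in the same layout as the article's access-log lines;
# the last line is a successful, authenticated request that must be ignored.
SAMPLE_LOG = """\
2011-12-14 09:18:57 1 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp tcpconn2.tencent.com 80 / - - - 10.0.4.5 280 162 -
2011-12-14 09:18:57 2 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp tcpconn4.tencent.com 443 / - - - 10.0.4.5 280 164 -
2011-12-14 09:18:57 1 10.49.12.6 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp update.360.com 80 / - - - 10.0.4.5 280 162 -
2011-12-14 09:18:58 1 10.49.12.7 - - authentication_failed PROXIED "Computers/Internet" -  407 TCP_DENIED CONNECT - tcp up.rising.com.cn 80 / - - - 10.0.4.5 280 162 -
2011-12-14 09:18:59 3 10.49.12.8 jdoe ad - OBSERVED "Search Engines" -  200 TCP_NC_MISS GET text/html http www.example.com 80 / - - - 10.0.4.5 5120 410 -
"""
# 0-based field positions of x-exception-id, sc-status and cs-host in the
# default "main" log format (assumption; adjust for a custom format).
EXCEPTION, STATUS, HOST = 6, 10, 15
FAILED_AUTH = ("authentication_failed", "407")

def failed_auth_hosts(log_text):
    """Count 407 authentication_failed denials per destination host."""
    hosts = Counter()
    for line in log_text.splitlines():
        fields = shlex.split(line)  # keeps "Computers/Internet" as one field
        if len(fields) > HOST and (fields[EXCEPTION], fields[STATUS]) == FAILED_AUTH:
            hosts[fields[HOST]] += 1
    return hosts

def host_suffix(host):
    """Heuristic registrable domain: last two labels, three under e.g. .com.cn."""
    labels = host.lower().split(".")
    second_level = len(labels) > 2 and len(labels[-1]) == 2 and labels[-2] in {"com", "net", "org", "co"}
    return ".".join(labels[-3:] if second_level else labels[-2:])

def exempt_candidates(log_text):
    """Map each registrable domain to its total failed-auth hits, for review."""
    groups = Counter()
    for host, hits in failed_auth_hosts(log_text).items():
        groups[host_suffix(host)] += hits
    return dict(groups)

def cpl_condition(name, domains):
    """Render a CPL 'define condition' block of url.domain= matches."""
    body = "\n".join(f"    url.domain={d}" for d in sorted(domains))
    return f"define condition {name}\n{body}\nend condition {name}"

if __name__ == "__main__":
    candidates = exempt_candidates(SAMPLE_LOG)
    for domain, hits in sorted(candidates.items(), key=lambda kv: -kv[1]):
        print(f"{hits:6d}  {domain}")
    print(cpl_condition("un-auth-grp", candidates))
```

Review the ranked list before pasting the rendered block into policy: a domain should only be exempted from authentication once the traffic is confirmed to be unattended update or query traffic rather than user browsing.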