High CPU usage in LSA on Edge SWG

Article ID: 167294

Products

ProxySG Software - SGOS

Issue/Introduction

CPU Monitor on the Edge SWG (formerly ProxySG) reports high CPU utilization in Local Security Authority (LSA).
 
You may also see high CPU utilization in the authentication process group.

Cause

LSA (Local Security Authority) is a Windows process that verifies a user's identity. The LSA component is used by IWA Direct authentication on the ProxySG and appears in the CPU Monitor if your policy uses IWA Direct.

Resolution

Common reasons for seeing high CPU in LSA component include:

A high number of authentication failures

Check the Event Log to see whether there are a lot of authentication failures on the ProxySG. If there are:

  • Check whether a common IP address is causing a lot of the authentication failures.
  • Investigate the IP address to see what type of traffic it is sending to the proxy.
    • If possible, try to block that IP address before it reaches the proxy and see if the high CPU utilization goes down.
    • Alternatively, temporarily disable authentication for these IP addresses on the ProxySG and deny them as part of troubleshooting.
    • If CPU goes down, check those IP addresses/machines for any malware/spyware/application that is causing so many authentication failures.
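One way to find a common source IP in an exported Event Log is to count failure lines per client address. The script below is an added example, not Broadcom code; the log line wording, the sample lines, and the function names are assumptions made for illustration, so adjust the failure pattern to match your own export.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a failed authentication is logged with this wording. Adjust the
# pattern to whatever your exported Event Log actually contains.
FAILURE_RE = re.compile(r"authentication (?:failed|failure)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines for illustration; not real Edge SWG output.
SAMPLE_LOG = """\
2024-01-10 09:00:01 Authentication failed for user 'svc_app' from 10.1.20.15
2024-01-10 09:00:01 Authentication failed for user 'svc_app' from 10.1.20.15
2024-01-10 09:00:02 Authentication failed for user 'svc_app' from 10.1.20.15
2024-01-10 09:00:02 Authentication succeeded for user 'alice' from 10.1.20.15
2024-01-10 09:00:03 Authentication failure for user 'bob' from 10.1.20.77
2024-01-10 09:00:03 Authentication failed for user 'svc_app' from 10.1.20.15
2024-01-10 09:00:04 Authentication failed for user 'svc_app' from 10.1.20.15
2024-01-10 09:00:05 Authentication failed for user 'carol' from 10.1.30.4
"""

def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def failures_by_client(lines, ignore=()):
    """Count failure lines per client IP, skipping addresses in `ignore`
    (for example the proxy's own IP if it appears in every line)."""
    counts = Counter()
    for line in lines:
        if not FAILURE_RE.search(line):
            continue
        ips = [ip for ip in IPV4_RE.findall(line)
               if _is_ipv4(ip) and ip not in ignore]
        if ips:
            counts[ips[0]] += 1
    return counts

def top_offenders(counts, min_share=0.25):
    """Return (ip, failures, share) for clients causing >= min_share of failures."""
    total = sum(counts.values())
    return [(ip, n, n / total) for ip, n in counts.most_common()
            if n / total >= min_share]

if __name__ == "__main__":
    for ip, n, share in top_offenders(failures_by_client(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {n} failures ({share:.0%} of all failures)")
```

A single address holding most of the failures is the candidate to block upstream or exempt temporarily, as described in the steps above.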

Use IP surrogate to reduce the amount of authentication requests

To reduce the amount of authentication processing, use IP surrogate authentication mode (Proxy-IP) if possible and increase the Surrogate Refresh Time interval in the authentication realm settings.

As a temporary workaround, you can also disable Authentication in your Visual Policy Manager under the Web Authentication Layer and the CPU will drop.

Next steps

If you go through these steps and still have issues with high CPU utilization in the HTTP or FTP process group, open a ticket with Broadcom Support.

In addition to the details from the CPU Monitor, you may also be asked to provide the following:

SysInfo

  • The SysInfo information should be captured after the CPU utilization has returned to normal, or after 20 minutes of high utilization for a persistent utilization spike.
  • This information can be uploaded through the management console Maintenance tab or captured from the URL https://<proxy_ip>:8082/Sysinfo

Event log

  • The Event Log should be captured after the CPU utilization has returned to normal or after 20 minutes of high utilization for a persistent utilization spike.
  • This information can be uploaded through the management console Maintenance tab or captured from the URL https://<proxy_ip>:8082/Eventlog/Statistics

TCP users

While the CPU utilization is high, copy the output from the URL https://<proxy_ip>:8082/TCP/Users 

SysInfo_stats snapshots

Configure snapshots on the Edge SWG to occur every five minutes (default is 60), and run for at least 20 minutes during the CPU spike.

Full core (optional)

Depending on the nature and symptoms of the high utilization issue, you may be asked to provide a full core dump of the Edge SWG (ProxySG).