Edge SWG (ProxySG) or ASG responding slowly to user traffic after upgrading to SGOS 6.7.x or later

Article ID: 173782

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Edge SWG (ProxySG) or ASG may respond slowly after upgrading to SGOS 6.7.x or later. Without any configuration change, downgrading to an older SGOS version resolves the issue.

The problem occurs when the Edge SWG or ASG has an active network interface (NIC) that intercepts traffic, the NIC is manufactured by Intel, and one or more of the following conditions are true:

  • One or more VLANs are configured on that NIC.
  • The interface intercepts packets transparently (i.e., WCCP / PBR) and has bypass packets.
  • The interface is used for bridging packets (i.e., the interface is a member of passthru).

Cause

This problem occurs because the Intel NIC driver applies the LRO (large receive offload) optimization to VLAN, bypass, and bridged packets. LRO is a new feature of SGOS 6.7.x and is enabled by default upon upgrading to SGOS 6.7.x or later. More information on LRO can be found here.

This is a known SGOS bug, bug ID 258918. More information can be found in the latest SGOS 6.7 release notes. It is also a known Intel ixgbe driver issue, 22919, which no longer has a public link. Intel provided the following information about the issue:

WARNING:  The ixgbe driver compiles by default with the LRO (Large Receive
Offload) feature enabled.  This option offers the lowest CPU utilization for
receives, but is completely incompatible with *routing/ip forwarding* and
*bridging*.  If enabling ip forwarding or bridging is a requirement, it is
necessary to disable LRO using compile time options as noted in the LRO
section later in this document.  The result of not disabling LRO when combined
with ip forwarding or bridging can be low throughput or even a kernel panic.

This confirms that LRO is incompatible with routing/IP forwarding and bridging.

Resolution

Bug SG-7741 has been addressed in SGOS 6.7.3.7 and later SGOS versions. These versions add a CLI command that makes LRO a configurable option.

After upgrading to one of these SGOS versions, apply the following CLI commands to fix the issue:

# conf t
#(config) tcp-ip tcp-lro disable

Note: This is a hidden CLI command and is not displayed in the list of available CLI commands shown with '?'. This TCP option is stored permanently in the configuration and is preserved across reboots and upgrades to newer SGOS versions.

Also refer to ProxySG/ ASG hangs or goes unresponsive intermittently after 6.7.x upgrade
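
The conditions under Issue/Introduction and the version threshold under Resolution, combined into a fleet triage check. This is an added example, not Broadcom's code; the inventory fields, result labels and sample appliances are assumptions constructed for illustration.

```python
# Added example: fleet triage for the LRO issue described in this article.
# Field names, result labels and the sample fleet are constructed for illustration.
from dataclasses import dataclass

AFFECTED_FROM = (6, 7)       # LRO is enabled by default from SGOS 6.7.x
FIX_FROM = (6, 7, 3, 7)      # the tcp-lro CLI option exists from SGOS 6.7.3.7


def parse_version(text):
    """Turn '6.7.3.7' into (6, 7, 3, 7); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SGOS version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Interface:
    vendor: str                       # NIC manufacturer as recorded in the inventory
    intercepting: bool                # active and intercepting traffic
    vlans: int = 0                    # number of VLANs configured on the NIC
    transparent_bypass: bool = False  # WCCP/PBR interception with bypass packets
    bridged: bool = False             # member of a passthru bridge


def interface_at_risk(nic):
    """True when the NIC matches the conditions listed under Issue/Introduction."""
    if nic.vendor.lower() != "intel" or not nic.intercepting:
        return False
    return nic.vlans > 0 or nic.transparent_bypass or nic.bridged


def triage(version, interfaces):
    """Return 'not_affected', 'upgrade_then_disable_lro' or 'disable_lro'."""
    ver = parse_version(version)
    if ver < AFFECTED_FROM or not any(interface_at_risk(n) for n in interfaces):
        return "not_affected"
    return "disable_lro" if ver >= FIX_FROM else "upgrade_then_disable_lro"


if __name__ == "__main__":
    fleet = {  # constructed sample inventory
        "sg-edge-01": ("6.7.2.1", [Interface("Intel", True, vlans=3)]),
        "sg-edge-02": ("6.7.4.1", [Interface("Intel", True, bridged=True)]),
        "sg-core-01": ("6.6.5.1", [Interface("Intel", True, vlans=1)]),
    }
    for name, (version, nics) in fleet.items():
        print(f"{name}: SGOS {version} -> {triage(version, nics)}")
```

An appliance reported as `upgrade_then_disable_lro` is on a 6.7.x release older than 6.7.3.7, where the `tcp-ip tcp-lro disable` command is not yet available.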