
ProxySG/ASG responding slowly with user traffic after 6.7.x upgrade


Article ID: 173782


Updated On:

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

ProxySG/ASG may respond slowly after being upgraded to 6.7.x for the first time. Downgrading back to an older SGOS version (i.e. 6.5.x or 6.6.x), without any configuration change, resolves the issue. This is observed when the ProxySG/ASG has an active network interface (NIC) on which user traffic is intercepted, the manufacturer of that NIC is Intel, and one of the following conditions is true:

  • one or more VLANs are configured on that NIC.
  • that interface intercepts packets transparently (i.e. WCCP / PBR) and has bypass packets.
  • that interface is used for bridging packets (i.e. the interface is a member of passthru).

Cause

This problem is caused by incorrect LRO (large receive offload) handling of VLAN, bypass and bridged packets by the Intel NIC driver. LRO is a new feature in SGOS 6.7.x and is enabled by default upon upgrade to SGOS 6.7.x. More information on LRO can be found here

This is known bug # 258918. More information can be found in the latest release notes for SGOS 6.7.x. Release notes from Intel, which can be found here, also confirm that LRO is incompatible with "routing/ip forwarding, bridging".

Resolution

Bug # 258918 has been addressed in SGOS 6.7.3.7 and later SGOS versions. In these versions a CLI command has been added to make LRO a configurable option. After upgrading to one of these SGOS versions to obtain the fix, apply the CLI commands below:

# conf t
#(config) tcp-ip tcp-lro disable

Note - This CLI command is a 'hidden CLI command' and is not displayed among the available CLI commands with '?'. When this change is made on the SG, it is stored in the configuration permanently and preserved upon reboot or upgrade to higher SGOS versions.

Also please refer to 173767