UTM 9.4 Home Edition - High CPU load

Hello together,

since upgrading my virtual UTM Home Edition system to 9.4 I notice a high CPU load. With 9.3 the CPU load was at an average of 6 %. Now it's near to 100 %.

This is an actual TOP:

top - 08:53:39 up 1 day, 18:07,  1 user,  load average: 20.05, 13.08, 10.44
Tasks: 175 total,   1 running, 172 sleeping,   0 stopped,   2 zombie
Cpu0  : 53.1%us, 46.5%sy,  0.0%ni,  0.3%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  : 53.1%us, 46.9%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   4055352k total,  3790508k used,   264844k free,   174556k buffers
Swap:  6291448k total,   292020k used,  5999428k free,  1330088k cached

  PID USER      PR  NI  VIRT  RES  SHR S   %CPU %MEM    TIME+  COMMAND
 6163 httpprox  20   0 1412m 1.1g  17m S    194 27.3   4236:40 /var/chroot-http/
 5943 root      20   0 65808  26m 4496 S      3  0.7  23:39.25 /usr/sbin/acc-age
 5479 root      20   0 22168 3296 1764 S      1  0.1  36:34.08 ./ctipd.bin -l /u
 3467 root      20   0  5328 1900 1656 S      0  0.0   1:40.19 /usr/bin/vmtoolsd
 3557 root      20   0  8976 3160 1708 S      0  0.1   0:25.12 /usr/local/bin/sy
 4819 root      20   0 10408 5652 2172 S      0  0.1   1:56.12 /usr/sbin/syslog-
 5510 httpprox  20   0  130m 106m  51m S      0  2.7   1:33.99 /var/chroot-http/
    1 root      20   0  1932  528  504 S      0  0.0   0:02.00 init [3]
    2 root      20   0     0    0    0 S      0  0.0   0:00.02 [kthreadd]
    3 root      20   0     0    0    0 S      0  0.0   0:15.32 [ksoftirqd/0]
    5 root       0 -20     0    0    0 S      0  0.0   0:00.00 [kworker/0:0H]
    7 root      RT   0     0    0    0 S      0  0.0   0:00.82 [migration/0]
    8 root      20   0     0    0    0 S      0  0.0   0:02.25 [rcu_bh]
    9 root      20   0     0    0    0 S      0  0.0   0:55.43 [rcu_sched]
   10 root      RT   0     0    0    0 S      0  0.0   0:00.74 [migration/1]
   11 root      20   0     0    0    0 S      0  0.0   0:06.11 [ksoftirqd/1]

Everything seems to run fine, but the ESXi host is under high CPU pressure and my other running VMs are sometimes a bit slow.

Does anyone else have the same experience with UTM 9.4?

Thank you.



  • 9.401-11

    esxi reporting 1.4% avg cpu usage

  • turn off the endpoint protection - web Control

    https://community.sophos.com/products/unified-threat-management/f/52/t/75973

    also seeing the same issue reported on the Spiceworks forum

  • Also see this thread which I believe may be associated with the general Endpoint issues...

    community.sophos.com/.../75973

  • Unknown said:

    9.401-11

    esxi reporting 1.4% avg cpu usage

    I showed you the UTM top - not the CPU load of the ESXi. I will update to 9.401-11 this evening. There's no information about solving high CPU loads, but maybe this will help.

    Kind Regards

    TheExpert

  • maxsecobj said:

    turn off the endpoint protection - web Control

    https://community.sophos.com/products/unified-threat-management/f/52/t/75973

    also seeing the same issue reported on the Spiceworks forum

    In the thread you've linked here there's no information about high CPU load. My Endpoint Security is working without the issues discussed in this thread.

    Kind Regards

    TheExpert

  • I'm on 9.401-11

    My CPU is at 3%

    Firewall with 10 Rules

    IPS

    9 NAT rules

    5 VLANS

    Web filtering enabled

    Network visibility enabled

    Endpoint protection with 8 endpoints

    SSLVPN

    Web Application Firewall with 11 virtual servers

    A/V and Antispyware. 

    I have a Core2Duo 1.86 GHz machine and 6 GB RAM. I've never seen the CPU spike.

    I also have an ESXi-based VM of UTM 9.4 running in a sandbox with 2 vCPUs and 2 GB RAM, which is also running at 4% CPU usage with 5 features enabled.

    --
    SCA/UTM/XG  Sophos Platinum Partner

  • If you have Endpoint installed on any PCs or servers, do yourself a favor and disable the Endpoint Web Control then wait a couple minutes and run ATOP again and see where your httpproxy CPU is sitting. I'm betting it is related to that. It was for me. Since disabling Endpoint Web Control, everything is normal.

    Endpoint Protection -> Web Control -> Global and disable.

  • NashBrydges said:

    If you have Endpoint installed on any PCs or servers, do yourself a favor and disable the Endpoint Web Control then wait a couple minutes and run ATOP again and see where your httpproxy CPU is sitting. I'm betting it is related to that. It was for me. Since disabling Endpoint Web Control, everything is normal.

    Endpoint Protection -> Web Control -> Global and disable.

    After updating to 9.401-11 the CPU load was still near to 100%. Now, after deactivating Endpoint Web Control the CPU load decreased to normal state. Thank you for your help. What's going wrong in UTM 9.4 with the Endpoint Web Control?
    But now my endpoints don't have Web Control when they're out of my protected network :(. Does Sophos know about this issue?

    Kind Regards

    TheExpert

  • Yeah, unfortunately updating to 9.401-11 didn't help. As to whether Sophos knows of this issue, if they monitor these forums they do. But I haven't opened a support request with them since I'm running the Home version.

    You should know that if you eventually plan to upgrade to Sophos XG Home, you will no longer have the endpoint protection included with the UTM. If you want to retain Sophos for Endpoint, you'll have to purchase their Cloud Endpoint product. 

  • Hi TheExpert,

    This is a bug related to defective broker servers from Sophos. The endpoints behind your Sophos will connect to the broker hosts when you have web protection from the endpoints controlled by the UTM directly or via Sophos Enterprise Console.

    When you look into your proxy log, you will find massive connections to http://hostnameofyourutminendpontprotectionadvancedtab.broker.sophos.com/ with a 500 or 503 error.

    These connections bring your HTTP proxy to 100% CPU load.

    Sophos is troubleshooting this bug at the moment, but it is not fixed yet.

    You can block the broker server traffic at the affected filter action in your webprotection like this:

    Disable Filter Action exceptions with the broker regex!!

    This will bring your UTM back to normal CPU usage level.

    Setting a transparent proxy exception for the UTM broker hostname does not help; the proxy is ignoring this exception. :(

    I have found this bug and can reproduce this on any UTM with 9.4-009 and endpoints behind the UTM communicating with a broker server that distributes defective data (HTTP 500 / 503 error).

    A bugfix is not available, but this workaround should help.

    Cheers Andreas

     

    UTM SCE/SCA | Endpoint SCE
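
Added example, not part of the original thread or any Sophos tooling: a small script for the proxy-log check described in the last reply, counting requests to `*.broker.sophos.com` that returned HTTP 500 or 503, grouped by client. The `key="value"` log layout, the field names `statuscode`, `url` and `srcip`, and the sample hostnames are assumptions; adjust them to match your own log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (not taken from a real UTM). The key="value"
# layout and the field names are assumptions about the proxy log format.
SAMPLE_LOG = """\
2016:04:20-08:53:01 utm httpproxy[6163]: name="http access" srcip="192.0.2.10" statuscode="503" url="http://myutm.broker.sophos.com/"
2016:04:20-08:53:01 utm httpproxy[6163]: name="http access" srcip="192.0.2.10" statuscode="503" url="http://myutm.broker.sophos.com/"
2016:04:20-08:53:02 utm httpproxy[6163]: name="http access" srcip="192.0.2.11" statuscode="500" url="http://myutm.broker.sophos.com/"
2016:04:20-08:53:02 utm httpproxy[6163]: name="http access" srcip="192.0.2.11" statuscode="200" url="http://www.example.org/"
2016:04:20-08:53:03 utm httpproxy[6163]: name="http access" srcip="192.0.2.12" statuscode="503" url="http://www.example.org/down"
2016:04:20-08:53:03 utm httpproxy[6163]: name="http access" srcip="192.0.2.12" statuscode="503" url="http://broker.sophos.com.example.net/"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
BROKER_SUFFIX = ".broker.sophos.com"


def broker_failures(lines, suffix=BROKER_SUFFIX, codes=("500", "503")):
    """Count failing broker requests, keyed by (srcip, host, statuscode)."""
    hits = Counter()
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        try:
            host = (urlsplit(fields.get("url", "")).hostname or "").lower()
        except ValueError:  # malformed URL in the log line
            continue
        # Suffix match on the parsed hostname, so a lookalike such as
        # broker.sophos.com.example.net is not counted.
        if host.endswith(suffix) and fields.get("statuscode") in codes:
            hits[(fields.get("srcip", "?"), host, fields["statuscode"])] += 1
    return hits


def broker_share(lines):
    """Return (failing broker requests, total non-empty log lines)."""
    lines = [l for l in lines if l.strip()]
    return sum(broker_failures(lines).values()), len(lines)


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for (src, host, code), n in broker_failures(log).most_common():
        print(f"{n:6d}  {src:15s}  {code}  {host}")
    print("failing broker requests / total lines: %d / %d" % broker_share(log))
```

Running it before and after applying the workaround shows whether the failing broker requests have actually stopped and which endpoints were generating them.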