Web Filtering is causing 100% CPU load and interrupts internet connection [SG310]

Hello everyone!

Today I decided to create this posting because we have an erratically recurring problem:

We have a UTM 9 SG310 as corporate solution.

Since 7th January, roughly around 9 and 15 we have daily interruptions.
The internet connection drops on all lines, the process httpprox spikes up to 380% and makes the CPU busy at 100%.

I noticed it happens at the same time when the "network protection reporting" shows a very high amount of violations:

I saw the incoming traffic is a bit higher than usual:

When the internet connection drops and I turn off the Web Filtering, the connection comes back immediately.

This brings me to the question of what I can do now.

  • How can I figure out what the violations in the Network Protection detail are? I saw it's only possible to sort by amount per day.
  • Where can I see the total amount of requests e.g. per minute or per hour, so kinda a different diagram?
  • Do I have any other possibilities to check what's wrong?

I need a way to narrow it down better.

Do you have any ideas?

Many thanks in advance for the help!

Dennis

  • Hi Dennis.  UTM reporting isn't granular enough to check the total requests to the web proxy by minute, by hour, etc.  Likely you would need iView to see that kind of data.  

    One of two things is happening.  Either there are sufficient requests going through the http proxy to cause CPU to spike to 100% (highly unlikely), or there's something going on which support should take a look at.  

    What firmware version are you on?  Are you using dual or single engine A/V scanning in the policies?  If single, what engine is displayed under Management > System Settings > Scan Settings?

    Tim

  • In reply to TimHansen:

    Hey Tim,

    thank you for your answer.

    We are not using Email Protection so I guess we are using 'single AV'?

    Under Management > System Settings > Scan Settings we are using as 'Antivirus Engine Preferences' the Scan Engine "Sophos"

    Our UTM 9 Version information is:

    • Firmware version: 9.510-5
    • Pattern version: 156420

    Most of the day the CPU is around 4-6 percent, RAM around 15% and the Data Disk also <10%.
    So strange things are happening :)

    I hope this helps to narrow down the problem even further.

    Many thanks in advance again! :)

    Best Regards
    Dennis

  • In reply to DennisSar:

    Actually when I said single or dual scan, I was referring to inside web protection.  If you look at the Filter Action in one of your Policies, you can see under Antivirus there's an option to select Single scan or Dual scan. 

    If you're using single scan, go back to Management > System Settings > Scan Settings and change the single scan engine to Avira.  If you notice that this doesn't change the behavior, give us a call to open a support case.   There's no way CPU should go from 4-6% up to 100%. 

    Tim

  • In reply to TimHansen:

    We are not using any policies in the Web Protection > Web Filtering.

    I also changed the Scan engine in Management > System Settings > Scan Settings from "Sophos" to "Avira" without positive result.

    But -regardless of the scan engine- it's even worse now!
    When I turn on the Web Filtering the CPU goes up to 100% (web gui) immediately and interrupts the internet connection.

    So yeah, what do I need to do to raise a support request?
    Can you get in touch with me via my e-mail addy I'm using here or is there a portal (this is the first time we have to contact you - which is actually good ;) )

    Many thanks again!

    Dennis

  • In reply to DennisSar:

    Dennis, you can raise a support case through here https://secure2.sophos.com/en-us/support/open-a-support-case.aspx, which will automatically generate a case on our end.  An engineer will reach out to you in turn.  Alternatively you can use the "For Critical Cases" option on the left of that page to find out the phone number for technical support in your region.  Likely they will ask for a serial number of the appliance in order to look up your account, so have that ready. 

    Tim
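Added example, not part of the thread and not Sophos code: one way to get the per-minute request view Dennis asks for is to bucket an exported Web Filtering log offline and flag the minutes that stand out, together with the busiest client in each. The line layout (timestamp, host, `httpproxy[pid]:`, then `key="value"` pairs including `srcip`) is an assumption about the exported log, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed line layout: 'YYYY:MM:DD-HH:MM:SS host httpproxy[pid]: key="value" ...'
LINE_RE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d):\d\d \S+ httpproxy\[\d+\]: (.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def bucket_by_minute(lines):
    """Return {minute: Counter(srcip -> requests)} for web proxy log lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, truncated lines
        fields = dict(FIELD_RE.findall(m.group(2)))
        if "srcip" in fields:
            buckets[m.group(1)][fields["srcip"]] += 1
    return dict(buckets)

def spikes(buckets, factor=2.0):
    """Minutes whose request total exceeds factor x the median minute."""
    totals = {minute: sum(c.values()) for minute, c in buckets.items()}
    if not totals:
        return []
    limit = factor * median(totals.values())
    return [(minute, n, buckets[minute].most_common(1)[0])
            for minute, n in sorted(totals.items()) if n > limit]

def _line(ts, srcip):  # builds one constructed sample line
    return (f'{ts} utm httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" '
            f'sub="http" name="http access" action="pass" method="GET" '
            f'srcip="{srcip}" url="http://example.com/"')

# Constructed sample, not taken from the thread
SAMPLE = (
    [_line("2019:01:08-09:00:05", "10.0.0.11"), _line("2019:01:08-09:00:40", "10.0.0.12")]
    + [_line(f"2019:01:08-09:01:{s:02d}", "10.0.0.23") for s in range(5)]
    + [_line("2019:01:08-09:01:30", "10.0.0.11"), _line("2019:01:08-09:02:10", "10.0.0.12")]
    + ['2019:01:08-09:01:31 utm ulogd[4321]: id="2001" srcip="203.0.113.9"']
)

if __name__ == "__main__":
    for minute, total, (ip, hits) in spikes(bucket_by_minute(SAMPLE)):
        print(f"{minute}  {total} requests, busiest client {ip} ({hits})")
```

If no minute stands out around the times the CPU spikes, request volume is unlikely to be the cause, which matches Tim's assessment that the case belongs with support.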