This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

afcd cpu usage

First of all sorry for my ignorance but I would like to know what exactly afcd does, I couldn’t find any information about it in the help and the forum. My problem is that it seems to limit my VPN speed by using all the cpu and it would be great if I could do something against it.



This thread was automatically locked due to age.
Parents
  • You can see activity from the "Application Flow Control daemon" in the Application Control and Advanced Threat Protection logs.  Rather than disabling anything, perhaps you could check your logs to see if there are some simple exclusions you can make.  Any luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your response. Meanwhile I know that afcd is the Advanced Threat Protection, in the afc log I see these entries repeating during running speedtest

    2018:04:30-09:35:29 host24 afcd[30817]: WARNING! packet already has AFC mark value (0x000034b6), replacing with 0x0000207c

    If adcd is turned off snort is the limiting factor, it consumes all the CPU while running the test, my maximum speed with L2TP VPN is about 150Mbit. What’s very strange and I can’t find a reason for it is that if I turn IPS off my speed drops to about 30Mbit with very low CPU usage. This is not logical it should be faster, shouldn't it? What am I missing?

Reply
  • Thanks for your response. Meanwhile I know that afcd is the Advanced Threat Protection, in the afc log I see these entries repeating during running speedtest

    2018:04:30-09:35:29 host24 afcd[30817]: WARNING! packet already has AFC mark value (0x000034b6), replacing with 0x0000207c

    If adcd is turned off snort is the limiting factor, it consumes all the CPU while running the test, my maximum speed with L2TP VPN is about 150Mbit. What’s very strange and I can’t find a reason for it is that if I turn IPS off my speed drops to about 30Mbit with very low CPU usage. This is not logical it should be faster, shouldn't it? What am I missing?

Children
  • The "Application Flow Control daemon" (afcd) and Snort are both used to detect undesirable traffic that can be reported in several logs.  Watching the Live Logs of Advanced Threat Protection, Application Control and Intrusion Prevention one at a time to see if there are IPs/subnets you might want to exclude.

    You might want to read threads in the Installation forum that discuss CPU power and the throughput one can expect.  Also, discussions of speed measurement techniques.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't have problems with unwanted traffic I just want to maximize my VPN throughput. The logs you mentioned are basically empty, no problem there but when I try to move a large file between a host and a server behind the UTM my speed seems to be limited by the CPU because those two services cause a 100% usage despite the fact that the both the VPN network and IPSec service are on the exception list. As I wrote if I turn snort completely off my speed drops to 30Mbit and that – to me at least – is a mystery.