This discussion has been locked.

httpproxy High CPU Utilization

Hi All,

For the last couple of days, my CPU utilization has been hovering between 20% and 98% with no web traffic of any kind happening. Running TOP shows that the httpproxy is what is eating up all of the CPU. This initially started after I updated to 9.400-9 on March 30th. At first there were a few blips throughout the day; however, now this is a consistently high CPU% for most of the day.

Here is what I've done so far...

  • Restarting httpproxy does not help. If I turn off Web Filtering then CPU goes back to normal (normal for me is between 0% and 3%)
  • Loaded the db to memory (cc set http sc_local_db mem)
  • Shortened my log retention window from indefinite to 7 days
  • Rebuilt my postgresql
  • Running in HA so swapped the master node from Node 1 to Node 2 and same issue appears (was trying to see if it was hardware related)
  • Rebooting also isn't fixing the issue

This is the CPU% when I started seeing the issue...

This is today's CPU%...

Any thoughts as to what might be happening? I wasn't seeing this behaviour at all before the last update.

I'm running Sophos Home UTM in HA (Active-Passive) on a pair of Dell PowerEdge R210II each with E3-1270 CPU, 8GB RAM, and 500GB HDD.



  • So after a few days of trying to figure out what was driving such a high CPU %, I've finally got it! I have 10 endpoints with Sophos Endpoint Protection set up on the UTM with 3 of them having Web Control enabled. As soon as I disable Web Control, CPU usage returns to previous levels. Enable Web Control and CPU % shoots up to 30% or more... and this is with only 3 endpoints.

    The interesting thing is that I've always had those same endpoints protected so something has changed with how the Endpoint Protection interacts with Sophos UTM.

  • Longtime issue... what you have to do is tell the UTM to bypass web filtering for the clients running endpoint control, or the UTM scans everything TWICE along with the scanning done by the endpoints. This means the UTM is basically bypassed for Sophos endpoints behind a UTM. The way to do this is go into the UTM WebAdmin > Endpoint Protection > Web Control > Advanced and uncheck "scan traffic on both gateway and endpoint". Hit Apply and see if this helps the CPU usage issue.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow
