FortiGate
Anthony_E, Staff
Article Id 195619

Description

This article explains why SSL VPN in web mode consumes many CPU cycles and allocates a large amount of memory.

High CPU and memory allocation is expected when SSL VPN web mode is in use.
SSL VPN web mode was designed as a short-term fallback for situations in which SSL VPN tunnel mode cannot be used.

The high resource usage is caused by the 'guacd' process, which has to translate the protocol behind each web mode bookmark (for example, RDP) into an HTML5 stream that the user's browser can display. Rendering a remote session into a stream of screen images is very resource-intensive in terms of CPU and memory, and each remote session opened through a web mode bookmark is handled by its own guacd process.

The resource usage of the guacd processes can be observed with several commands, for example:

diagnose sys top-summary
diagnose sys top

 

Both commands list the active processes and show that the guacd processes account for a large share of the CPU and memory in use.
In this case, migrate the users to tunnel mode and limit the number of SSL VPN web mode users.

Each guacd process allocates about 30-90 MB by default and, under load, 150 MB or more.

Example output of diagnose sys top-summary (the line marked * with [x33] is the summary line for the 33 guacd processes):

diagnose sys top-summary

   PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
 * 195       1G   39.7 14.8   862  00:51.36  guacd [x33]
    10624    75M   12.7  0.9    37  00:07.89  guacd
    10626    41M    0.2  0.5    37  00:01.15  guacd
    10627    53M    0.2  0.7    37  00:01.82  guacd
    10628    29M    0.0  0.4    37  00:00.49  guacd
    10629    62M    0.2  0.8    37  00:02.97  guacd
    10630    42M    0.4  0.5    37  00:00.85  guacd
    10641    59M    0.4  0.7    37  00:01.65  guacd
    10657    35M    0.0  0.4    37  00:00.80  guacd
    10662    40M    0.0  0.5    37  00:00.77  guacd
    10663    65M    0.4  0.8    37  00:01.58  guacd
    10668    53M    8.5  0.7    37  00:02.23  guacd
    8634     27M    0.0  0.4    31  00:00.25  guacd
    10685    30M    0.2  0.4    37  00:00.57  guacd
    10696    28M    0.0  0.4    37  00:00.47  guacd
    10698    32M    1.8  0.4    37  00:00.46  guacd
    3151     30M    0.0  0.4    31  00:00.27  guacd
    10704    28M    3.9  0.4    37  00:00.52  guacd
    10703    33M    1.1  0.4    37  00:00.39  guacd
    10590    41M    0.0  0.5    37  00:01.13  guacd
    10591    51M    0.2  0.6    37  00:01.18  guacd
    10592    46M    0.2  0.6    37  00:01.12  guacd
    10595    61M    0.0  0.8    37  00:01.64  guacd
    10600    54M    0.2  0.7    37  00:01.49  guacd
    10603    79M    0.4  1.0    37  00:03.98  guacd
    10604    35M    0.2  0.4    37  00:00.58  guacd
    10606    47M    1.1  0.6    37  00:01.50  guacd
    10607    79M    2.4  1.0    37  00:02.65  guacd
    10608    40M    0.0  0.5    37  00:00.93  guacd
    10609    85M    1.1  1.1    37  00:02.75  guacd
    10612    31M    0.0  0.4    37  00:00.55  guacd
    10614    67M    2.2  0.8    37  00:02.49  guacd
    10623    66M    1.7  0.8    37  00:03.98  guacd

 

Example output of diagnose sys top:

diagnose sys top

Run Time:  23 days, 21 hours and 51 minutes
30U, 0N, 23S, 35I, 0WA, 0HI, 12SI, 0ST; 7980T, 881F
           guacd    30909      R      85.0     1.1
           guacd    30139      S       2.0     1.1
           guacd    30592      S       2.0     1.0
           guacd    30724      S       1.0     1.1
           guacd    30672      S       1.0     1.1
           guacd    30177      S       1.0     1.1
           guacd    30884      S       1.0     0.4
           guacd    30315      S       0.0     1.1
           guacd    30127      S       0.0     1.1
           guacd    30115      S       0.0     1.1
           guacd    30023      S       0.0     1.1
           guacd    30078      S       0.0     1.1
           guacd    30298      S       0.0     1.1
           guacd    30006      S       0.0     1.1
           guacd    30260      S       0.0     1.1
           guacd    30218      S       0.0     1.1
           guacd    30179      S       0.0     1.1
           guacd    30039      S       0.0     1.1
           guacd    30568      S       0.0     1.1
           guacd    30351      S       0.0     1.1
           guacd    30380      S       0.0     1.1
           guacd    30355      S       0.0     1.1
           guacd    30331      S       0.0     1.1
           guacd    30128      S       0.0     1.0
           guacd    30259      S       0.0     1.0
           guacd    30300      S       0.0     1.0
           guacd    30229      S       0.0     1.0
           guacd    30040      S       0.0     1.0
           guacd    30936      S       0.0     1.0
           guacd    30545      S       0.0     1.0
           guacd    30053      S       0.0     1.0
           guacd    30444      S       0.0     1.0
           guacd    30940      S       0.0     1.0
           guacd    30370      S       0.0     0.9

 

As a rough estimate, each SSL VPN web mode user allocates around 100 MB of memory while the corresponding guacd process is under load.
The actual usage depends on the traffic, the protocol being rendered, the screen resolution of the client, and so on.

The maximum number of SSL VPN web mode users therefore depends on the total memory of the device. In the diagnose sys top output above, for example, the unit reports 7980 MB in total and 881 MB free (7980T, 881F), and each guacd process holds about 1% of that memory, which matches the estimate.

Be aware that this is not a memory leak but expected behavior.

The guacd processes simply require these resources to parse the traffic and render it as HTML5.

 

Scope

FortiGate.

Solution


To avoid high CPU or memory usage:

  • Use tunnel mode.
  • Limit the number of web mode connections.

Because of the resources it requires, web mode is not intended for large-scale or long-term use.
For long-term use, SSL VPN clients should be configured to use SSL VPN tunnel mode.
For example, remote users can download FortiClient through SSL VPN web mode and then connect via tunnel mode.
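As an added example that is not part of the original article, the following FortiOS CLI configuration implements both recommendations: the default portal offers tunnel mode only, and web mode is enabled only on a separate portal that is mapped to one small user group and restricted to a single session per user, so the number of guacd processes stays bounded by the size of that group. The portal names 'tunnel-only' and 'web-fallback' and the group name 'vpn-web-fallback' are assumptions chosen for this example; 'SSLVPN_TUNNEL_ADDR1' is the default SSL VPN address pool, and the options used are the standard 'config vpn ssl web portal' and 'config vpn ssl settings' settings.

```fortios
# Example configuration (not from the original article).
# Portal and group names are assumptions for this example.

config vpn ssl web portal
    # Default portal: tunnel mode only, no guacd involvement at all.
    edit "tunnel-only"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    # Fallback portal: web mode only, for a small group that cannot run FortiClient.
    edit "web-fallback"
        set tunnel-mode disable
        set web-mode enable
        # One SSL VPN session per user, so a user cannot multiply guacd processes
        # by logging in from several browsers at once.
        set limit-user-logins enable
    next
end

config vpn ssl settings
    # Everyone not matched by an authentication rule lands on the tunnel-only portal.
    set default-portal "tunnel-only"
    config authentication-rule
        edit 1
            # Only members of this (assumed) group get the web mode portal.
            set groups "vpn-web-fallback"
            set portal "web-fallback"
        next
    end
end
```

After applying this, get vpn ssl monitor lists the current SSL VPN logins and tunnel sessions, and the number of guacd processes shown by diagnose sys top-summary should not exceed the number of web mode sessions opened by members of the fallback group.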


Note: It is planned to improve this design limitation in future releases.


SSL VPN web mode is not supported on FortiGate 40F, 60F, and 90G series models; the affected models are listed in: Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models...

On FortiGate 50G, 70G, and 90G models, SSL VPN has been removed as of v7.4.8: SSL VPN not supported on FortiGate G-series Entry-Level models