Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dawid_chrzan
New Contributor

proxyworker high CPU usage

Hi

to begin with - i am new to Fortigate :)

We have 90D in test lab with one laptop for now.

Firmware Versionv5.2.5,build701

WAN connection is 100mbps.

When downloading - one http session - big file 650MB tar.gz file  CPU of our fortigate goes 95-99%.

 

diag sys top - show that it is proxyworker that consumes all of cpu

I use web filter default profile.

 

Is it normal that cpu is so high ?

7 REPLIES 7
Danilo_Mastantuono
New Contributor

Hi Dawid,

 

I remember that I had a similar error when I had upgraded to firmware 5.2.5.

Do you have policies using SSL Inspection Profile with Full SSL Inspection and inspecting all ports?

I could solve this issue changing my profile to:

 

Inspection Method: SSL certificate Inspection 

These setting are located in Policy & Objects -> SSL Inspection.

 

I did not receive any errors and high CPU after doing this.

 

dawid_chrzan

Hi

regardles what SSL Inspection Profile i use - certificate-inspection or deep-inspection - it is the same CPU effect 99%.

It does not affect CPU even i turn OFF SSL Inspection at all.

 

What doese make a difference is turning OFF web fitler.

dawid_chrzan
New Contributor

Today i noticed that when i turn OFF all except Webfilter in Policy

and start to download 1,4GB TAR.GZ file - then CPU is 99%

but when i start to download 1,4GB text file = cpu is 5%

tgo

I have also the same problem.

proxyworker is crashed periodically. (cpu util  is also almost 100%)

Did you solve the problem?

If so, Please let me know.

Gianluca_Caldi
New Contributor

Hi,

 

we got exactly the same issue on our "old" 300C and 60C. After a lot of investigation with Fortinet technicians on site we discovered that the issue is linked to SSL deep inspection because some of the encryption/decryption algorithms for TLS 1.2 cannot be offloaded to the hardware (CP6 on the FGT300C). As most of the web sites is moving to more secure encryption (meaning longer keys) the old boxes are no more able to manage it on the CP and have to manage it via CPU.

 

You can look at the "top visited" sites and have a look at which algorith is negotiated. As an example one of our top-most site was "live.com" and here TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is used but:

 

on the FG300C platform, AES256 can be offloaded, but the hash algorithm (SHA384) will be performed in CPU. on the FGT60C platform, there is no hardware acceleration modules, so AES256, SHA384 will be performed in CPU.

 

Bottom line: boxers with no hardware acceleration or with old CP processors are not able to use the hardware acceleration anymore with the new crypto keys. No way to resolve this except for disabling the SSL deep inspetion or moving to some "faster" box until fortinet will come up with new models able to manage the new encryption leves.

 

We got months to go till the end of this issue (and a lot of customer screams)  so I hope this can be of help for you to save time and efforts...

 

Bye

Gianluca

FGT: 50E,100D, 200D, 600D
FMG: VM64

FAZ: VM64

FGT: 50E,100D, 200D, 600DFMG: VM64 FAZ: VM64
tgo

we have 310B device.

we tried to disable the SSL deep inspection but problem is not solved.

we also patched fortiOS5.2.6 to solve this problem but it was not solved.

proxyworker process is crashed periodically(3~4 times in an hour) and internet is stopped at that moment.

After a few seconds internet is reconnected normally. (it seems that crashed proxyworker process is relaunched automatically)

 

 

Gianluca_Caldi

Hi,

I checked our documentation. We had the exact same issue on our 300C using 5.2.5. This behaviour was recognized has a bug (proxyworker stucking cpu to 100% and continuosly restarting) and was fixed in 5.2.6. It's not related to ssl deep inspection (we had other issues with this...) so sorry for having you mis-headed. We solved the issue with the release of 5.2.6 (you also see some proxyworkes issue addressed in this release) so.. no idea why the upgrade didn't fixed it for you.

Bye

Gianluca

FGT: 50E,100D, 200D, 600D
FMG: VM64

FAZ: VM64

FGT: 50E,100D, 200D, 600DFMG: VM64 FAZ: VM64
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors