dawid_chrzan
New Contributor

proxyworker high CPU usage

Hi

To begin with - I am new to FortiGate :)

We have a 90D in a test lab with one laptop for now.

Firmware Version v5.2.5,build701

WAN connection is 100 Mbps.

When downloading a big 650MB tar.gz file in one HTTP session, the CPU of our FortiGate goes to 95-99%.

diag sys top shows that it is proxyworker that consumes all of the CPU.

I use the default web filter profile.

Is it normal that the CPU is so high?

Danilo_Mastantuono
New Contributor

Hi Dawid,

 

I remember that I had a similar error when I had upgraded to firmware 5.2.5.

Do you have policies using SSL Inspection Profile with Full SSL Inspection and inspecting all ports?

I could solve this issue by changing my profile to:

Inspection Method: SSL certificate Inspection

These settings are located in Policy & Objects -> SSL Inspection.

 

I did not receive any errors and high CPU after doing this.

 

dawid_chrzan

Hi

Regardless of which SSL Inspection Profile I use - certificate-inspection or deep-inspection - it is the same CPU effect: 99%.

It does not affect the CPU even if I turn OFF SSL Inspection altogether.

What does make a difference is turning OFF the web filter.

dawid_chrzan
New Contributor

Today I noticed that when I turn OFF everything except Webfilter in the policy

and start to download a 1,4GB TAR.GZ file, the CPU is at 99%,

but when I start to download a 1,4GB text file, the CPU is at 5%.

tgo

I also have the same problem.

proxyworker crashes periodically (CPU utilization is also almost 100%).

Did you solve the problem?

If so, please let me know.

Gianluca_Caldi
New Contributor

Hi,

 

We got exactly the same issue on our "old" 300C and 60C. After a lot of investigation with Fortinet technicians on site we discovered that the issue is linked to SSL deep inspection, because some of the encryption/decryption algorithms for TLS 1.2 cannot be offloaded to the hardware (CP6 on the FGT300C). As most web sites are moving to more secure encryption (meaning longer keys), the old boxes are no longer able to manage it on the CP and have to manage it via CPU.

You can look at the "top visited" sites and have a look at which algorithm is negotiated. As an example, one of our top-most sites was "live.com", and here TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is used, but:

On the FG300C platform, AES256 can be offloaded, but the hash algorithm (SHA384) will be performed in CPU. On the FGT60C platform, there are no hardware acceleration modules, so AES256 and SHA384 will be performed in CPU.

Bottom line: boxes with no hardware acceleration or with old CP processors are not able to use the hardware acceleration anymore with the new crypto keys. No way to resolve this except for disabling the SSL deep inspection or moving to some "faster" box until Fortinet comes up with new models able to manage the new encryption levels.

 

We got months to go till the end of this issue (and a lot of customer screams)  so I hope this can be of help for you to save time and efforts...

 

Bye

Gianluca

FGT: 50E,100D, 200D, 600D
FMG: VM64

FAZ: VM64
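
Added example (not part of any post in this thread, and not Fortinet code): a sketch of the check described in the reply above, splitting negotiated TLS 1.2 suite names into bulk cipher and hash and tallying the sessions whose primitives are not in a platform's offload set. The `OFFLOAD` table holds only the two statements from that reply, taken as assumptions, and `OBSERVED` is a constructed sample.

```python
from collections import Counter

# Assumption: each offload set contains only what the reply above states.
OFFLOAD = {
    "FG300C": {"AES_256"},  # reply: AES256 offloaded, SHA384 done in CPU
    "FGT60C": set(),        # reply: no hardware acceleration modules
}
MODES = {"CBC", "GCM"}

def parse_suite(name):
    """Split a TLS 1.2 IANA suite name into (key_exchange, cipher, hash)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    parts = rest.split("_")
    # Last token must be the HMAC hash (CBC) or PRF hash (GCM); CCM names lack it.
    if len(parts) < 2 or not parts[-1].startswith(("SHA", "MD5")):
        raise ValueError(f"unsupported suite name layout: {name!r}")
    # The mode is dropped because the reply speaks only of AES256 and SHA384.
    cipher = [p for p in parts[:-1] if p not in MODES]
    return kx, "_".join(cipher), parts[-1]

def cpu_primitives(suite, platform):
    """Cipher/hash primitives of `suite` absent from the platform's offload set."""
    _, cipher, digest = parse_suite(suite)
    return [p for p in (cipher, digest) if p not in OFFLOAD[platform]]

def cpu_load(observed, platform):
    """Sessions per primitive that would be handled in CPU on `platform`."""
    load = Counter()
    for suite, sessions in observed.items():
        for prim in cpu_primitives(suite, platform):
            load[prim] += sessions
    return load

# Constructed sample: suites negotiated by top-visited sites, with session counts.
OBSERVED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 120,  # suite named in the reply
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 80,
}

if __name__ == "__main__":
    for box in OFFLOAD:
        print(box, dict(cpu_load(OBSERVED, box)))
```

Replace `OBSERVED` with tallies from your own logs, and extend `OFFLOAD` only with values confirmed for your hardware.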

tgo

We have a 310B device.

We tried to disable the SSL deep inspection but the problem is not solved.

We also patched to FortiOS 5.2.6 to solve this problem but it was not solved.

The proxyworker process crashes periodically (3~4 times in an hour) and the internet stops at that moment.

After a few seconds the internet reconnects normally (it seems that the crashed proxyworker process is relaunched automatically).

 

 

Gianluca_Caldi

Hi,

I checked our documentation. We had the exact same issue on our 300C using 5.2.5. This behaviour was recognized as a bug (proxyworker sticking the CPU at 100% and continuously restarting) and was fixed in 5.2.6. It's not related to SSL deep inspection (we had other issues with this...), so sorry for having misled you. We solved the issue with the release of 5.2.6 (you can also see some proxyworker issues addressed in this release), so... no idea why the upgrade didn't fix it for you.

Bye

Gianluca

FGT: 50E,100D, 200D, 600D
FMG: VM64

FAZ: VM64
