FortiGate
Anthony_E
Community Manager
Article Id 195619

Description
This article explains why SSL VPN in web mode uses many CPU cycles and allocates a large amount of memory.

Using SSL VPN in web mode is expected to allocate a lot of CPU and memory resources.
SSL VPN web mode was designed as a short-term fallback for cases where SSL VPN tunnel mode cannot be used.

The high resource allocation is caused by the guacd process (the Apache Guacamole proxy daemon), which has to translate the configured protocols (for example RDP or HTTPS) into an HTML5 stream so that the session can be presented to the client in the browser. Converting these protocols into a stream of rendered screen images is very resource intensive in terms of both CPU and memory.

The performance of the guacd process can be observed with several commands, for example:

# diagnose sys top-summary
# diagnose sys top

These process listings will show that a lot of CPU or memory is consumed by the guacd processes.
In that case, migrate the users to tunnel mode instead and limit the number of SSL VPN web mode users.

By default each guacd process allocates about 30-90 MB, and under load 150 MB or more.

An example output of:

# diagnose sys top-summary

   PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
 * 195       1G   39.7 14.8   862  00:51.36  guacd [x33]
    10624    75M   12.7  0.9    37  00:07.89  guacd
    10626    41M    0.2  0.5    37  00:01.15  guacd
    10627    53M    0.2  0.7    37  00:01.82  guacd
    10628    29M    0.0  0.4    37  00:00.49  guacd
    10629    62M    0.2  0.8    37  00:02.97  guacd
    10630    42M    0.4  0.5    37  00:00.85  guacd
    10641    59M    0.4  0.7    37  00:01.65  guacd
    10657    35M    0.0  0.4    37  00:00.80  guacd
    10662    40M    0.0  0.5    37  00:00.77  guacd
    10663    65M    0.4  0.8    37  00:01.58  guacd
    10668    53M    8.5  0.7    37  00:02.23  guacd
    8634     27M    0.0  0.4    31  00:00.25  guacd
    10685    30M    0.2  0.4    37  00:00.57  guacd
    10696    28M    0.0  0.4    37  00:00.47  guacd
    10698    32M    1.8  0.4    37  00:00.46  guacd
    3151     30M    0.0  0.4    31  00:00.27  guacd
    10704    28M    3.9  0.4    37  00:00.52  guacd
    10703    33M    1.1  0.4    37  00:00.39  guacd
    10590    41M    0.0  0.5    37  00:01.13  guacd
    10591    51M    0.2  0.6    37  00:01.18  guacd
    10592    46M    0.2  0.6    37  00:01.12  guacd
    10595    61M    0.0  0.8    37  00:01.64  guacd
    10600    54M    0.2  0.7    37  00:01.49  guacd
    10603    79M    0.4  1.0    37  00:03.98  guacd
    10604    35M    0.2  0.4    37  00:00.58  guacd
    10606    47M    1.1  0.6    37  00:01.50  guacd
    10607    79M    2.4  1.0    37  00:02.65  guacd
    10608    40M    0.0  0.5    37  00:00.93  guacd
    10609    85M    1.1  1.1    37  00:02.75  guacd
    10612    31M    0.0  0.4    37  00:00.55  guacd
    10614    67M    2.2  0.8    37  00:02.49  guacd
    10623    66M    1.7  0.8    37  00:03.98  guacd

An example output of:

# diagnose sys top

Run Time:  23 days, 21 hours and 51 minutes
30U, 0N, 23S, 35I, 0WA, 0HI, 12SI, 0ST; 7980T, 881F
           guacd    30909      R      85.0     1.1
           guacd    30139      S       2.0     1.1
           guacd    30592      S       2.0     1.0
           guacd    30724      S       1.0     1.1
           guacd    30672      S       1.0     1.1
           guacd    30177      S       1.0     1.1
           guacd    30884      S       1.0     0.4
           guacd    30315      S       0.0     1.1
           guacd    30127      S       0.0     1.1
           guacd    30115      S       0.0     1.1
           guacd    30023      S       0.0     1.1
           guacd    30078      S       0.0     1.1
           guacd    30298      S       0.0     1.1
           guacd    30006      S       0.0     1.1
           guacd    30260      S       0.0     1.1
           guacd    30218      S       0.0     1.1
           guacd    30179      S       0.0     1.1
           guacd    30039      S       0.0     1.1
           guacd    30568      S       0.0     1.1
           guacd    30351      S       0.0     1.1
           guacd    30380      S       0.0     1.1
           guacd    30355      S       0.0     1.1
           guacd    30331      S       0.0     1.1
           guacd    30128      S       0.0     1.0
           guacd    30259      S       0.0     1.0
           guacd    30300      S       0.0     1.0
           guacd    30229      S       0.0     1.0
           guacd    30040      S       0.0     1.0
           guacd    30936      S       0.0     1.0
           guacd    30545      S       0.0     1.0
           guacd    30053      S       0.0     1.0
           guacd    30444      S       0.0     1.0
           guacd    30940      S       0.0     1.0
           guacd    30370      S       0.0     0.9

As a rough estimate, each SSL VPN web mode user allocates around 100 MB of memory when the process is under load.
Actual usage depends on the traffic, the protocol types being processed, the screen resolution of the client, and so on.

The maximum number of SSL VPN web mode users therefore varies with the total memory of the device.

Be aware that this is not a memory leak but expected behaviour.

The guacd processes simply require these resources to parse the traffic and convert it into HTML5.
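The following Python script is an added example and not part of the original article or of FortiOS. It parses an excerpt of the "diagnose sys top-summary" output shown above (embedded here as a constructed sample, with the aggregate "[x33]" row skipped), sums the guacd RSS and CPU figures, reads the total and free memory from the "diagnose sys top" header line (the T and F fields are read as total and free MB, which is an assumption), and applies the article's ~100 MB per user rule of thumb to estimate how many web mode users the device can carry. The 25% memory headroom reserved for the rest of the system is an illustrative assumption, not a FortiOS value.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the "diagnose sys top-summary" output
# shown on this page (header, aggregate row and eleven guacd workers).
TOP_SUMMARY_SAMPLE = """\
   PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
 * 195       1G   39.7 14.8   862  00:51.36  guacd [x33]
    10624    75M   12.7  0.9    37  00:07.89  guacd
    10626    41M    0.2  0.5    37  00:01.15  guacd
    10627    53M    0.2  0.7    37  00:01.82  guacd
    10628    29M    0.0  0.4    37  00:00.49  guacd
    10629    62M    0.2  0.8    37  00:02.97  guacd
    10630    42M    0.4  0.5    37  00:00.85  guacd
    10641    59M    0.4  0.7    37  00:01.65  guacd
    10657    35M    0.0  0.4    37  00:00.80  guacd
    10662    40M    0.0  0.5    37  00:00.77  guacd
    10663    65M    0.4  0.8    37  00:01.58  guacd
    10668    53M    8.5  0.7    37  00:02.23  guacd
"""

# Constructed sample: the memory line of "diagnose sys top" from this page.
TOP_HEADER_SAMPLE = "30U, 0N, 23S, 35I, 0WA, 0HI, 12SI, 0ST; 7980T, 881F"

# RSS suffix to megabytes; a bare number is treated as bytes (assumption).
_SIZE_TO_MB = {"": 1 / 1048576, "K": 1 / 1024, "M": 1.0, "G": 1024.0}


@dataclass
class Proc:
    pid: int
    rss_mb: float
    cpu_pct: float
    mem_pct: float
    name: str


def parse_rss_mb(token):
    """Convert a top-summary RSS token such as '75M' or '1G' to megabytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised RSS value: {token!r}")
    value, unit = m.groups()
    return float(value) * _SIZE_TO_MB[unit]


def parse_top_summary(text, name="guacd"):
    """Return one Proc per individual process row whose NAME equals `name`."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "PID":
            continue  # blank line or column header
        if fields[0] == "*":
            continue  # aggregate row ("guacd [x33]") rolls up the rows below
        pid, rss, cpu, mem, _fds, _time, *rest = fields
        if " ".join(rest) != name:
            continue
        procs.append(Proc(int(pid), parse_rss_mb(rss), float(cpu), float(mem), name))
    return procs


def summarize(procs):
    """Count, total/average/peak RSS (MB) and summed CPU% of the processes."""
    rss = [p.rss_mb for p in procs]
    return {
        "count": len(procs),
        "total_rss_mb": sum(rss),
        "avg_rss_mb": sum(rss) / len(rss) if rss else 0.0,
        "max_rss_mb": max(rss, default=0.0),
        "total_cpu_pct": sum(p.cpu_pct for p in procs),
    }


def parse_top_memory(header_line):
    """Read '...; 7980T, 881F' as (total MB, free MB); T=total, F=free is an assumption."""
    m = re.search(r"(\d+)T,\s*(\d+)F", header_line)
    if not m:
        raise ValueError("no T/F memory fields found in header line")
    return int(m.group(1)), int(m.group(2))


def web_mode_capacity(total_mb, free_mb, per_user_mb=100.0, headroom_fraction=0.25):
    """Rough web mode user limits from the article's ~100 MB per user estimate.

    max_users: users that fit in total memory after reserving headroom_fraction
               for the rest of the system (0.25 is an illustrative assumption).
    more_users_now: additional users that fit in the memory currently free.
    """
    budget_mb = total_mb * (1.0 - headroom_fraction)
    return {
        "max_users": int(budget_mb // per_user_mb),
        "more_users_now": int(free_mb // per_user_mb),
    }


if __name__ == "__main__":
    stats = summarize(parse_top_summary(TOP_SUMMARY_SAMPLE))
    total_mb, free_mb = parse_top_memory(TOP_HEADER_SAMPLE)
    print(stats)
    print(web_mode_capacity(total_mb, free_mb))
```

Run it against a pasted copy of the real CLI output to see how far the current guacd footprint is from the device's memory budget; the average RSS it reports is the number to compare against the 30-90 MB idle and 100-150 MB loaded figures quoted in this article.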

Solution
Solutions to avoid high CPU or memory usage are to:

- Use tunnel mode.
- Limit the number of web mode connections.

Because of the resources it requires, web mode is not intended for large-scale or long-term use.
In the long term, SSL VPN clients should be configured to use SSL VPN tunnel mode.
For example, remote users can download FortiClient via SSL VPN web mode and then connect via tunnel mode.


Note.

It is planned to improve this design limitation in future releases.
