Created on 03-20-2020 05:04 AM Edited on 06-09-2022 09:20 PM By Anonymous
Description
This article explains why SSL VPN in web mode uses many CPU cycles or allocates a high amount of memory.
Using SSL VPN in web mode is expected to allocate a lot of CPU and memory resources.
The SSL VPN web mode was designed as a short term fall back solution, in case SSL VPN tunnel mode cannot be used.
A high resource allocation occurs due to the "guacd" process that needs to parse the configured protocols (such as RDP or HTTPS) into an HTML5 stream in order to present them to the client. This process of converting other protocols into images is very resource intensive in terms of CPU and memory.
The performance of the guacd process can be observed with several commands, for example:
# diagnose sys top-summary
# diagnose sys top
These commands for listing active processes show that a lot of CPU or memory is used by the guacd processes.
In this case migrate the users to tunnel mode instead and limit the number of SSL VPN web mode users.
Each process will allocate by default about 30-90 MB and under load up to 150 MB or more.
An example output of:
# diagnose sys top-summary
PID RSS CPU% ^MEM% FDS TIME+ NAME
* 195 1G 39.7 14.8 862 00:51.36 guacd [x33]
10624 75M 12.7 0.9 37 00:07.89 guacd
10626 41M 0.2 0.5 37 00:01.15 guacd
10627 53M 0.2 0.7 37 00:01.82 guacd
10628 29M 0.0 0.4 37 00:00.49 guacd
10629 62M 0.2 0.8 37 00:02.97 guacd
10630 42M 0.4 0.5 37 00:00.85 guacd
10641 59M 0.4 0.7 37 00:01.65 guacd
10657 35M 0.0 0.4 37 00:00.80 guacd
10662 40M 0.0 0.5 37 00:00.77 guacd
10663 65M 0.4 0.8 37 00:01.58 guacd
10668 53M 8.5 0.7 37 00:02.23 guacd
8634 27M 0.0 0.4 31 00:00.25 guacd
10685 30M 0.2 0.4 37 00:00.57 guacd
10696 28M 0.0 0.4 37 00:00.47 guacd
10698 32M 1.8 0.4 37 00:00.46 guacd
3151 30M 0.0 0.4 31 00:00.27 guacd
10704 28M 3.9 0.4 37 00:00.52 guacd
10703 33M 1.1 0.4 37 00:00.39 guacd
10590 41M 0.0 0.5 37 00:01.13 guacd
10591 51M 0.2 0.6 37 00:01.18 guacd
10592 46M 0.2 0.6 37 00:01.12 guacd
10595 61M 0.0 0.8 37 00:01.64 guacd
10600 54M 0.2 0.7 37 00:01.49 guacd
10603 79M 0.4 1.0 37 00:03.98 guacd
10604 35M 0.2 0.4 37 00:00.58 guacd
10606 47M 1.1 0.6 37 00:01.50 guacd
10607 79M 2.4 1.0 37 00:02.65 guacd
10608 40M 0.0 0.5 37 00:00.93 guacd
10609 85M 1.1 1.1 37 00:02.75 guacd
10612 31M 0.0 0.4 37 00:00.55 guacd
10614 67M 2.2 0.8 37 00:02.49 guacd
10623 66M 1.7 0.8 37 00:03.98 guacd
An example output of:
# diagnose sys top
Run Time: 23 days, 21 hours and 51 minutes
30U, 0N, 23S, 35I, 0WA, 0HI, 12SI, 0ST; 7980T, 881F
guacd 30909 R 85.0 1.1
guacd 30139 S 2.0 1.1
guacd 30592 S 2.0 1.0
guacd 30724 S 1.0 1.1
guacd 30672 S 1.0 1.1
guacd 30177 S 1.0 1.1
guacd 30884 S 1.0 0.4
guacd 30315 S 0.0 1.1
guacd 30127 S 0.0 1.1
guacd 30115 S 0.0 1.1
guacd 30023 S 0.0 1.1
guacd 30078 S 0.0 1.1
guacd 30298 S 0.0 1.1
guacd 30006 S 0.0 1.1
guacd 30260 S 0.0 1.1
guacd 30218 S 0.0 1.1
guacd 30179 S 0.0 1.1
guacd 30039 S 0.0 1.1
guacd 30568 S 0.0 1.1
guacd 30351 S 0.0 1.1
guacd 30380 S 0.0 1.1
guacd 30355 S 0.0 1.1
guacd 30331 S 0.0 1.1
guacd 30128 S 0.0 1.0
guacd 30259 S 0.0 1.0
guacd 30300 S 0.0 1.0
guacd 30229 S 0.0 1.0
guacd 30040 S 0.0 1.0
guacd 30936 S 0.0 1.0
guacd 30545 S 0.0 1.0
guacd 30053 S 0.0 1.0
guacd 30444 S 0.0 1.0
guacd 30940 S 0.0 1.0
guacd 30370 S 0.0 0.9
As a rough estimate each SSL VPN web mode user will allocate around 100 MB of memory when the process is under load.
This usage depends on the traffic, the processed protocol types, the screen resolution of the client, etc.
Depending on the total memory of the device the limits for the maximum amount of SSL VPN web users may therefore vary.
Be aware that this is not a memory leak but expected behaviour.
The guacd processes simply require resources to parse and convert the traffic into HTML5.
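The checks described above (watching per-process guacd usage in the command output and sizing web mode capacity from the rough 100 MB per user figure) can be scripted so that a monitoring job raises an alert before the device runs short of memory. The following Python is an added example and is not code from the article or from Fortinet. It parses the same row layouts the two commands print, embedding a constructed subset of the article's own output as sample input, and assumes that the "7980T" value in the diagnose sys top header is the total memory in MB and that half of the memory should stay reserved for the rest of the firewall (both are assumptions for this example, not values stated by the article).

```python
"""Summarise guacd resource usage from FortiGate 'diagnose sys top-summary'
and 'diagnose sys top' output. Added example, not part of the Fortinet article."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the article's top-summary output. The row that
# starts with '*' is the aggregate for all guacd processes and must not be
# counted a second time.
SAMPLE_TOP_SUMMARY = """\
PID RSS CPU% ^MEM% FDS TIME+ NAME
* 195 1G 39.7 14.8 862 00:51.36 guacd [x33]
10624 75M 12.7 0.9 37 00:07.89 guacd
10626 41M 0.2 0.5 37 00:01.15 guacd
10627 53M 0.2 0.7 37 00:01.82 guacd
10628 29M 0.0 0.4 37 00:00.49 guacd
10629 62M 0.2 0.8 37 00:02.97 guacd
"""

# Constructed sample: a subset of the article's 'diagnose sys top' output.
SAMPLE_TOP = """\
Run Time: 23 days, 21 hours and 51 minutes
30U, 0N, 23S, 35I, 0WA, 0HI, 12SI, 0ST; 7980T, 881F
guacd 30909 R 85.0 1.1
guacd 30139 S 2.0 1.1
guacd 30884 S 1.0 0.4
"""

# top-summary rows: PID RSS CPU% MEM% FDS TIME+ NAME
_SUMMARY_ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<rss>\d+(?:\.\d+)?)(?P<unit>[KMG])\s+(?P<cpu>\d+\.\d+)\s+"
    r"(?P<mem>\d+\.\d+)\s+(?P<fds>\d+)\s+(?P<time>\S+)\s+(?P<name>\S+)"
)
# top rows: NAME PID STATE CPU% MEM%
_TOP_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z<>]+)\s+(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)$"
)
# Assumption: the 'NNNNT' field of the top header is total memory in MB.
_TOTAL_MEM = re.compile(r";\s*(?P<total>\d+)T,\s*(?P<free>\d+)F")
_UNIT_MB = {"K": 1 / 1024, "M": 1.0, "G": 1024.0}


@dataclass
class Proc:
    pid: int
    name: str
    rss_mb: float
    cpu_pct: float


def parse_top_summary(text: str) -> List[Proc]:
    """One Proc per real process row; the header and the '*' aggregate row are skipped."""
    procs = []
    for line in text.splitlines():
        m = _SUMMARY_ROW.match(line.strip())
        if not m:
            continue
        procs.append(Proc(int(m["pid"]), m["name"],
                          float(m["rss"]) * _UNIT_MB[m["unit"]], float(m["cpu"])))
    return procs


def parse_top(text: str) -> List[Proc]:
    """Rows of 'diagnose sys top' carry MEM% only, so MB is derived from the header total."""
    total_mb = None
    procs = []
    for line in text.splitlines():
        hdr = _TOTAL_MEM.search(line)
        if hdr:
            total_mb = float(hdr["total"])
            continue
        m = _TOP_ROW.match(line.strip())
        if m and total_mb is not None:
            procs.append(Proc(int(m["pid"]), m["name"],
                              float(m["mem"]) * total_mb / 100.0, float(m["cpu"])))
    return procs


def guacd_summary(procs: List[Proc], rss_limit_mb: float = 150.0) -> Dict:
    """Count guacd processes, total their RSS and CPU, and list PIDs above the per-process limit."""
    g = [p for p in procs if p.name == "guacd"]
    return {
        "count": len(g),
        "total_rss_mb": sum(p.rss_mb for p in g),
        "cpu_pct": sum(p.cpu_pct for p in g),
        "above_limit": [p.pid for p in g if p.rss_mb > rss_limit_mb],
    }


def estimated_web_users(total_mem_mb: float, per_user_mb: float = 100.0,
                        reserve_fraction: float = 0.5) -> int:
    """Capacity estimate: web mode sessions that fit after reserving memory for the firewall."""
    budget = total_mem_mb * (1.0 - reserve_fraction)
    return int(budget // per_user_mb)


if __name__ == "__main__":
    print(guacd_summary(parse_top_summary(SAMPLE_TOP_SUMMARY)))
    print(guacd_summary(parse_top(SAMPLE_TOP)))
    print("estimated web mode users on 7980 MB:", estimated_web_users(7980))
```

In a monitoring job the two sample strings would be replaced by the output collected from the CLI, and an alert would be raised when "count" approaches the capacity figure from estimated_web_users or when "above_limit" is non-empty; the reserve fraction and the 100 MB per user figure are tuning knobs that should be adjusted to the observed usage on the device.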
Solution
Solutions to avoid a high usage of CPU or memory are to:
- Use tunnel mode.
- Limit the number of web mode connections.
Due to the required resources this feature is not intended for large scale or long term use.
Long term, these SSL VPN clients should be configured to use the SSL VPN tunnel mode.
For example, remote users can download FortiClient via SSL VPN web mode and then connect via tunnel mode.
Note.
It is planned to improve this design limitation in future releases.