Why is the ProxySG performing poorly with high CPU utilization and "TCP in Livelock" messages in the Event Log?
Livelocks will happen when an interface becomes so saturated with packets that the ProxySG is unable to keep up. For the interface to become saturated, it takes more than a high volume of legitimate connections, it usually involves a network loop. For example, if a policy forwards traffic from proxy 'A' to proxy 'B', and proxy 'B' is configured to forward to proxy 'A', that will generate a loop that will most likely cause one of the interface to go in livelock mode until traffic quiets down.
A routing loop can also be the cause of a livelock. This is far more likely to happen when the proxy is inline on the network. If the proxy is installed between two redundant switches and spanning tree is disable, it could create a network loop. Other possible causes could be denial of service attacks (ping floods for example).
To best way to troubleshoot a livelock issue is to take a packet capture and look for symptoms. Here are a few common symptoms
Lots of duplicate packets (SYN packets are seen more than one) are a good indication that there is a loop on the network
Lots of SYN packets from the same source IP address, on many different destination ports usually indicate that a denial of service attack
Lots of http connections from the same source IP that seems to keep authenticating over and over can mean that a workstation is configured to ignore cookies. This would cause the ProxySG to keep authenticating the same connection non-stop and go into a loop that can result in a livelock (as well as a high CPU usage)
If you have a deployment where a child ProxySG is forwarding all requests to a parent ProxySG then you may be encountering a forwarding loop.
The child ProxySG may have policy similar to the following:
This means all requests will be forwarded to the parent ProxySG.
You may encounter a forwarding loop if a parent ProxySG (or upstream client) sends a request to the child ProxySG because it will be immediately forwarded to the parent, which sends it back to the child, which is sent back to the parent and the process repeats. The symptoms are extreme slowness, high CPU and possibly TCP LiveLock messages in the Event Log.
Policy suggestions to prevent this:
Only forward requests if they come from IP addresses on the child ProxySG network.
Consider creating a policy to Deny connections from any parent proxies.
Imported Document ID: 000013553
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.