High CPU usage on ProxySG when used behind a Load Balancer.

Article ID: 169855


Products

Advanced Secure Gateway Software - ASG, ASG-S200, ASG-S400, ASG-S500, SG-300, SG-600, Intelligence Services, SG-510, SG-9000, SG-900, SG-S500, SG-S400, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

Edge SWG (ProxySG) is experiencing high CPU loads even though throughput on the device is relatively low.

Environment

Multiple Edge SWGs (ProxySG) sitting behind a load balancer and configured to share connections using a round robin algorithm.

Cause

Lack of affinity on the load balancers.

Resolution

Analysis showed that the SSL session cache on the Edge SWGs (ProxySG) was full. Further analysis showed that the cache was filling up because the load balancers were not sending users back to the same Edge SWG (ProxySG), but moving them from one proxy to another. As a result, the Edge SWG (ProxySG) continuously had to both create new entries in the SSL session cache and complete a full SSL handshake instead of resuming with the Session ID, as the original entries are invalidated once the user is moved to a different Edge SWG (ProxySG).

The SSL session cache is used to help reduce CPU load on the Edge SWG (ProxySG). However, it relies heavily on each connection being uniquely identified (by the session ID) and reused (see RFC 5246 for details on Session ID). If the load balancers move users between proxies, the efficiency of the session cache is negated, which results in higher CPU usage and slower browsing speeds for the users.

To prevent this, load balancers should be configured so that the same user is always sent to the same Edge SWG (ProxySG) for as long as possible.

Currently the size of the SSL session cache is fixed and based on the specific model of Edge SWG (ProxySG): the amount of memory dedicated to the SSL session cache depends on the amount of memory the Edge SWG (ProxySG) has installed. For example, an S500-10 will have approximately 110K of memory assigned to the session cache, whereas the S500-30 will have approximately 220K.

Entries in the session cache have a time to live of 1 hour; again, this setting cannot be modified.
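
The following is an added illustration, not Broadcom code or measured ProxySG data: a small Python model of the behaviour described above, comparing round robin with source-IP affinity across several proxies that each hold a fixed-size session cache. The client count, proxy count, cache capacity, LRU eviction and the CRC32 source hash are all assumptions chosen for the example.

```python
# Added illustration: constructed model, not ProxySG code or measurements.
import itertools
import zlib
from collections import OrderedDict


class Proxy:
    """One proxy with a fixed-size TLS session cache (LRU eviction is assumed)."""

    def __init__(self, capacity):
        self.cache = OrderedDict()          # session ID -> cached session state
        self.capacity = capacity
        self.full = self.resumed = self.evicted = 0

    def connect(self, offered_id, new_id):
        """Return the session ID the client holds after this connection."""
        if offered_id in self.cache:        # ID known here: abbreviated handshake
            self.cache.move_to_end(offered_id)
            self.resumed += 1
            return offered_id
        self.full += 1                      # unknown ID: full handshake, new entry
        self.cache[new_id] = True
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)  # cache full: drop the oldest entry
            self.evicted += 1
        return new_id


def simulate(policy, clients=200, proxies=3, rounds=20, capacity=500):
    """Each client reconnects once per round; all rounds fall inside the 1-hour TTL."""
    pool = [Proxy(capacity) for _ in range(proxies)]
    rr = itertools.cycle(range(proxies))
    ids = itertools.count(1)
    held = {}                               # client -> session ID it will offer next
    for _ in range(rounds):
        for c in range(clients):
            if policy == "round_robin":
                idx = next(rr)              # no affinity: next proxy in turn
            else:                           # affinity: stable hash of the source IP
                idx = zlib.crc32(f"10.0.0.{c + 1}".encode()) % proxies
            held[c] = pool[idx].connect(held.get(c), next(ids))
    return {k: sum(getattr(p, k) for p in pool) for k in ("full", "resumed", "evicted")}


if __name__ == "__main__":
    for policy in ("round_robin", "source_hash"):
        print(policy, simulate(policy))
```

With these constructed inputs, round robin turns every one of the 4000 connections into a full handshake and overflows all three caches, while source affinity needs only one full handshake per client and never fills a cache.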