ProxySG/ASG responding slowly with user traffic after 6.7.x upgrade
Last Updated March 01, 2019
ProxySG/ ASG may respond slowly 6.7.x upgrade for the first time. But without any configuration change when downgraded back to older SGOS (i.e 6.5.x or 6.6.x ) version this issue is resolved.. This is observed when ProxySG / ASG has an active network interface (NIC) where use traffic is intercepted and the manufacturer of that NIC in 'Intel' and one of the following conditions are true
one or more VLAN is configured on that NIC.
that interface intercepts packet transparently (i.e WCCP / PBR) and has bypass packets.
that interface is used for bridging packets (i.e interface is a member of passthru).
This problem is observed due to incorrect LRO (large receive offload) on VLAN , bypass & bridged packets by the Intel NIC card driver. LRO is a new feature of SGOS 6.7.x and enabled by default upon SGOS 6.7.x upgrade . More information on LRO can be found here.
This is a known bug # 258918 . More information can be found under latest release notes of SGOS 6.7.x . Also release notes from Intel can be found here , which confirms LRO is incompatible with "routing/ip forwarding , bridging".
Bug # 258918 has been addressed on SGOS 220.127.116.11 and later SGOS versions. On these SGOS version CLI command has been added to make LRO as a configurable option. After upgrading on these SGOS version to obtain this fix , apply below CLI commands
#conf t #(config)tcp-ip tcp-lro disable
Note - This CLI command is a 'hidden CLI command' and will not be displayed under available CLI commands with '?' when this change is made to SG, it is stored in configuration permanently and preserved upon reboot or upgrade to higher SGOS versions.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe