[FW1] HTTP Security Servers consuming all CPU, out of the blue



Beginning this week I have a problem on our two gateways.

Out of the blue, the HTTP security servers will begin consuming all
available CPU on the gateways. This happens at peak browsing times in the
company (around lunch time). Performance drops to the point that browsing
becomes impossible, with the infamous "fw1 cannot connect to www server"
messages being displayed. What I found alarming was that it hit our
European gateway early in the morning (USA time, afternoon their time) and
then hit our USA gateway mid-day that same day.

Both gateways are running FW-1 4.1 SP3 on NT 4.0 SP6a. The gateways are
Compaq dual 500 MHz with 512 MB RAM. I have increased the number of security
servers from 1 to 2 by adding "80 in.ahhttpd wait -2" to fwauthd.conf, and
also increased the http_buffer_size (16384) in objects.c per a performance
tuning guideline from Check Point. Still the problem continues.

I do run several rules that invoke the security servers via http->URI
resources to check for things like Code Red and filter out streaming media
files. But I've been running these same rules for weeks/years so I'm
puzzled why now all of a sudden the problems are arising. Looking at
performance logs I cannot discern any increase in packets being processed
by the firewall so I don't think it is due to higher loads being placed on
the firewalls than in the past. I'm not saying it isn't, but I can't see it
with the performance data I have captured. The only way I've been able to
keep the firewalls running is to disable these rules. The number of
connections averages about 800-1000 without the http->URI resource rules
and 1900-2300 with the rules.

Any suggestions on how to further troubleshoot?


----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:



 