06-17-2009, 03:55 PM
Senior Member
Join Date: Jun 2004
Location: Germany
Posts: 157
[ASG 7.304] Timeouts in Webadmin; machine overloaded?
Hello,
I have one Astaro, running ASG v7.403. It's a normal desktop-pc with a Pentium 4 (3,2 GHz), and 3 GB RAM (currently, about 35% RAM in use). (single harddrive, no RAID) It never swaps. Nevertheless, it looks like it's sometimes overloaded.
Occasionally, I get the message "Do you want the current request to be aborted?" When that happens, the WebAdmin shows a cpu-load of more than 90%.
I started an ssh-session and launched "atop", which sometimes shows the CPU-loads in red.
Here's an overview of the configuration:
- This machine has been running since 2005 (or longer)
- 5 physical network interfaces
- almost no remote users (only admins) normally not more than 2 admins logged in at the same time.
- 988 host definitions, 245 service definitions
- 161 packet filter rules
- 2 active Masquerading rules, 31 active NAT rules
- IPS active with 4140 of 7059 patterns
- Watching 1 local network with about 250 nodes
- Anti-DoS/Flooding active: "Use TCP SYN Flood Protection" only
- Anti-Portscan active, action: drop traffic, limit logging
- 11 HTTP Servers, 3 DNS server and 3 SMTP servers registered under IPS / Advanced
- No modified IPS rules
- SMTP proxy active, but no anti-virus or anti-spam. All mails (if any) are cached and forwarded to another machine for filtering. Normally, the dashboard shows: "0 emails processed".
- Web proxy active. 7 HTTP/S profiles + default profile
- VoIP and IM/P2P-Security is off.
- 3 IPSec Site2site VPN-connections, no SSL Site2site-VPN
- 171 local users (used mainly for PPTP-VPN); normally never more than 5 concurrent PPTP-connections
- IPSec VPN, OpenVPN and PPTP daemon logs are transmitted to remote syslog server
Statistics for today show: (it's 16:25 now, working hours are almost over for most employees)
- 53 600 packets filtered
- 4 100 URLs filtered; 287 475 http-requests served today
Is that too much for this machine?
What could I do to substantially reduce the load on the server?
I have 75 packet filter rules for the VPN-users to make sure they can only reach those machines which are needed. Of course, everything else is blocked. Would it help to create some groups under Users / Groups and use these groups for the packet filter rules? I estimate that I could reduce the 75 rules to 25.
If anybody has some more ideas, I'd really appreciate that.
Would it help to replace the normal harddrive with a RAID 0?
Or do I need a faster server?
Hon.
__________________
2 ASG-110-devices with ASG 7.306, 1 ASG-220-device, 2 Standard-PCs and 1 Dell PowerEdge 750 running ASG 7.500 * Licenses for 2030 Users + 1 unlimited License.

06-17-2009, 06:36 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,339
On the 'Global' tab of 'Intrusion Protection' what do you have in 'Local networks'?
The next time you get a heavy load, SSH into the box, run top and touch M< (uppercase "m" then shift ",") to have the busiest process listed at the top.
Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Last edited by BAlfson; 06-17-2009 at 11:03 PM.
Reason: BarryG caught me goofing up again! (see next post)

06-17-2009, 10:33 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,127
M sorts by memory usage.
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x - ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
- ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
- ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb

06-18-2009, 01:39 AM
Wizard
Join Date: Jul 2006
Location: United States
Posts: 619
Special shortcut by bob, m for memory and then < to move it one field over for cpu but all that matters is that it works
Last edited by Billybob; 06-18-2009 at 02:06 AM.

06-18-2009, 09:33 AM
Senior Member
Join Date: Jun 2004
Location: Germany
Posts: 157
Quote:
Originally Posted by BAlfson
On the 'Global' tab of 'Intrusion Protection' what do you have in 'Local networks'?
The next time you get a heavy load, SSH into the box, run top and touch M< (uppercase "m" then shift ",") to have the busiest process listed at the top.
I just learned something new! In top, you can type "O" (capital o) to get a "sort-order-menu". Then type "k" + [Return] to sort by cpu-usage. But that's the default sort order anyway, so there's no need to do that.
Well, "M" + "<" doesn't seem to work for me.
The network watched by IPS is the network of the "Internal" interface. It's a Class B network but there are only about 250 nodes in it. OTOH, there are thousands of nodes in other locations of our company so sometimes, there's a lot of traffic to watch over ...
[Update] O.k., now the cpu is sweating again and top says mdw_daemon.ply and confd.plx are each eating more than 40%. All I did was delete some (about 10) network-definitions and change some comments. But that's more than 2 hours ago. There are no other ASG-admins logged in WebAdmin right now and the "w" and "who" commands say there's nobody logged in on this machine other than me.
Hon
__________________
2 ASG-110-devices with ASG 7.306, 1 ASG-220-device, 2 Standard-PCs and 1 Dell PowerEdge 750 running ASG 7.500 * Licenses for 2030 Users + 1 unlimited License.
Last edited by thtran; 06-18-2009 at 09:39 AM.

06-18-2009, 01:39 PM
Moderator
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,339
It doesn't seem possible that the CPU load was caused by what you did two hours earlier. I'll be interested to learn what Astaro says is the fix for this.
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

06-22-2009, 11:32 AM
Senior Member
Join Date: Jun 2004
Location: Germany
Posts: 157
Update: I've found something else: Uptime of this machine is 8 days. I started top and sorted by CPU-time. It says:
Code:
660:06 mdw_daemon.plx
92:52 acc-agent.plx
81:06 dns-resolver.pl
57:30 snort_inline
47:14 confd.plx
44:20 aua_edirsync.pl
29:49 selfmonng.plx
19:34 syslog-ng
18:59 ulogd
12:21 confd.plx
11:10 httpproxy
I'll contact our Astaro-support. But I'd appreciate it if some other Astaro-admins told me how much CPU-time your Astaros are using for "mdw_daemon.plx" and how many definitions you have.
Hon.
__________________
2 ASG-110-devices with ASG 7.306, 1 ASG-220-device, 2 Standard-PCs and 1 Dell PowerEdge 750 running ASG 7.500 * Licenses for 2030 Users + 1 unlimited License.

06-22-2009, 09:30 PM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,127
7.402, up 13 days, not many definitions, not using proxies except SOCKS, LOTS of P2P traffic:
649:37.64 afcd
311:48.95 snort_inline
135:30.79 selfmonng.plx
35:31.98 ulogd
32:08.89 smtpd.bin
12:39.13 dns-resolver.pl
9:18.73 postgres
...
0:47.69 mdw_daemon.plx
CPU is 1.6GHz single core Atom with HT on.
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x - ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
- ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
- ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb
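
Added example, not part of any post in this thread: cumulative CPU times from boxes with different uptimes only compare once they are divided by uptime, so this sketch turns the two listings above into an average share of one CPU per process. It assumes the figures are top's minutes:seconds format and uses the whole-day uptimes the posters gave (8 and 13 days), so the results are approximate; the function names are made up for this example.

```python
from collections import defaultdict


def cpu_seconds(field):
    """Convert top's minutes:seconds[.hundredths] CPU time to seconds."""
    minutes, _, seconds = field.partition(":")
    return int(minutes) * 60 + float(seconds)


def cpu_share(listing, uptime_days):
    """Return {process: average fraction of one CPU used since boot}."""
    totals = defaultdict(float)
    for line in listing.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[0]:
            continue  # skip "..." and anything that is not "TIME NAME"
        # The same name can appear on several rows (confd.plx does), so sum.
        totals[parts[1]] += cpu_seconds(parts[0])
    uptime = uptime_days * 86400
    return {name: secs / uptime for name, secs in totals.items()}


# Listings copied from the two posts above.
HON = """
660:06 mdw_daemon.plx
92:52 acc-agent.plx
81:06 dns-resolver.pl
57:30 snort_inline
47:14 confd.plx
44:20 aua_edirsync.pl
29:49 selfmonng.plx
19:34 syslog-ng
18:59 ulogd
12:21 confd.plx
11:10 httpproxy
"""
BARRY = """
649:37.64 afcd
311:48.95 snort_inline
135:30.79 selfmonng.plx
35:31.98 ulogd
32:08.89 smtpd.bin
12:39.13 dns-resolver.pl
9:18.73 postgres
...
0:47.69 mdw_daemon.plx
"""

if __name__ == "__main__":
    for label, text, days in (("Hon", HON, 8), ("Barry", BARRY, 13)):
        shares = cpu_share(text, days)
        for name, share in sorted(shares.items(), key=lambda kv: -kv[1])[:3]:
            print(f"{label:6} {name:18} {share:8.3%}")
```
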