High CPU with DPI-SSL
Hi,
I am experiencing a CPU bottleneck with DPI-SSL on the TZ300W and TZ400, which causes issues on VoIP and slowdowns on RDP through site-to-site VPN.
I would like to know if everybody gets that.
You must exclude only banks from DPI-SSL; all services are activated in DPI-SSL inspection. (Also do not limit the max connections of DPI-SSL; leave the default of 25000.)
To see the issue, you take some PCs (like 2 to 6).
You have to set 3 default start pages on each PC (Msn.com, Yahoo.com, YouTube.com).
Then you start Edge on all computers at the same time. Then the CPU goes fully high, and you get VoIP issues and slowdowns on RDP through VPN.
FW: 6.5.4.5-53n--HF222458-6n, but I have seen that also on most older firmware.
Answers
Hello @Peterbob9,
I checked internally based on DTS# 222458, and yes, we have a few customers seeing this problem across different platforms. We have taken care of major DPI-SSL related problems on 6.5.4.5 through HF versions, but all of that is getting consolidated and scheduled to be fixed in the next release, 6.5.4.6.
This version is already in beta and would be web-posted pretty soon. So, please stay tuned for that.
I would also like to add that while using DPI-SSL, the firewall needs to perform an SSL proxy for any SSL connection on any port, increasing the CPU usage, and we have had substantial growth in the number of connections that we support in the 6.5 era.
We are already working on this and you should be able to test it out pretty soon on the 6.5.4.6 version.
Thanks and have a good one!
Shipra Sahu
Technical Support Advisor, Premier Services
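To make the advisor's point measurable (every TLS flow on any port is terminated by the proxy, so load follows concurrent proxied sessions and the rate of new handshakes, not the 25000 connection cap the OP leaves at default), here is an added example that is not from the thread or from SonicWall. The log format, hostnames and timings are constructed to mirror the OP's reproduction (several PCs opening MSN, Yahoo and YouTube at once, with only a bank excluded); it is not SonicWall log output.

```python
"""Estimate DPI-SSL proxy load from a burst of browser start-page connections.

Added example, not from the forum thread or from SonicWall. The log format,
hostnames and timings are constructed. It counts the flows a TLS-inspecting
proxy would terminate (TLS on any port, minus an exclusion list), the peak
number of simultaneously proxied sessions, and the peak rate of new sessions,
which is where handshake CPU cost concentrates.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed connection log (not SonicWall output):
# start end destination-host destination-port protocol
SAMPLE_LOG = """\
2021-10-29T09:00:00 2021-10-29T09:00:05 www.msn.com 443 tls
2021-10-29T09:00:00 2021-10-29T09:00:03 static.msn.com 443 tls
2021-10-29T09:00:01 2021-10-29T09:00:04 www.yahoo.com 443 tls
2021-10-29T09:00:01 2021-10-29T09:00:06 www.youtube.com 443 tls
2021-10-29T09:00:02 2021-10-29T09:00:03 i.ytimg.com 443 tls
2021-10-29T09:00:02 2021-10-29T09:00:10 ocsp.example-ca.test 80 plain
2021-10-29T09:00:02 2021-10-29T09:00:08 online.examplebank.test 443 tls
2021-10-29T09:00:05 2021-10-29T09:00:09 mail.example.test 8443 tls
"""

DEFAULT_MAX_CONNECTIONS = 25000  # the DPI-SSL default the OP leaves in place


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    host: str
    port: int
    proto: str


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed whitespace-separated log, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, host, port, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(start),
                          datetime.fromisoformat(end), host, int(port), proto))
    return flows


def inspected_flows(flows, excluded_hosts=frozenset()):
    """Flows the proxy actually terminates: TLS on any port, minus exclusions."""
    return [f for f in flows if f.proto == "tls" and f.host not in excluded_hosts]


def peak_concurrency(flows):
    """Sweep-line over start/end events; returns (peak, time the peak is reached).
    An end and a start at the same instant do not overlap (-1 sorts before +1)."""
    events = [(f.start, +1) for f in flows] + [(f.end, -1) for f in flows]
    live = peak = 0
    at = None
    for t, delta in sorted(events):
        live += delta
        if live > peak:
            peak, at = live, t
    return peak, at


def peak_new_sessions_per_second(flows):
    """Most sessions opened within any one-second bucket: each new proxied
    session costs a full TLS handshake on the firewall, so this is the burst
    indicator, independent of how long the sessions then stay open."""
    if not flows:
        return 0
    buckets = Counter(f.start.replace(microsecond=0) for f in flows)
    return max(buckets.values())


def report(text, excluded_hosts=frozenset(), max_connections=DEFAULT_MAX_CONNECTIONS):
    """Summarise proxied load for one log, optionally with hosts excluded."""
    flows = inspected_flows(parse_log(text), excluded_hosts)
    peak, at = peak_concurrency(flows)
    return {
        "proxied_flows": len(flows),
        "peak_concurrent_tls": peak,
        "peak_at": at.isoformat() if at else None,
        "peak_new_sessions_per_sec": peak_new_sessions_per_second(flows),
        "pct_of_connection_limit": round(100 * peak / max_connections, 3),
    }


if __name__ == "__main__":
    for label, excl in (("no exclusions", frozenset()),
                        ("bank excluded", frozenset({"online.examplebank.test"}))):
        print(label, report(SAMPLE_LOG, excl))
```

Run against a real connection export, the two numbers separate the cases: a peak well under the connection limit but a high new-sessions-per-second figure means the firewall is handshake-bound rather than connection-table-bound, which is what a simultaneous browser start across several PCs produces. Comparing the report with and without an exclusion set shows how much load a given exclusion actually removes.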
Hello @Peterbob9,
6.5.4.6-79n is webposted as a maintenance release. I am attaching the release notes for your reference.
Also, attaching the KB for firmware upgrade procedure.
Feel free to test it out and let us know how it goes!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks, yes.
I already installed it on 1x TZ400 yesterday.
But I didn't have time to test it; I should do it this weekend.
Perfect! Let us know how it goes!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Peterbob9
Check my tests, running on a TZ 400 as well; do your results differ?
--Michael@BWC
Hi Jason_Faiferlick,
I have tested it on my only TZ400 (6.5.4.6-79n) on a 30/30 ISP Internet connection.
Because I don't have more than a 30 Mb ISP connection on my TZ400,
I will not be able to compare with you.
But I see that with DPI-SSL activated (and all other security services activated),
doing a speed test makes my CPU go to 70% on 3 cores.
Without DPI-SSL, CPU goes to 20% on 3 cores.
And this test was done on ONLY ONE COMPUTER.
I will test this soon on a TZ300W with a higher Internet speed.
I have a VERY LONG and PAINFUL story. But I will try to keep it short.
We, too, have this problem. We purchased the biggest SonicWall they had to offer at the time, which was the NSA-5600.
Ran GREAT for years, until they rolled out any version of their SonicOS above firmware version 6.2.9.3-26n.
On the NSA-5600, we downgraded it backwards to version 6.2.9.3-26n to make it work again.
Version 6.2.9.3-26n worked PERFECTLY and CONSISTENTLY. I tried every single version above it, and ALL 10 CORES PEGGED at 100% and Internet didn't just slow down, IT STOPPED DEAD! So I would always have to put version 6.2.9.3-26n back on there, because turning off DPI-SSL was NOT an option.
But then, some CVEs surfaced. But we kept trucking along with version 6.2.9.3-26n because WE DIDN'T HAVE A CHOICE.
After fighting it for a couple of years, a high level engineer gave me some great news. A new BIGGER BETTER FASTER AWESOMER SonicWall was going to be released... The NSA-6700!!
They told me our current unit, the NSA-5600, was just not powerful enough for our 2200 users. And we would need the NSA-6700 to accommodate our needs and the DPI-SSL 100% CPU Utilization issue would be a thing of the past!
Here we are $50,000 in the hole... and guess what??? Yup, ALL CORES on our beautiful new NSA-6700 PEGGED at 100% as soon as DPI-SSL is turned on!!!!
SonicWall Support treats me like I am an idiot, and I must be doing something wrong. Then their Support Techs remote into the box and cannot figure out why it is happening either! But they assure me that we are the only ones with this problem....
As of October 29th, 2021, this is still not resolved! And now we are stuck with $50,000 worth of scrap metal.
Not sure what they changed in their firmware regarding DPI-SSL after version 6.2.9.3-26n, but they junked it up REAL BAD!
SonicWall used to be a name I loved! I slept well at night... When other people told me their horror stories about their LightSpeed unit or Fortinet units, I just smiled because our trusty SonicWall topped them all!
I gave so many good references and referrals.... Now, I feel like they got our money and don't have a single engineer that has time to stop and think for a moment.