cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
296
Views
8
Helpful
7
Replies
netcraftjason
Beginner

CSA Agent impacts the File Server performance.

Hi,

My customer's high loading Windows 2000 file server intends to install a CSA 4.5 Agent. But after installed the agent with either test mode on or off, the users of this file server would complain that the response of it is too slow (i.e. List folders in file server). This file server is in status of quit high loading.

Any solution can Agent works normally with this high-loading Windows 2000 Server w/SP4 machine? Thanks for your help!

7 REPLIES 7
joseph.hamilton
Beginner

http://cisco.com/en/US/products/sw/secursw/ps5057/prod_release_note09186a00804225a0.html#wp115801

CSA 4.5.1 and 5.0 supports Win 2000 Server SP 4. I would check your Agent's polling inerval (Done through the MC by checking Host properties...The polling interval is determined by the groups it belongs to). Also, make sure the connection from the Server to the MC is strong.

tsteger1
Collaborator

What groups is it in? Is it a dual NIC machine? When it is slow, what process do the processes on the server look like (Network, disk or CPU)?

Try removing it from all groups and see if performance improves. Even in test mode, it still has to process rules.

Tom S

netcraftjason
Beginner

Hi All,

Thanks for the reply!

The Server is Windows 2000 Server w/ SP4. The CSA MC is 4.5.1 build 616.

The network traffic between MC and this server is normal. Agent polling interval is 1 hour.

And after stop the CSA service in MMC, the user of this file server report that the response of the action of listing folders and response of the server change to its original "speed". Therefore, I would like to know if the CSA agent engrosses much resources when performing its "scan" at the time someone hit its rule? Thanks!

It depends on what groups and how many rules are in effect. It may be that the server is trying to monitor all those file and resource accesses and that's what is causing the resource drag.

Do you see a lot of events on the MC? I would put the server in a group with no policies and see if performance improves.

If it does, then your rules are what's bogging it down. If it doesn't then it may be the network shim causing the slowdown.

Try it and post the results.

Tom S

Hi,

I could possibly explain that.

August 2005 I discovered same issues on a customer W2k3 Fileservercluster. I have done own LAB research and discovered a bug in 4.5.1.616 (CSCsb97645).

It has to do with the untrusted content policy introduced in version 4.5. There is a bug which does not apply changes to rules classifying untrusted content after generating rules. I had to reboot whole cluster to make changes active. Second bug is concerned nature of handling untrusted content. It`s a matter of design in version 4.5 that especially Fileservers suffer from severe performance hit after a amount of time (several days to 4 weeks, depending on usage) that untrusted content filelist is steadily growing on the Fileserver Agent. Take a look in there and you`ll notice a hugh growing list. Maintaining this list consumes growing system resources to the time Fileserver response times are going down and cpu usage is 100 percent.

Stopping CSA service will solve issue or cleaning untrusted content list in agent(both temporary). These two bugs were verified by Cisco and should be solved in Version 5.x

Tom is right - even in Testmode CSA has to process his ruleset, so this is no solution in this situation.

So, I would recommend to upgrade to upcoming CSA 5.2 as it`s ready. CSA 5.1 is really a good improvement over 4.x in my opinion.

Cheers,

Arne

Hi Arne, thanks for the good info and the news that 5.2 will be available soon.

Tom S

Hi Arne,

Thank you so much for the information!

I will try to remove the Untrusted Content Classification Module from the Application Classification Policy group. And monitor the status. Thank you!

Jason

Best Regard,

Content for Community-Ad