My customer's high loading Windows 2000 file server intends to install a CSA 4.5 Agent. But after installed the agent with either test mode on or off, the users of this file server would complain that the response of it is too slow (i.e. List folders in file server). This file server is in status of quit high loading.
Any solution can Agent works normally with this high-loading Windows 2000 Server w/SP4 machine? Thanks for your help!
CSA 4.5.1 and 5.0 supports Win 2000 Server SP 4. I would check your Agent's polling inerval (Done through the MC by checking Host properties...The polling interval is determined by the groups it belongs to). Also, make sure the connection from the Server to the MC is strong.
What groups is it in? Is it a dual NIC machine? When it is slow, what process do the processes on the server look like (Network, disk or CPU)?
Try removing it from all groups and see if performance improves. Even in test mode, it still has to process rules.
Thanks for the reply!
The Server is Windows 2000 Server w/ SP4. The CSA MC is 4.5.1 build 616.
The network traffic between MC and this server is normal. Agent polling interval is 1 hour.
And after stop the CSA service in MMC, the user of this file server report that the response of the action of listing folders and response of the server change to its original "speed". Therefore, I would like to know if the CSA agent engrosses much resources when performing its "scan" at the time someone hit its rule? Thanks!
It depends on what groups and how many rules are in effect. It may be that the server is trying to monitor all those file and resource accesses and that's what is causing the resource drag.
Do you see a lot of events on the MC? I would put the server in a group with no policies and see if performance improves.
If it does, then your rules are what's bogging it down. If it doesn't then it may be the network shim causing the slowdown.
Try it and post the results.
I could possibly explain that.
August 2005 I discovered same issues on a customer W2k3 Fileservercluster. I have done own LAB research and discovered a bug in 22.214.171.1246 (CSCsb97645).
It has to do with the untrusted content policy introduced in version 4.5. There is a bug which does not apply changes to rules classifying untrusted content after generating rules. I had to reboot whole cluster to make changes active. Second bug is concerned nature of handling untrusted content. It`s a matter of design in version 4.5 that especially Fileservers suffer from severe performance hit after a amount of time (several days to 4 weeks, depending on usage) that untrusted content filelist is steadily growing on the Fileserver Agent. Take a look in there and you`ll notice a hugh growing list. Maintaining this list consumes growing system resources to the time Fileserver response times are going down and cpu usage is 100 percent.
Stopping CSA service will solve issue or cleaning untrusted content list in agent(both temporary). These two bugs were verified by Cisco and should be solved in Version 5.x
Tom is right - even in Testmode CSA has to process his ruleset, so this is no solution in this situation.
So, I would recommend to upgrade to upcoming CSA 5.2 as it`s ready. CSA 5.1 is really a good improvement over 4.x in my opinion.
Thank you so much for the information!
I will try to remove the Untrusted Content Classification Module from the Application Classification Policy group. And monitor the status. Thank you!