Slowness or latency when turning on ICAP scanning

Solutions ID:    KB2870
Version:    5.0
Status:    Published
Published date:    04/09/2009
Updated:    11/27/2013
 

Problem Description

With the ICAP response modification enabled (anti-virus enabled), the ProxySG seems to slow down. That slowness seems to increase over time up to a point where the ProxySG no longer serves objects.

Resolution

Anti-virus scanning will always add a bit of latency, but if that latency increases over time, it could be because of a more serious problem.

The most likely cause is that the connections between the ProxySG and the ProxyAV are being misused. For example, if there are 50 connections available between the ProxySG and the ProxyAV (or other AV engine), it's possible that some of those are used by streaming media, stock tickers, or other downloads that never end.

To find out whether the ProxySG has to queue ICAP objects, open the SysInfo and look for the following:


  ; Connection info
  max-conn               5
  current-connections    5
  current-transactions   5
  queued-actions         166    <----
  max-queued-actions     183    <----


In this example, only 5 connections are available between the ProxySG and the ICAP server (which is very low; normal values are between 50 and 100), and "queued-actions" is not zero, which means objects are waiting for a free connection. "max-queued-actions" shows a high watermark of 183 objects, which will cause latency.
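The check described above can be scripted. The following is an added example, not Blue Coat code: it parses the "Connection info" block of a SysInfo dump and applies the article's two tests (non-zero queue counters, max-conn below the normal 50 to 100 range). The function names, the filler sections in the sample and the assumption that a section ends at the next ";" header are all constructed for illustration.

```python
import re

# SysInfo excerpt from the article, wrapped in constructed filler sections.
SAMPLE_SYSINFO = """\
; Other section (constructed filler)
  ; Connection info
  max-conn               5
  current-connections    5
  current-transactions   5
  queued-actions         166    <----
  max-queued-actions     183    <----
; Next section (constructed filler)
  max-conn               999
"""

LINE_RE = re.compile(r"^\s*([a-z][a-z-]*)\s+(\d+)\b")


def parse_connection_info(text):
    """Return the counters of the first '; Connection info' block as ints."""
    counters, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(";"):
            if in_block:
                break  # assumption: the next ';' header ends the block
            in_block = stripped.lstrip("; ").lower() == "connection info"
            continue
        match = LINE_RE.match(line) if in_block else None
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def assess(counters, normal_min_conn=50):
    """Apply the article's checks; an empty list means no queuing was seen."""
    findings = []
    queued = counters.get("queued-actions", 0)
    peak = counters.get("max-queued-actions", 0)
    if queued > 0:
        findings.append(f"queuing now: {queued} objects waiting for a connection")
    if peak > 0:
        findings.append(f"queuing has occurred: high watermark {peak}")
    if counters.get("max-conn", normal_min_conn) < normal_min_conn:
        findings.append(f"max-conn {counters['max-conn']} is below the usual 50-100")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(parse_connection_info(SAMPLE_SYSINFO))) or "no queuing")
```
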

 

To fix this type of problem, the first step is to make sure that the ProxyAV best-practice code is installed. It can be downloaded here. This code is valid for other ICAP servers, not just ProxyAV.

(For SGOS versions 5.5 and 6.x only: to prevent the "warning error", please use the CPL code in the attachment, where the deprecated command "patience_page(no)" has been replaced by 'response.icap_feedback.interactive( no )'.)

With that in place, most streaming media and the known user-agents will not be sent to the ICAP server, so they won't clog the available connections. This will speed things up and help prevent queuing.

 

NOTE: This was published in 2009. For the most up-to-date best practice policies, see the SG/AV integration guide.

 

Attachment

ProxyAV_Best_Practise.txt
