Tag Archives: laggy

Watchguard XTM Firewall and UTM Appliance – High CPU Usage in the GAV (gateway anti-virus) scand process causes lag and typing delay in Remote Desktop Sessions (RDP) and SIP or VoIP latency issues

Watchguard XTM Firewall and UTM Appliance – High CPU Usage in scand process causes lag and typing delay in Remote Desktop Sessions (RDP).  You may find that remote users report a lag with Remote Desktop Sessions, freezing sessions, black screen and random disconnections.  At around the same time users report these issues you may find that the CPU usage of the scand process on your Watchguard has increased to 100% and the majority of the activity is attributed to the scand process.  You may be able to recreate this issue by browsing websites that utilise lots of Adobe Flash or Media Content as GAV will need to scan all these elements of the web page.  Login to the Watchguard System Manager and then open Firebox System Manager click on Status Report and scroll down the report until you find the Process List (Screenshot Below).  This information will automatically update every 30 seconds so you can see the %CPU column will change and update every 30 seconds.  The top value system shows the overall CPU utilisation and if you look further down you can see which sub processes are actually occupying the CPU time and making up the overall system usage.  In the screenshot below we can see that system is showing 100 % CPU Usage and then further down we can see that the scand process is accounting for 90.99% of this.  When the CPU Usage reaches 100% on the Watchguard unit it may stop forwarding other traffic and this accounts for the lag and jitter we see within the Remote Desktop Session.  Other time sensitive traffic such as VoIP or SIP traffic may also be affected by this issue as the packets are delayed whilst the Firewall recovers from the resource exhaustion.  Users may also report that web pages are slow to load at the time these issues occur where the GAV process is still dealing with the other requests.


You can try disabling the GAV (gateway antivirus) for the HTTP and FTP Proxy to ensure that this is the actual cause of your issues, if the problem subsides then you may need to consider updating the XTM OS to the latest release i.e. 11.5.2 and/or adjusting the GAV policy so that it does not scan some content i.e. Images/Text within websites.  You may also need to consider opening a support case with Watchguard to make them aware of this issue, if you have a large number of users then you may even need to consider upgrading your XTM appliance to a larger unit i.e. XTM 23 to XTM 505 or XTM 22 to XTM330 to provide additional processing power (CPU) and system resources to cope with the additional anti-virus scanning requirements.

Watchguard XTM High CPU Usage scand
Watchguard XTM High CPU Usage scand

HTTP and HTTPS requests or traffic to a Windows Vista, Windows 7, Windows Server 2008, SBS 2008, Windows Server 2008 R2 or SBS 2011 machine may exhibit increased latency if the connection is through a network load balancer

If you utilise Microsoft Internet Information Services IIS or an application that uses the System.Net.HttpListener class is installed or running on one the operating systems below, and you have a Network Load Balancer then you may find that Increased latency occurs on HTTP and HTTPS requests and traffic.

This issue occurs because the HTTP and HTTPS requests from clients can include zero length data in the SSL records, certain server-side variables do not update correctly in this instance and Http.sys leaves the connection in the CLOSE_WAIT state.  This intern exhausts the open connection limit can introduce latency, timeouts and connection problems.

Affected Operating Systems:

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows Server 2008

Microsoft Small Business Server 2008 – SBS 2008

Microsoft Windows Server 2008 R2

Microsoft Small Business Server 2011 – SBS 2011

The Microsoft Knowledge Base Article KB 2634328 includes further information on this issue and provides an updated version of Http.sys that corrects the issue http://support.microsoft.com/kb/2634328

CPU Usage may increase to 100% while you are scrolling through a Web page in Microsoft Internet Explorer 8 or Microsoft Internet Explorer 9

CPU Usage may increase to 100% while you are scrolling through a Web page in Microsoft Internet Explorer 8 or Microsoft Internet Explorer 9

This can occur if the “Use smooth scrolling” option is enabled in “Internet Options” by default the “Use smooth scrolling” setting is enabled in Internet Explorer 8 and Internet Explorer 9.

To resolve the issue you just need to disable/untick the “Use smooth scrolling” option in Internet Explorer by following the steps below

  1. On the “Tools” menu in Internet Explorer, click “Internet Options” then click the “Advanced” tab
  2. Click to untick the “Use smooth scrolling” check box as shown in the screenshot below

The Microsoft knowledge base article KB 885355 http://support.microsoft.com/kb/885355

Windows Vista and Windows 7 – USB Audio Device or USB Headset can cause High CPU Usage and you may notice skipping in the sound playback

If you use a USB Headset, USB Speakers or USB Sound Card under Windows Vista or Windows 7 you may notice that the CPU Usage is very high when you are listening to sound, music or gaming.  You may also notice that the audio lags or skips as a result, this will normally occur every 10-20 seconds and may get worse over an extended period of time.

This is most likely to occur when the device is connected to a USB 2.0 EHCI (Enhanced Host Controller Interface)

The issue is caused by a problem with the usbport.sys driver that is part of Windows

The issue can be addressed in Windows 7 or Windows Server 2008 R2 by upgrading to “Service Pack 1”

The issue can be addressed in Windows Vista – Service Pack 2 or Windows Server 2008 – Service Pack 2 by applying the hotfix from http://support.microsoft.com/kb/981214 which includes an updated version of usbport.sys