RTSP over HTTP traffic might cause high CPU load on Security Gateway when HTTP inspection on non standard ports is enabled
Symptoms
  • Output of 'top' command shows that a CPU core is loaded at 100% (by CoreXL FW instance 'fw_worker') at random times of the day for several minutes each time.

  • Configuration of the Security Gateway machine and of Software Blades is fully optimized (SecureXL, CoreXL, SMT, rulebase, etc).

  • Most of the traffic passing the problematic Security Gateway is HTTP / HTTPS.

  • Kernel debug during the issue ('fw ctl debug -m WS + warning connection') repeatedly shows the following lines:

    {connection} ws_conn_get_next_read_session: using sn_list; 
    {connection} ws_conn_get_next_read_session: returned sn: 00000000, for side: WS_SERVER_SIDE; 
    {connection} ws_connection_read_handler: [WARNING]: failed to find read session. it is possible that a response; 
    {connection} ws_connection_read_handler: [WARNING]: was received before any request was sent, or that redundant; 
    {connection} ws_connection_read_handler: [WARNING]: CRLFs were sent at the end of the previous response; 
    {connection} ws_connection_read_handler: copy_data flag is true, copying stream data; 
    {stream} ws_stream_queue_make_private: copying data to bucket number ..., size: ...; 
    {stream} ws_stream_queue_make_private: after make private (before join), stream status is as follows:; 
    
  • Disabling the setting 'Enable HTTP inspection on non standard ports...' in SmartDashboard resolves the issue with high CPU load:

    • Go to 'Application & URL Filtering' tab - open 'Advanced' - click on 'HTTP Inspection' - clear the box 'Enable HTTP inspection on non standard ports for the Application & URL Filtering Blades' - install policy
    • Go to 'IPS' tab - open 'Additional Settings' - click on 'HTTP Inspection' - clear the box 'Enable HTTP inspection on non standard ports for the IPS Blade' - install policy
    • Go to 'Threat Prevention' tab - open 'Advanced' - click on 'HTTP Inspection' - clear the box 'Enable HTTP inspection on non standard ports for the Anti-Bot and Anti-Virus Blades' - install policy
Cause

RTSP over HTTP tunneling traffic (e.g., from surveillance cameras) has a non-standard structure: such connections carry two response headers. The client's GET (with 'Accept: application/x-rtsp-tunnelled') is answered by a single 'HTTP/1.0 200 OK' with 'Content-Length: 0', after which the same TCP connection carries raw RTSP (the 'RTSP/2.0 200 OK' block in the example below) followed by the media stream. In this tunneling scheme the client's own RTSP requests travel on a separate POST connection, so on the GET connection the Security Gateway sees a second response for which it never saw a request.

The HTTP inspection engine parses the RTSP data in that second block as another HTTP response header and keeps it, together with the data that follows it, in Check Point kernel memory for processing (this is what the 'failed to find read session' warnings in the kernel debug above report). As a result, a huge stream might be created, and processing that stream causes the high load on the CPU core of the 'fw_worker' instance that owns the connection.

Example of RTSP over HTTP tunneling traffic with two HTTP Response headers:

GET rtsp://X.X.X.X:N/... HTTP/1.0 
Content-Length: 0 
Cache-Control: no-cache 
Pragma: no-cache 
x-sessioncookie: ... ... ... 
User-Agent: AccClient[...]/5.0.2.24(25096) 64-bit HTTP-Agent 
Accept: application/x-rtsp-tunnelled 
... ... ... 

HTTP/1.0 200 OK 
Content-Type: application/x-rtsp-tunnelled 
Content-Length: 0 
Date: 
Cache-Control: no-cache 
Pragma: no-cache 
Server: AccServer[...]/5.0.2.24(25096) 64-bit 

RTSP/2.0 200 OK 
Server: AccServer[...]/5.0.2.24(25096) 64-bit 
CSeq: 1 
Content-Length: 1059 
Content-Type: application/sdp 
... ... ...
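
The pairing failure that the debug output reports, modelled as an added example. This is illustrative Python written for this page, not Check Point's inspection code: a small HTTP-style framer plus a request/response pairing pass is fed a constructed version of the exchange above (addresses, session cookie, SDP body and the interleaved RTP bytes are made up), and reports which server-side message has no request to pair with and how many bytes an engine that keeps treating the connection as HTTP would have to queue. Field names such as `queued_bytes` and `rtsp_tunnel` are this example's own.

```python
"""Added example (illustrative Python, not Check Point's inspection code):
model how an HTTP stream parser pairs server messages with client requests,
fed the RTSP over HTTP tunnelling exchange shown above. Everything here
(addresses, cookie, SDP body, field names) is constructed for the example."""
from collections import deque

CRLF = b"\r\n"
TUNNEL_TYPE = "application/x-rtsp-tunnelled"

# Constructed exchange mirroring the capture above. In this tunnelling scheme
# the GET connection carries only server-to-client data; the client's RTSP
# requests travel on a separate POST connection, so the GET side never shows
# a request for the RTSP reply that follows the single HTTP 200 OK.
CLIENT_GET = (
    b"GET rtsp://192.0.2.10:554/stream HTTP/1.0\r\n"
    b"Content-Length: 0\r\n"
    b"x-sessioncookie: 1c8c0b2a7f\r\n"
    b"Accept: application/x-rtsp-tunnelled\r\n"
    b"\r\n"
)
HTTP_200 = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/x-rtsp-tunnelled\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SDP_BODY = b"v=0\r\nm=video 0 RTP/AVP 96\r\n"
RTSP_200 = (
    b"RTSP/2.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    + b"Content-Length: " + str(len(SDP_BODY)).encode() + CRLF
    + CRLF
    + SDP_BODY
)
RTP_DATA = b"$\x00\x00\x0c" + b"\x80\x60" + bytes(10)  # one interleaved RTP frame
SERVER_STREAM = HTTP_200 + RTSP_200 + RTP_DATA


def parse_messages(stream: bytes):
    """Frame a byte stream the way a simple HTTP parser would: a start line,
    headers up to an empty line, then Content-Length body bytes per message.
    Redundant CRLFs between messages are skipped and counted (the other case
    the debug warning mentions). Returns (messages, leftover, stray_crlfs);
    leftover is data that never formed a complete message, here the RTP."""
    messages, pos, stray = [], 0, 0
    while True:
        while stream.startswith(CRLF, pos):
            pos += 2
            stray += 1
        end = stream.find(CRLF + CRLF, pos)
        if end == -1:
            return messages, stream[pos:], stray
        lines = stream[pos:end].split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii", "replace")] = (
                value.strip().decode("ascii", "replace"))
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:  # body not fully received: keep it all pending
            return messages, stream[pos:], stray
        messages.append({
            "start_line": lines[0].decode("ascii", "replace"),
            "headers": headers,
            "body": body,
            "wire_size": body_start + length - pos,
        })
        pos = body_start + length


def pair_sides(client_stream: bytes, server_stream: bytes) -> dict:
    """Pair each server-side message with the oldest unanswered client request.
    A server message with no pending request is orphaned; an engine that keeps
    treating the connection as HTTP must queue it, and everything after it,
    in memory. That queue is the 'huge stream' the Cause section describes."""
    requests, _, _ = parse_messages(client_stream)
    responses, leftover, stray = parse_messages(server_stream)
    pending = deque(requests)
    tunnel = any(TUNNEL_TYPE in r["headers"].get("accept", "") for r in requests)
    paired, orphaned, queued = [], [], 0
    for resp in responses:
        if pending:
            paired.append((pending.popleft()["start_line"], resp["start_line"]))
        else:
            orphaned.append(resp["start_line"])
            queued += resp["wire_size"]
    queued += len(leftover)  # binary RTP with no HTTP framing stays queued too
    return {
        "rtsp_tunnel": tunnel,
        "paired": paired,
        "orphaned": orphaned,
        "stray_crlfs": stray,
        "queued_bytes": queued,
    }


if __name__ == "__main__":
    for key, value in pair_sides(CLIENT_GET, SERVER_STREAM).items():
        print(f"{key}: {value}")
```

Running it, `orphaned` lists the 'RTSP/2.0 200 OK' that has no request to pair with and `queued_bytes` is everything from that block onward, which only grows for as long as the camera streams. The `rtsp_tunnel` flag, derived from the Accept header on the GET, is the signal an inspection engine can use to stop parsing the connection as HTTP after the first 200 OK; the setting described in the Symptoms section removes such connections from HTTP inspection altogether.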

Solution
Note: To view this solution you need to sign in.