Overview
You are experiencing issues with high bandwidth utilization with agent scanning and patching of computers connected through the Agent Relay server, especially during business hours.
Solution
The common root causes for this might be environment variables, an issue with the Apache Server used by LanGuard and Agent Relays, or not optimal scanning schedule - a lot of Agents performing Program Updates or computers simultaneously downloading patches can cause high-bandwidth.
Relay Agents assigned to machines within the same network segment are used to reduce the load from the GFI LanGuard Server and spread out the network traffic. Computers configured as Relay Agents are acting as caching points. If the computer is assigned a Relay Agent, the agent doing the update or PatchAgent working on remediation will request the files from the Relay Agent. If the Relay Agent has the file already in its cache, it will deliver the update file. If not, it will request it from the GFI LanGuard server or upstream relay, and once retrieved, add the file to its relay cache.
To improve bandwidth utilization:
- Ensure that both LanGuard server and Agent Relay(s) meet the requirements, all exclusions are in place, necessary services are running.
- As the Agents perform Program Updates daily at a random time fixed during the installation, and additionally immediately prior to each scan:
- Restrict Daily updates to non-business hours as described in the Running LanGuard Agent Updates Only at Specific Time Range to Reduce Bandwidth article.
- Change the agent scan schedule on all endpoints connected to Relay to happen after business hours. If there are different logical groups there, you can space the schedule between these groups to spread the load.
- Keep the number of computers/agents directly connected to the GFI LanGuard server or to one Relay Agent below 100.
If you believe the bandwidth is still high, you can check the correctness of the Agents and Agent Relay configuration following the file requests in the %AgentData%\DebugLogs\HTTPD\access.log
on LanGuard server. Check to see if this is normal bandwidth or abnormal as follows:
- Check the most recent
access.xxxx
logs on the LanGuard server and use Notepad++ to view it.
If the agents are working properly you should only seeGET
requests from the Relay agent server IP address.- You should see post requests from agents assigned to that Relay; these are the scan or remediation notification messages.
- You can use Regular Expressions like
^172.17.11.2.*GET
(without the substituting IP address) to search for allGET
requests from a particular Relay. If you see requests from agents for the update files have the customer check the configuration of the agent to make sure the Relay is assigned to it.
- If the Relay is functioning correctly, you should only see
GET
requests for update files once a day (except for requests for the index.txt)- You can use Regular Expressions like
^10.1.222.11.*GET.*lanss_11_wsusscn2.cab
(without substituting IP address and filenames) to search for all requests from IP10.1.222.11
for the file wsusscn2.cab. Check other files to see if the Relay is requesting this more than once or twice in a day. - There are several requests for the same file separated by 5 - 10 seconds from the same IP - this is normal and indicates that LanGuard didn't immediately respond to the request with the first packet because it was busy. However, if you see repeated requests for the same file separated by an hour or more, it indicates a problem with the Relay perhaps not caching the file.
- You can use Regular Expressions like