Skip to main content
NetApp Knowledge Base

FAQ: Understanding ONTAP Offbox Vscan Server Extended Metrics

Last Updated:


Applies to

  • ONTAP 9
  • ONTAP AV Connector
  • Clustered Data ONTAP 8
  • Clustered Data ONTAP: McAfee
  • Clustered Data ONTAP: Sophos
  • Clustered Data ONTAP: Symantec
  • Clustered Data ONTAP: Trend Micro


For information regarding statistics collected under normal circumstances, see section 9.2. Monitoring Status and Performance Activities of the following individual Technical Reports.

  • TR-4286: Antivirus Solution Guide for Clustered Data ONTAP: McAfee
  • TR-4309: Antivirus Solution Guide for Clustered Data ONTAP: Sophos
  • TR-4304: Antivirus Solution Guide for Clustered Data ONTAP: Symantec
  • TR-4312: Antivirus Solution Guide for Clustered Data ONTAP: Trend Micro
What ONTAP VSCAN counters are available?

Vscan relevant counters are categorized as follows:

  • offbox_scan_status: Collected in dblade per-node basis.
    • Available in the diag mode.
    • ONTAP offbox_scan_status counters on a per-node basis are used to monitor the rate of Vscan server requests that are dispatched and received per second, and the server latencies specific to that physical node.
  • offbox_vscan: Collected in nblade per Vserver basis.
    • Available in the admin mode.
    • ONTAP offbox_vscan counters on a per SVM basis are used to monitor the rate of Vscan.
    • Server requests are dispatched and received per second, and the server latencies are across all Vscan servers.
  • offbox_vscan_server: Collected in nblade per [Vserver, server, node] basis.
    • Available in the diag mode.
    • This contains basic stats collected from the Vscan server.
    • ONTAP offbox_vscan_server counters are Vscan server-side utilization statistics.
      • These statistics are tracked on a per SVM, per off-box Vscan server, and per-node basis.
      • They include CPU utilization on the Vscan server; queue depth for operations to be scanned on the Vscan server, both current and maximum; memory used; and network used.
  • These statistics are forwarded by the ONTAP AV Connector to the statistics counters within ONTAP.
  • They are based on data that is polled every 20 seconds and must be collected multiple times for accuracy; otherwise, the values seen in the statistics reflect only the last polling. CPU utilization and queues are particularly important to monitor and analyze.
  • A high value for an average queue can indicate that the Vscan server has a bottleneck.
How do ONTAP Vscan counters look from a high-level perspective?


  • Antivirus Software: The antivirus software is installed and configured on the Vscan server to scan files for viruses or other malicious data. The antivirus software must be compliant with clustered Data ONTAP. Specify the remedial actions to be taken on infected files in the configuration of the antivirus software.
  • Antivirus Connector: Antivirus Connector is installed on the Vscan server to process scan requests and provide communication between the antivirus software and the server virtual machines (SVMs; formerly called Vservers) in the storage system running clustered Data ONTAP.
  • SVMVserver: This is where the SVMVserver resides. This holds the specific Vscan configuration for each specific SVM. This spans the whole cluster.
Where are ONTAP offbox_vscan overall and server counters?

They will usually be collected in a perfstat.


Or collected manually:

Example 1: offbox_scan_status
cifs_tbs2::*> statistics start -object offbox_scan_status -sample-id vscan1
Statistics collection is being started for Sample-id: vscan1


Example 2: offbox_vscan
cifs_tbs2::*> statistics start -object offbox_vscan -sample-id vscan2
Statistics collection is being started for Sample-id: vscan2


Example 3: offbox_vscan_server
cifs_tbs2::*> statistics start -object offbox_vscan_server -sample-id vscan3
Statistics collection is being started for Sample-id: vscan3


Where can I get descriptions of what these counters mean?

Run the following commands:

::*> statistics catalog counter show -object offbox_scan_status
::*> statistics catalog counter show -object offbox_vscan
::*> statistics catalog counter show -object offbox_vscan_server

For more information, see the following examples in the Additional Information section below:

  • statistics catalog counter show -object offbox_scan_status.txt
  • statistics catalog counter show -object offbox_vscan_server.txt
  • statistics catalog counter show -object offbox_vscan.txt
How can I gauge the health of the Vscan server and Vscan Engine using these counters?

The scanner_stats_* counters are gathered from the Vscan server through the AVSHIM. These can give us a general idea of the overall health of the Vscan server. These counters are provided to the AVSHIM and are usually a good representation of the previous 30 secs.

Each of those counters measures as follows:

Counter Information Displayed

Represents the current state of scan-request-queue on scanner, increments if the pending request queue** is FULL on AVSHIM. (value is either FULL’1’ or NOT FULL ‘0’)

If the value is 1, there are currently 2000 pending requests in the queue.

scanner_stats_pct_cpu_used CPU utilization on the Vscan server. In case of multiple CPUs, the cumulative average should be provided.
scanner_stats_pct_dropped_requests Percentage of received scan requests that are dropped by the scanner

An average queue of scan requests on the Vscan server.

It is the average of the last reported and the current calculated value of the pending request queue length in AVSHIM. So, if the last reported value was 50% and the current value is 60%, then the avg is 55%. The percentage is calculated by using the base of max_queue_length of pending requests in AVSHIM, which is 2000**.


Maximum scan-request-queue length on the scanner (as a percentage of queue length) (% is calculated from a base of the last 2000 requests), that is, the value of 50 means 50% of base 2000 is a high watermark. (scan-request-queue maxed at 1000 requests)

scanner_stats_pct_mem_used Percentage of total memory consumed on the Vscan server

Percentage of total-input-queue-length currently being used on the Vscan server.
Note: In case the scanner is multi-homed, this is the utilization of the network interface that is the busiest.

Note: AVSHIM has a global queue limit of 2000 requests, shared by all connections/Vservers. Since AVSHIM works on the pull-based mechanism, it will stop pulling requests from ONTAP, until slots are freed (after receiving confirmation of completion from the scan engine, AVSHIM will pull more requests. If there are more scanners connected to that node, then the scan-requests will be pulled by other Vscan servers.)
ONTAP does not trigger secondary scanner-pool, until the connection between AVSHIM and ONTAP is healthy.

What other counters are available to check for the health of the Vscan server and Vscan Engine?

Statistics are gathered on the AVSHIM and send to the storage system through ZAPI, which can give you an indication of the health of the Vscan server. These provide a per connection statistic for each Vserver to the Vscanner.
 cifs_tbs2::*> vscan connection-status show-extended-stats
(vserver vscan connection-status show-extended-stats)Connection

Vserver    Node                   Server                  Status                Extended Stats
----------- -----------------     ---------------          --------------     -----------------
fpol1          cifs_tbs2-01   connected        ts=1:22:10 PM Jun 08,2015
                                          mempage/s=91, procs=60, threads=821, %cpu=3.53, procqlen=1,

diskio/s=15, smbbytes/s=208,
                                          ifmac=00:50:56:AF:16:05 [VMware], tcpstat=retrans:14930,connfail:2734,connreset:8524,inerr:0 **
                                          cfg=Host Name:CIFS-TBS-WIN
                                          OS Name:Microsoft Windows Server 2008 R2 Enterprise
                                          OS Version:6.1.7601 Service Pack 1 Build 7601
                                          System Boot Time:5/25/2015, 1:02:47 PM
                                          System Manufacturer:VMware, Inc.
                                          System Model:VMware Virtual Platform
                                          System Type:x64-based PC
                                          Processor(s):2 Processor(s) Installed.
                                          [01]:Intel64 Family 6 Model 15 Stepping 1 GenuineIntel ~2600 Mhz

 Note: A large value of the TCP retransmits and connection failures can indicate an issue between the networks of the storage system and the Vscanner.

Counter Information Displayed
mempage/s Memory pages per second of the Vscan server.
(It is the rate at which pages are read from or written to a disk to resolve the hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays.)
procs Number of threads running in the Vscan server.
(It is the number of threads in the computer at the time of data collection. This is an instantaneous count, not an average over-the-time interval.)
%cpu Percentage of CPU utilization in the Vscan server.
(It is the percentage of elapsed time that the processor spends to execute a non-idle thread.)
procqlen Processor queue length of the Vscan server.
(This indicates the number of threads in the processor queue.)
diskio/s Disk input/output per second of the Vscan server.
(This is the rate of read and write operations on the disk)
smbbytes/s SMB byte transfers per second of the Vscan server.
(The rate at which the redirector is processing data bytes. This includes all application and file data in addition to protocol information, such as packet headers.)
ifmac MAC address of the Vscan server.
tcpstat TCP statistics of the Vscan server.
Cfg System information of the Vscan server.

Additional Information

Statistics examples:




  • Was this article helpful?