High CPU on VSCAN server causes CIFS access issues
Applies to
- ONTAP 9
- Vscan
- SentinelOne
Issue
- VSAN servers reached 100% CPU
- Users are unable to access CIFS shares
- EMS logs shows the error
Nblade_CifsOperationTimedOut_1 'lastSpinNpError': 'SPINNP_ERR_OFFBOX_VSCAN_REQD':
Tue Jun 03 10:06:54 +0100 [node-01: kernel: Nblade_CifsOperationTimedOut_1:error]: params: {'commandName': 'SMB2_COM_CREATE', 'suspensionCnt': '4', 'cmdRestartCnt': '0', 'lastCsmError': 'CSM_OK', 'remoteBladeID': '6401c875-9f30-11ee-9941-d039eaaf0c59 (node-01)', 'isQosEnabled': 'QoS_disabled', 'lastSpinNpError': 'SPINNP_ERR_OFFBOX_VSCAN_REQD', 'clientIpAddress': '172.xx.xx.xx', 'localIpAddress': '172.xx.xx.xx', 'vserverId': '16', 'dsId': '1079', 'vserverName': 'svm'}
- EMS logs shows the error
vscanExcessiveTOs:
Tue Jun 03 10:13:02 +0100 [node-01: kernel: Nblade.vscanExcessiveTOs:error]: Vscan timed-out scanning events exceeded 2000 in the last 30 minutes for Vscan server (IP: 192.xx.xx.xxx) in SVM "svm".
- Vscan events show
scan-timedoutandscan-internal-error:
::*> vserver vscan show-events -vserver <vserver_name>
- Performance Archive data shows high latency for the virus scanner connection :
# Offbox_vscan_server #
Report offbox_vscan_server for ASUP - xxxxxxxxxxxx
Cluster: cluster-1 (4b3d00bc-9f32-11ee-9941-XXXXXX)
Node: node-01 (6401c875-9f30-11ee-9941-xxxxxxxxx)
Model: AFF-A400
Release: 9.14.1P7
Time Range: 2025-06-03 06:00:01.000+00:00 - 2025-06-03 10:00:01.003+00:00
start end instance scan_latency (us)
2025-06-03 09:07:15 +00:00 2025-06-03 09:12:15 +00:00 svm-13:192.168.0.195:xxxxxxx 26772580.58
2025-06-03 09:07:15 +00:00 2025-06-03 09:12:15 +00:00 svm-11:192.168.0.195:xxxxxxx 22766879.80
2025-06-03 09:12:15 +00:00 2025-06-03 09:17:15 +00:00 svm-13:192.168.0.194:xxxxxxx 22062075.29
2025-06-03 09:17:15 +00:00 2025-06-03 09:22:15 +00:00 svm-09:192.168.0.194:xxxxxxx 21579253.00