Skip to main content
NetApp Knowledge Base

What is the recommended value for ONTAP Vscan offbox timeout settings?

Views:
3,913
Visibility:
Public
Votes:
3
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Antivirus

Answer

  • There are 2 recommendations for optimizing timeouts for vscan:
    • Set ONTAP  'vserver: vscan scanner-pool' policy
    • Vscan vendor dependent timeout value.
  • Ultimately, the timeout recommendations are published in various Vscan vendor provided best practices. Refer the following: Vscan partner solutions
  • What should I set the Vscan scanner-pool timeouts to?

NetApp’s general guideline is to ensure the vendor vscan-engine timeout values are lower than the scanner-pool Request Service Timeout (default 30s) value.

The following are recommended settings for ‘vserver vscan scanner-pool’ timeout settings. (9.3 example)

::*> vscan scanner-pool show -instance

                                         Vserver: svm1
                                    Scanner Pool: pool1
                                  Applied Policy: primary
                                  Current Status: on
              Cluster on Which Policy Is Applied: node1
                       Scanner Pool Config Owner: vserver
            List of IPs of Allowed Vscan Servers: 10.63.119.140
List of Host Names of Allowed Vscan Servers: 10.63.119.140
                        List of Privileged Users: domain\administrator
                         Request Service Timeout: 30s
                              Scan Queue Timeout: 20s

                           Session Setup Timeout: 10s
                        Session Teardown Timeout: 10s
Max Number of Consecutive Session Setup Attempts: 5

 What does each value mean?

  • request-timeout: Refers to the max wait-time for response of a scan-request.
  • scan-queue-timeout: Refers to the max time spent by a scan-request in scan-engine's queue, before it is serviced.
  • session-setup-timeout: Refers to the max wait-time for a response for session-setup-message.
  • session-teardown-timeout: Refers to the max wait-time for a response for a session-teardown-message, or for any message to be received for a session-id, after the underlying connection has been disconnected.
  • max-session-setup-retries: Refers to the max times session-setup for a session-id may be retried; case of consecutive retry failures only.

Note: The general recommendation is to NOT change these timeout values.

They have been optimally set as default. However, there could be certain situations where these values may need to be changed.

  • What should I set the vendor scan-timeouts to?
    • The official NetApp recommendation is to set the scan timeout value lower than our defined Request Service Timeout, but ultimately those are based on the different vendor recommendations.
    • At time of publish, these are the currently published vendor timeout values.
       
AV vendor Scan-timeout Value
Symantec 2/3* req_timeout
McAfee 25 seconds
Sophos 60 seconds **
Kaspersky 60 seconds **
Trend Micro 24 seconds

* Based off Best Practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp File

** NetApp has recommended this value to be below 30 seconds (ideally 5-10 seconds below the Request Service Timeout)

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.