The event-log contains many unknown user errors for different client IP addresses. To understand the problem, we added the following policy to the local policy layer:
define action log_internal_error
    log_message("you are using $(request.header.User-Agent) from $(client.address) and as user $(user.name) in realm $(realm) going to $(url)")
end action log_internal_error
The above policy adds more detail to the errors logged in the event-log. With that detail, it became clear that only a few sites were causing the unknown user errors. In this case, they were ovi.com and nokia.com.
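Once the policy is logging, the messages can be tallied by destination site to see which few sites dominate. The Python script below is an added example, not part of the original article; it assumes the event-log has been exported as text with the log_message text somewhere on each line, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Matches the text written by the log_message() action above; anything
# before or after it on the line (timestamp, severity, ...) is ignored.
MSG_RE = re.compile(
    r'you are using (?P<agent>.*?) from (?P<client>\S+) and as user '
    r'(?P<user>.*?) in realm (?P<realm>.*?) going to (?P<url>[^\s"]+)'
)

# Constructed sample lines (assumed export layout, not real appliance output).
SAMPLE = [
    'Jan 01 09:00:01 "you are using Mozilla/4.0 (compatible; MSIE 7.0) from 10.1.1.20 and as user  in realm  going to http://sync.ovi.com/services"',
    'Jan 01 09:00:02 "you are using Mozilla/4.0 (compatible; MSIE 7.0) from 10.1.1.20 and as user  in realm  going to http://sync.ovi.com/services"',
    'Jan 01 09:00:02 "you are using Mozilla/4.0 (compatible; MSIE 7.0) from 10.1.1.31 and as user  in realm  going to http://mail.ovi.com/"',
    'Jan 01 09:00:03 "you are using Mozilla/4.0 (compatible; MSIE 7.0) from 10.1.1.44 and as user  in realm  going to http://www.nokia.com/a"',
    'Jan 01 09:00:04 "you are using Mozilla/4.0 (compatible; MSIE 7.0) from 10.1.1.44 and as user  in realm  going to http://www.nokia.com/a"',
    'Jan 01 09:00:05 "you are using Mozilla/5.0 from 10.1.1.7 and as user jsmith in realm corp going to http://www.example.org/"',
    'Jan 01 09:00:06 "Snapshot sysinfo_stats has fetched /sysinfo-stats"',
]

def site_of(url):
    """Grouping key: last two labels of the host. Assumption: no
    multi-label public suffixes (such as co.uk) in the data."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return ".".join(host.split(".")[-2:])

def summarize(lines):
    """Return {site: {"hits": int, "clients": set, "agents": Counter}}."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "agents": Counter()})
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # unrelated event-log entry
        entry = summary[site_of(m["url"])]
        entry["hits"] += 1
        entry["clients"].add(m["client"])
        entry["agents"][m["agent"]] += 1
    return dict(summary)

def top_sites(summary, n=5):
    return sorted(summary, key=lambda s: summary[s]["hits"], reverse=True)[:n]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for site in top_sites(result):
        print(site, result[site]["hits"], len(result[site]["clients"]))
```
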
What was happening was that mobile phones were syncing their email to Microsoft Outlook. The user-agent being used was Internet Explorer, and the users were not logged on to the domain. To fix the issue, we added a rule to bypass authentication for these sites. Additionally, we added an allow rule for these sites to the Web Access Layer (in the VPM) and placed it above the group= and user= rules. CPU utilization dropped to 40%.
The issue was caused by mobile sync traffic not being allowed out. The mobile sync client was not sending authentication headers, which resulted in the clients retransmitting their requests. Thus, a majority of the ProxySG appliance's CPU was consumed by TCP. On single-processor appliances, such as the SG510, this additional traffic can cause a bottleneck.