WS2016 VM Windows Explorer freeze when high network usage

[Aitor]

Hi all,

I know is a long shot (I don't know this issue is coming from PVE or the Symantec antivirus I am forced to use...)

I am experiencing a really strange issue, so I will try to explain as better as possible.

My current setup:
- Dell R6525 server with:
- 2 AMD Epyc 7502 CPUs
- 256 GB of RAM
- 2x1TB SSD in RAID1
- 2x 1Gbps Ethernet ports
- 2x SFP+ ports with fiber optics transceivers
- This server is running Proxmox Virtual Environment 7.1 on Debian 11 Bullseye
- Inside the Proxmox VE I have a Windows Server 2016 VM, with:
- 16 cores
- 32 GB of RAM
- 650GB of storage
- 1x 1Gbps network card bridged to the VM
- 1x SFP+ network port bridged to the VM
- I have a proprietary machine that will digitize RF signal and send it to my VM using a fiber optics cable directly connected to the server
- When data is being sent the network usage goes up to 5Gbps
- Symantec Endpoint Protection 14.3RU4 build 14.3.7393.4000 is installed in the VM

My issue:
- When the RF signal is sent to the VM the bottom taskbar completely freezes in my VM (it looks like Explorer.exe is crashing)
- If I'm already connected to the VM through Remote Desktop, I can still navigate between open windows. But I can't maximize any window, when I click on the start button nothing happens and keyboard shortcuts (windows+r or ctrl+alt+supr) stop working.
- If I'm not already connected through RDP to the VM, I'm not able to do it anymore.
- If I stop sending the RF signal to the VM, the taskbar starts working again and if I've sent any keyboard shortcut they all be executed at the same time
- If I disable Symantec Endpoint Protection on my VM the issue persists
- If I uninstall Symantec Endpoint Protection from my VM all works without any issue

Thanks for your help

 

[VictorSTS]

Have no experience with that AV software. so this is probably not really helpful, but did you try to profile what is going on in the VM while you get RF data with and without the AV? You can try to compare memory, CPU, processes and so on.

Also, you may try to enable multiqueue on the VM's nic settings to see if it helps.

 

[fabian]

that sounds like endpoint protection trying to scan all that traffic and failing to keep up, maxing out your vcpu in the process..

 

[Aitor]

that sounds like endpoint protection trying to scan all that traffic and failing to keep up, maxing out your vcpu in the process..

Thanks for the answer,

It's exactly that. When I start sending the data 1 of the CPU cores goes to 100% (I assume is the one used for Symantec)


Also, if I check the Task Manager I can see the System interrupts is taking much more CPU than usual (5%)

The moment I stop sending data to the VM, the CPU goes back to standard load and the System interrupts goes back down to 0.5% CPU usage

 

[Aitor]

Have no experience with that AV software. so this is probably not really helpful, but did you try to profile what is going on in the VM while you get RF data with and without the AV? You can try to compare memory, CPU, processes and so on.

Also, you may try to enable multiqueue on the VM's nic settings to see if it helps.

It really look like Symantec is not able to follow the quantity of data to analyze. I will try and find a way to make it ignore all that data flow

BTW: I've tried to set the multiqueue to 8 and it didn't help

 

[Aitor]

BUT: The really strange thing is that even if I disable Symantec Endpoint Protection I still have the exact same behavior...

It's only when I uninstall it when it works

 

[VictorSTS]

Most AV's are quite paranoid (or just misbehave) and dont really get disabled even if you tell them to do so. Not even as an admin after authenticating twice and using their own CLI .