https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83210#M6432 <P>Hello Timothy,</P><P>&nbsp;</P><P>Thanks a lot, very useful resource!</P><P>I'll try some of these remediation options in the next days.</P><P>&nbsp;</P><P>piou_piou</P> Sun, 26 Apr 2020 16:25:29 GMT piou_piou 2020-04-26T16:25:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83072#M6422 <P>Hello everyone,</P><P>&nbsp;</P><P>Due to the current situation, we all know lots of users are working remotely.</P><P>I am having a weird problem on my R80.30 cluster (5400 appliances) :</P><P>The CPU is dangerously increasing during daytime (it reached 100% today). I noticed via cpview that most of the CPU is consumed by a few connections :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Active FW - cpview CPU.jpg" style="width: 784px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5775iDCADA383A9D12EB7/image-size/large?v=v2&amp;px=999" role="button" title="Active FW - cpview CPU.jpg" alt="Active FW - cpview CPU.jpg" /></span></P><P>These connections are always using TCP/7080 port and are displayed as "TCP:empowerid".</P><P>This is always from a 172.16.50.x host (which is our remote access VPN users pool) to 10.75.30.248 which is one of our Cisco Jabber server. Users and IP can be different, it seems to be happening randomly in the remote access VPN pool.</P><P>I managed to lower the CPU by manually disconnecting the involved users as you can see on the following graph at 14h and 16h (CPU is in yellow) :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Active FW - CPU last day.jpg" style="width: 856px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5776iFD64551B84A5009B/image-size/large?v=v2&amp;px=999" role="button" title="Active FW - CPU last day.jpg" alt="Active FW - CPU last day.jpg" /></span></P><P>Then as soon as someone is starting to work in the working, CPU is increasing like crazy... and eventually reaches 100%.</P><P>Same problem, same workaround for now, and here is the last graph I have :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Active FW - CPU last hour.jpg" style="width: 885px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5778iB66329D8EC873495/image-size/large?v=v2&amp;px=999" role="button" title="Active FW - CPU last hour.jpg" alt="Active FW - CPU last hour.jpg" /></span></P><P>I added a rule to drop the TCP/7080 service for now it's working properly, but we may need to accept this service later in order to make Jaber calls work when working remotely (it doesn't work for now and I've no clue why but its another topic).</P><P>&nbsp;</P><P>Here's my GW's version :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cpinfo -y all.PNG" style="width: 582px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/5779i8443C384B47DB526/image-size/large?v=v2&amp;px=999" role="button" title="cpinfo -y all.PNG" alt="cpinfo -y all.PNG" /></span></P><P>&nbsp;</P><P>Does someone has already seen this before?&nbsp; <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P>Thanks for your help!</P><P>piou_piou</P> Fri, 24 Apr 2020 13:12:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83072#M6422 piou_piou 2020-04-24T13:12:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83093#M6423 <P>Yes, what you are seeing is classic elephant flow behavior; Check Point calls these heavy connections.&nbsp; Please see my CPX 2020 presentation titled "Big Game Hunting: Elephant Flows" based on a chapter of my book which goes through the available identification tools and possible remediation options:</P> <P><A href="https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/member-exclusives/432/3/CPX_Big_Game_Hunting_FINAL2.cleaned.pdf" target="_blank" rel="noopener">https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/member-exclusives/432/3/CPX_Big_Game_Hunting_FINAL2.cleaned.pdf</A></P> <P>Edit: It is also possible these particular connections have to be processed F2F/slowpath for some reason, to see which path these connections are in run <STRONG>fwaccel conns</STRONG> and search for the connection and port attributes.</P> Sun, 26 Apr 2020 17:56:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83093#M6423 Timothy_Hall 2020-04-26T17:56:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83210#M6432 <P>Hello Timothy,</P><P>&nbsp;</P><P>Thanks a lot, very useful resource!</P><P>I'll try some of these remediation options in the next days.</P><P>&nbsp;</P><P>piou_piou</P> Sun, 26 Apr 2020 16:25:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CPU-intensive-connections-quot-TCP-empowerid-quot/m-p/83210#M6432 piou_piou 2020-04-26T16:25:29Z