Re: Ted.elg increased a lot

BrunoCiongoli · ‎2022-03-29

Hi checkmates, I have a problem:

The file "ted.elg" increase a lot and this fills the disk in the active gateway. The Threat Emulation and Threat Extraction blades are not enabled.

We are running a cluster in R80.40

This appears in the ted.elg file (attached image)

Did anything like that happen to anybody else?

the_rock · ‎2022-03-29

Hey Bruno,

Cant say I ever seen that issue happen myself. Can you ensure there is nothing in threat prevention policy enabled for those blades? I checked my 2 lab fw's and both have this file with size less than 200 Kb.

Andy

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

Hi andy thanks for the response

No, nothing in threat prevention policy is installed on this GW

regards

the_rock · ‎2022-03-29

Can you send a screenshot?

Andy

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

Yes, of course

This TP policies are for another cluster and are instaled on that cluster. The GW what have this issue is the one in the other image

the_rock · ‎2022-03-29

What happens if you delete the file? Does it go back to unusual size after some time?

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

Yes, after delete this file it returned to unusual sizes and again fills the disk after some time, it never stops typing it with the same error ( the error of the image that I sent in the original post)

the_rock · ‎2022-03-29

As last resort, if you can reboot fw, try that. If not, I would suggest contact TAC, this is worth investigating more.

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

We reboot the cluster and the problem happened in the another cluster member too.

the_rock · ‎2022-03-29

Definitely get in touch with TAC.

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

Thanks for your time, we’ll open a case

the_rock · ‎2022-03-29

Im really sorry, I wish I could have given you some sort of good suggestion. I never seen this problem before, so not really sure why it happens. Maybe someone else in the community will have an idea...one thing though that came to my mind is, can you run ps -auxw command and top as well, just to see if there is a process that could be consuming high memory/cpu that might potentially cause this to happen?

Andy

Best,
Andy
"Have a great day and if its not, change it"

BrunoCiongoli · ‎2022-03-29

Here are the outputs

the_rock · ‎2022-03-29

Just a shot in the dark here...but, one that that struck me from those outputs is that fwd is consuming unusually high amount of cpu, 30 plus % and then all fw workers about 10% each, which amount to more than 60% right there. I know this might be a bit extreme to try, but just to be 100% positive its not corexl related, if its enabled, I would try disable it as a test and reboot (can be done via cpconfig command). Not sure if thats something you could try, but it would be worth, just to confirm, for sure.

Best,
Andy
"Have a great day and if its not, change it"

JeffersonRomero · ‎2022-08-26

Hi Bruno

Did you solve it? I have the same behavior in a cluster in R81.10 ...

Regards

JR

Chris_Atkinson · ‎2022-08-26

TE is not enabled?

Does the following command return output?

tecli advanced attributes show | grep -i log

CCSM R77/R80/ELITE

Shiran_Gold · ‎2022-08-29

Hi Jefferson,

I have sent you a direct message, please check your inbox.

I would like to get more details about the behavior.

BR,

Shiran

Are you a member of CheckMates?

Ted.elg increased a lot