andersplarsson
Participant

Troubleshooting High CPU usage on R73.30 JHF Take 351

Hi,

Have a gateway running R73.30 JHF Take 351 on a 1200-Appliance with high CPU usage since a few months back and just need to figure out what is causing the high load and see what can be done about it.

It runs at the moment with an average of 29% load on all CPUs but some of them are more used than others. Previously we had an average of 8-10% utilization.

Here are some stats:

F1011MNS> cpstat -f multi_cpu os

 

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 52| 45| 55| ?| 53468|
| 2| 3| 37| 61| 39| ?| 53470|
| 3| 0| 22| 78| 22| ?| 53471|
| 4| 1| 22| 78| 22| ?| 53472|
| 5| 1| 22| 78| 22| ?| 53473|
| 6| 1| 20| 80| 20| ?| 53475|
---------------------------------------------------------------------------------

 

F1011MNS> fwaccel stats -s
Accelerated conns/Total conns : 70677/90572 (78%)
Delayed conns/(Accelerated conns + PXL conns) : 25202/70761 (35%)    <<<<< what does this mean?
Accelerated pkts/Total pkts : 24358499405/27912500747 (87%)
F2Fed pkts/Total pkts : 3534173814/27912500747 (12%)
PXL pkts/Total pkts : 19827528/27912500747 (0%)
QXL pkts/Total pkts : 0/27912500747 (0%)

 

Just need some good advice how to proceed and see if something can be done about this without an upgrade to R80.X.

 

Best Regards,

Anders Larsson 

2 Replies
PhoneBoy
Admin

R77.30 is very much End of Support and you really should look at upgrading this gateway.

Delayed connections: Connection created from SecureXL Connection Templates without notifying the Firewall for a predefined period of time. The notified connections are deleted by the Firewall.
Not entirely indicative of a problem.
The following SK may be helpful: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The vast majority of the connections/packets are being accelerated, which is a good thing.
It's possible you may be able to increase this somewhat, but it may just be that the overall traffic the gateway is handling has increased.
Output of the Super Seven commands will probably be helpful to dig into this more: https://community.checkpoint.com/t5/Scripts/S7PAC-Super-Seven-Performance-Assessment-Commands/m-p/40... 

the_rock
Mentor

Agreed. Also, maybe do some basic commands just to see what it shows...cpview, top, ps -auxw? Any idea when this happened exactly? I know you said a few months back, but any major changes done? TAC support for R77.30 would be literally nonexistent. Shoot me a private message and maybe I can help you via remote session.

Andy
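
An added example, not part of any post in this thread: a small Python parser for the `cpstat -f multi_cpu os` and `fwaccel stats -s` output pasted in the question, meant to be run offline on saved text. It lists the cores above the mean, the share of busy time spent in system time, and the ratios recomputed from the raw counters; the sample strings are copied from the question and every function name is made up for this example.

```python
import re

# Sample input: rows copied from the output pasted in the question (embedded for offline use).
CPSTAT = """\
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
| 1| 4| 52| 45| 55| ?| 53468|
| 2| 3| 37| 61| 39| ?| 53470|
| 3| 0| 22| 78| 22| ?| 53471|
| 4| 1| 22| 78| 22| ?| 53472|
| 5| 1| 22| 78| 22| ?| 53473|
| 6| 1| 20| 80| 20| ?| 53475|
"""
FWACCEL = """\
Accelerated conns/Total conns : 70677/90572 (78%)
Delayed conns/(Accelerated conns + PXL conns) : 25202/70761 (35%)
Accelerated pkts/Total pkts : 24358499405/27912500747 (87%)
F2Fed pkts/Total pkts : 3534173814/27912500747 (12%)
"""

def parse_cpstat(text):
    """Map CPU number -> user/system/idle/usage percentages from the table rows."""
    cpus = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 5 and cells[0].isdigit():  # skips header and rule lines
            cpus[int(cells[0])] = dict(zip(("user", "system", "idle", "usage"),
                                           map(int, cells[1:5])))
    return cpus

def hot_cpus(cpus):
    """Return (mean usage, CPUs above the mean) to show how uneven the load is."""
    mean = sum(c["usage"] for c in cpus.values()) / len(cpus)
    return mean, sorted(n for n, c in cpus.items() if c["usage"] > mean)

def system_share(cpus):
    """Fraction of busy time (user + system) that is system time."""
    busy = sum(c["user"] + c["system"] for c in cpus.values())
    return sum(c["system"] for c in cpus.values()) / busy

def parse_fwaccel(text):
    """Map each 'label : n/d (p%)' line to its raw (n, d) counters."""
    return {m.group(1).strip(): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(r"^(.+?)\s*:\s*(\d+)/(\d+)", text, re.M)}

def pct(pair):  # percentage from (numerator, denominator); 0.0 if the total is zero
    return 100.0 * pair[0] / pair[1] if pair[1] else 0.0

if __name__ == "__main__":
    print(hot_cpus(parse_cpstat(CPSTAT)), parse_fwaccel(FWACCEL))
```

Diffing the parsed counters from two captures taken some time apart gives the rates for that interval, where the single snapshot only gives totals since the counters were last reset.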