This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco_Valenti
Advisor
‎2018-06-05 03:41 AM

Wa -IO-wait

Hey check mates

Sometimes on some old type of appliance from the top command you can see that one of the highest value is %wa causing high cpu load

Most of the time is a temporary issue that will auto resolve.

My question is if someone was bothered enough from that issue to find a way to discover wich process is causing high %wa or in his experience the time spent on resolving that is just wasted time Smiley Happy

Thanks

0 Kudos
11 Replies
Vladimir
Champion
Champion
‎2018-06-05 05:34 AM

Please check your memory utilization. If it is consistently high and you are swapping to disk, it may be better to simply upgrade the RAM on the appliance and, if they are in 32 bit mode, change them to 64 bit, to take advantage of it.

0 Kudos
Marco_Valenti
Advisor
‎2018-06-05 06:35 AM
In response to Vladimir

sadly was not a memory issue

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-06-05 12:22 PM
In response to Marco_Valenti

sadly was not a memory issue

Are you sure Marco Valenti?  Running free -m reports zero for swap utilization on the last line of the output?  Lack of RAM is by far the most common cause of high wa values on a gateway.  This can also potentially be caused by a runaway process, failing hard drive, or possibly enabling gateway features that incur a large number of process space trips (such as HTTPS Inspection), process space trips and what causes them are covered extensively in Chapter 10 of the second edition of my book.

The tool of choice for identifying other events that are causing high wa is iotop, but that tool is not available for the 2.6.18 kernel version that Gaia uses.

Be careful trying to observe different types of CPU utilization with Check Point tools like the SmartView Monitor and cpview/cpstat, as these tools tend to roll up us/ni into a single "User CPU" number and sy/si/hi/wa/st into a single "Kernel CPU" number.  I assume you are using top or sar to observe the high wa?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Marco_Valenti
Advisor
‎2018-06-06 12:16 AM
In response to Timothy_Hall

yep top was used for that case and it does not seem to be a memory issue at least for the last case that was brought to my attention

0 Kudos
RickHoppe
Advisor
‎2018-06-06 08:43 AM
In response to Timothy_Hall

Security Management R80.20 EA is running on kernel 3.10.0, so iotop is included in there (for future troubleshooting).


[Expert@FWMGMT:0]# fw ver
This is Check Point's software version R80.20 - Build 068

[Expert@FWMGMT:0]# uname -a
Linux FWMGMT 3.10.0-693cpx86_64 #1 SMP Tue Feb 6 12:13:02 IST 2018 x86_64 x86_64 x86_64 GNU/Linux

Security Gateway R80.20 EA is still running on kernel 2.6.18, so no iotop for now.

[Expert@GW2:0]# fw ver
This is Check Point's software version R80.20 - Build 068
[Expert@GW2:0]# uname -a
Linux GW2 2.6.18-92cpx86_64 #1 SMP Tue May 15 18:55:11 IDT 2018 x86_64 x86_64 x86_64 GNU/Linux

My blog: https://checkpoint.engineer
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-06-05 05:44 AM

Which appliance model ? Which CP version ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Marco_Valenti
Advisor
‎2018-06-05 06:38 AM
In response to G_W_Albrecht

gaia 4000 series r77.30

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-06-05 07:11 AM

can be be wait for disk access, I would check that too

High CPU utilization after upgrade to R77.30 

0 Kudos
Marco_Valenti
Advisor
‎2018-06-05 07:18 AM
In response to Kaspars_Zibarts

thanks , despite it is not an upgrade could be relevant anyway

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-06-05 07:41 AM
In response to Marco_Valenti

There are more articles if you search on io wait and r77.30 that was just to throw ideas in the air Smiley Happy

0 Kudos
Markus_Genser
Contributor
Contributor
‎2018-06-06 06:50 AM

As %wa is caused by disc usage and you checked the available memory if the gateway started swapping.

Did the GW lost the connection to the management server and had to log locally?

You can check $FWDIR/log/ for local logs.

Alternatively, what was the "top -S" output during when you noticed the high %wa, was gzip involved?

A classic would be a repeatedly crashing process with coredumps.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events