Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
EnriqueGD
Participant
Jump to solution

High CPU in only one core R77.30

Hello,

 

We are having performance issues on one machine, and we beliave that it´s due to high CPU utilization of one of the core:

 

1.- CPU 3 vary between 80-100% in a normal situation

 

| CPU: |
| |
| Num of CPUs: 4 |
| |
| CPU Used |
| 3 99% | <<<<<<<<<<<<<<<<
| 1 47% |
| 0 36%

 

[Expert@fw-extra-jc-02:0]# cpstat -f multi_cpu os

Processors load
---------------------------------------------------------------------------------
|CPU#|User Time(%)|System Time(%)|Idle Time(%)|Usage(%)|Run queue|Interrupts/sec|
---------------------------------------------------------------------------------
| 1| 4| 10| 85| 15| ?| 49|
| 2| 3| 2| 95| 5| ?| 49|
| 3| 3| 2| 96| 4| ?| 49|
| 4| 0| 94| 6| 94| ?| 49|  <<<<<<<<<<
---------------------------------------------------------------------------------

 

2.- We can se how the FW drops traffic due to the high CPU utilization:

Drops: |
| |
| Software Blades 2,121,406,315 |
| Interface incoming drops 5,107 |
| Instance high CPU 293,267 | <<<<<<<<<<<<<<<<<<<<<<<<<
| Rulebase 26,058,776 |
| Capacity 0 |
| SecureXL 0 |
| Drop out of state TCP enabled

 

3.- The affinity is as follow:

[Expert@fw-extra-jc-02:0]# fw ctl affinity -l -r
CPU 0: eth2 eth3 eth6 eth7 eth8 eth12 eth13
CPU 1: fw_2
CPU 2: fw_1
CPU 3: fw_0
All: fwpushd rtmd mpdaemon fwd vpnd cprid cpd

 

4.- The output of the fwaccel is as follow

[Expert@fw-extra-jc-02:0]# fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall 
disabled from rule #1427 <<<<<<<<<<<<<<<<<<<<<<<<<<<
Drop Templates : disabled
NAT Templates : disabled by user <<<<<<<<<<<<<<<<<<<<<<<<<<<

Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, Nac,
ViolationStats, AsychronicNotif, ERDOS,
NAT64, GTPAcceleration, SCTPAcceleration,
McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

 

<<< I can´t not understand why it sais that the "Accept Templates" are disabled by the rule 1427, bacause we don´t have so many rules defined.

<<< Is it recomendable to enabled NAT Templates?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

5.- Most part of the packets that the FW receives goes to the slow path. Is that percentage normal?

[Expert@fw-extra-jc-02:0]# fwaccel stats -s
Accelerated conns/Total conns : 357/4899 (7%)
Accelerated pkts/Total pkts : 60146117/347837617 (17%)
F2Fed pkts/Total pkts : 286984245/347837617 (82%) <<<<<<<<<<<
PXL pkts/Total pkts : 707255/347837617 (0%)
QXL pkts/Total pkts : 0/347837617 (0%)

 

Thank´s a lot in advance.

 

Regards,

Enrique.

0 Kudos
10 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events