abihsot__
Advisor

CVPND process consumes 100% CPU

Hi There,

 

I have a problem: during policy push, the cvpnd process goes to 100% for 30 seconds, during which existing or new connections are not served and users get a "page not displayed" error.

 

I checked the debug of the cvpnd process and my findings are that 98% of the lines (out of 2 million) are:

[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection

 

What is this ROLE_MATCHER_API doing? It seems it is flooding the process hence it is busy with 100% load.

 

R80.20 latest JHF

 

0 Kudos
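
One way to confirm which function is flooding a debug file like the one quoted in the opening post, as an added example that is not part of the thread or of any Check Point tooling: it tallies lines per emitting function and per second. The line layout is inferred from the three lines shown above; the IP ranges, the non-ROLES line and the continuation line in the sample are constructed.

```python
import re
from collections import Counter

# Layout inferred from the debug lines quoted in the post (an assumption):
# [pid][DD Mon HH:MM:SS][TOPIC] [TOPIC (subtopic)] function: message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\[(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2})\]"
    r"\[(?P<topic>\w+)\]\s+\[[^\]]*\]\s+(?P<func>\S+?):\s(?P<msg>.*)$"
)

def summarize(lines):
    """Tally debug lines per emitting function and per one-second bucket."""
    per_func, per_second, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1          # continuation lines, truncated writes, etc.
            continue
        per_func[m["func"]] += 1
        per_second[m["ts"]] += 1
    parsed = sum(per_func.values())
    top_func, top_count = per_func.most_common(1)[0] if per_func else (None, 0)
    return {
        "parsed": parsed,
        "unparsed": unparsed,
        "top_func": top_func,
        "top_share": top_count / parsed if parsed else 0.0,
        "busiest_second": per_second.most_common(1)[0] if per_second else None,
    }

# Constructed sample: the ROLES lines follow the post, with documentation
# IP ranges in place of the redacted ones; the last two lines are made up.
SAMPLE = """\
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [192.0.2.1,192.0.2.10] and [198.51.100.1,198.51.100.20]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:13][CVPN] [CVPN (Example)] Example::Component::handler: constructed filler line
    continuation text without a header
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['top_func']} emitted {s['top_share']:.0%} of {s['parsed']} parsed lines")
    print("busiest second:", s["busiest_second"], "| unparsed:", s["unparsed"])
```
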
10 Replies
PhoneBoy
Admin

My guess is this is related to Identity Awareness.
Do you have that enabled?
Version/JHF level?
0 Kudos
abihsot__
Advisor

We do use Identity Awareness, but it is enabled on other gateways, not on this one. However, both gateways share the same management server.

 

The issue is present in R80.20 JHF47 and R80.20 kernel 3.10 Take11

0 Kudos
PhoneBoy
Admin

Looks like a new issue that TAC will need to investigate. Even old TAC SRs didn't show similar messages. 

0 Kudos
abihsot__
Advisor

Yes, I have a TAC ticket also.

 

It is really strange and I hope that there is a setting which can force it to skip matching roles if the IA blade is disabled, but TAC is also struggling to understand this issue.

0 Kudos
Massimo_Manzato
Participant

Same problem on R80.20 JHF 47 (GA) or JHF 87 (ongoing), with or without the IA blade.

Does anyone have news regarding this?

 

Massimo

0 Kudos
abihsot__
Advisor

Technical support has built a fix for this. Once I try it I'll let you know.

0 Kudos
abihsot__
Advisor

Forgot to give feedback - the fix worked. 

0 Kudos
Massimo_Manzato
Participant

In our case the problem was fixed by removing all the network objects (groups in particular are CPU-consuming) from all the Roles.

0 Kudos
abihsot__
Advisor

Hello,

Can you clarify with an example? So you had access roles and just removed objects which were in "networks" section?

0 Kudos
ErikTorres
Participant

Hello there,
@abihsot__ 
@Massimo_Manzato 

Could you give an example of the solution?
Was it a specific hotfix you installed?

I currently have a FW 9100 R81.20 JHT 92. This firewall ONLY does VPN Mobile Access; users connect by client and/or browser. When I install policies, once the installation finishes the CVPND process is elevated to between 80% and 85%. This makes the Mobile Access web portal stop responding and new users can't connect (users that were already connected have no problem).

I have had tickets with TAC for months and they have not been able to solve the incident. I would like to know how they have managed to solve this problem.

Best Regards!

0 Kudos
