Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Specialist

CVPND process consumes 100% CPU

Hi There,

 

I have a problem - during policy push cvpnd process is going 100% for 30 seconds during which existing or new connections are not served and users get page not displayed error.

 

I checked debug of cvpnd process and my findings are that 98% of the lines (out of 2 millions) are:

[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection

 

What is this ROLE_MATCHER_API doing? It seems it is flooding the process hence it is busy with 100% load.

 

R80.20 latest JHF

 

0 Kudos
Reply
9 Replies
Highlighted
Admin
Admin

My guess is this is related to Identity Awareness.
Do you have that enabled?
Version/JHF level?
0 Kudos
Reply
Highlighted
Specialist

We do use identity awareness, but it is enabled on other gateways, but not on this one. However both gateways share the same management server.

 

The issue is present in R80.20 JHF47 and R80.20 kernel 3.10 Take11

0 Kudos
Reply
Highlighted
Admin
Admin

Looks like a new issue that TAC will need to investigate. Even old TAC SRs didn't show similar messages. 

0 Kudos
Reply
Highlighted
Specialist

Yes, I have TAC ticket also.

 

It is really strange and I hope that there is a setting which can force to skip matching roles if IA blade is disabled, but TAC is also struggling to understand this issue.

0 Kudos
Reply
Highlighted

Same problem on R80.20 JHF 47(GA) or JHF87 (ongoing) with or without IA blade.

Someone have news regarding this?

 

Massimo

0 Kudos
Reply
Highlighted
Specialist

Technical support have build a fix for this. Once I try it I'll let you know.

0 Kudos
Reply
Highlighted
Specialist

Forgot to give feedback - the fix worked. 

0 Kudos
Reply
Highlighted

In our case the problem was fixed removing all the network objects (groups in particular is a CPU consuming) from all the Roles

0 Kudos
Reply
Highlighted
Specialist

Hello,

Can you clarify with an example? So you had access roles and just removed objects which were in "networks" section?

0 Kudos
Reply