abihsot__
Advisor

CVPND process consumes 100% CPU

Hi There,

 

I have a problem: during policy push the cvpnd process goes to 100% for 30 seconds, during which existing or new connections are not served and users get a "page not displayed" error.

 

I checked the debug of the cvpnd process and my findings are that 98% of the lines (out of 2 million) are:

[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection

 

What is this ROLE_MATCHER_API doing? It seems it is flooding the process, hence it is busy with 100% load.

 

R80.20 latest JHF

 

0 Kudos
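
Added example, not part of the original thread and not Check Point code: one way to measure which call sites dominate a cvpnd debug capture like the one quoted in the post above, and how many lines land in each second. The field layout is inferred from the three quoted lines; the last two sample lines (including the function name `Example::hypothetical_function`) are constructed.

```python
import re
from collections import Counter

# Layout inferred from the lines quoted in the post (an assumption):
# [pid][timestamp][topic] [topic (subtopic)] function: message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<topic>[^\]]+)\]\s+"
    r"\[[^\]]*\]\s+(?P<func>\S+?):\s+(?P<msg>.*)$"
)
RANGE_RE = re.compile(r"\[[^\]]*\]")  # collapse address ranges so messages group

def profile(lines):
    """Count parsed lines per (function, message shape) and per timestamp second."""
    by_site, by_second, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # blanks, continuation lines, other formats
            continue
        shape = RANGE_RE.sub("[range]", m["msg"])
        by_site[(m["func"], shape)] += 1
        by_second[m["ts"]] += 1
    return by_site, by_second, skipped

def share_by_function(by_site):
    """Return {function: fraction of all parsed lines}."""
    total = sum(by_site.values())
    per_func = Counter()
    for (func, _shape), n in by_site.items():
        per_func[func] += n
    return {f: n / total for f, n in per_func.items()} if total else {}

# Constructed sample: three lines from the post, then two made-up lines.
SAMPLE = """\
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:13][EXAMPLE] [EXAMPLE (constructed)] Example::hypothetical_function: constructed placeholder line
constructed line with no header
"""

if __name__ == "__main__":
    sites, seconds, skipped = profile(SAMPLE.splitlines())
    for func, frac in sorted(share_by_function(sites).items(), key=lambda kv: -kv[1]):
        print(f"{frac:6.1%}  {func}")
    print("busiest second:", seconds.most_common(1), "skipped:", skipped)
```

On a real capture, pass the open file object to `profile()` instead of `SAMPLE.splitlines()`; the per-second counter shows whether the burst lines up with the policy push window.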
9 Replies
PhoneBoy
Admin

My guess is this is related to Identity Awareness.
Do you have that enabled?
Version/JHF level?
0 Kudos
abihsot__
Advisor

We do use Identity Awareness, but it is enabled on other gateways, not on this one. However, both gateways share the same management server.

 

The issue is present in R80.20 JHF47 and R80.20 kernel 3.10 Take11

0 Kudos
PhoneBoy
Admin

Looks like a new issue that TAC will need to investigate. Even old TAC SRs didn't show similar messages. 

0 Kudos
abihsot__
Advisor

Yes, I have TAC ticket also.

 

It is really strange and I hope that there is a setting which can force to skip matching roles if IA blade is disabled, but TAC is also struggling to understand this issue.

0 Kudos
Massimo_Manzato
Participant

Same problem on R80.20 JHF 47(GA) or JHF87 (ongoing) with or without IA blade.

Does anyone have news regarding this?

 

Massimo

0 Kudos
abihsot__
Advisor

Technical support has built a fix for this. Once I try it I'll let you know.

0 Kudos
abihsot__
Advisor

Forgot to give feedback - the fix worked. 

0 Kudos
Massimo_Manzato
Participant

In our case the problem was fixed by removing all the network objects (groups in particular are CPU consuming) from all the Roles.

0 Kudos
abihsot__
Advisor

Hello,

Can you clarify with an example? So you had access roles and just removed objects which were in "networks" section?

0 Kudos
