We're currently experiencing this in a 5200 appliance running on the said version and JHF on the post.

Management and GW are separate machines.

Do take note we also tried changing the values on cpprod_util FwGetParam CP_INSTALL_POLICY_MT_LIMIT to 2, but still experience the same behavior.

You may refer to this video on my attempt in pushing a policy:

Just about to make breakfast, will check it in a bit.

Cheers,

Andy

Hello @the_rock, 

Unfortunately ticking disabled accelerated policy install still shows the same issue.

Here's the screenshot from the command top when pushing a policy:

Sorry for the late revert as I just came back from a long week out of work.

No worries, hope you are okay! Health ALWAYS first, always, before anything else. 

Hey, just wondering, have you tried rebooting the fw? If so, did it make any difference?

Andy

Hello @the_rock,

I just did earlier but experienced the same thing after pushing a policy.

How do you have Identity Awareness configured on this system?  Two instances of pdpd are consuming gigantic amounts of processing time on your 2 CPUs.  My guess is that you have AD Query configured on a domain with much greater than 250 users; if so you should be using the identity collector software to handle this.  Try unchecking Identity Awareness on your gateway and execute a couple of policy installs, does the problem go away?

Hello @Timothy_Hall, I have both Identity Collector and AD Query enabled for this. But do keep in mind that before we experienced this, at R80.40, we are able to enable both and not encounter the issue. I just tried disabling identity awareness as well, but I still experience the same issue.

Generally both should not be enabled at the same time.

ADQuery is legacy and is replaced by IDC.

Hello @Chris_Atkinson,

But then again, the same behaviour is experienced even after disabling the Identity Awareness blade.

Understand and though it might be a contributing factor I did not state it as the cause for this issue just that it shouldn't be that way.

Please provide the outputs of the Super Seven and enabled_blades.  The classic symptom of an overloaded gateway is loss of traffic during a policy push, which is easy to cause on a 2-core system by enabling too many blades while passing a lot of traffic.

I see what Chris is saying, but in your case, appears that would not be an issue. Hey, just wondering, have you tried maybe disabling IA blade, install policy, re-enable and install again?

Andy

Hello @the_rock,

I have attempted this earlier as what @Timothy_Hall, suggested, but still experienced the same issue even after that.

Some questions and please forgive me if some of them were answered before.

1) When did this issue originally happen?

2) Any changes done just before the problem started?

3) Any way version can be upgraded to R81.20 jumbo 89 (recommended)?

4) Was there ever TAC case opened for this?

Andy

Hello @the_rock,

No worries, the answers are below:

1) When did this issue originally happen? We happen to notice it right after we upgrade to R81.10. Prior to this on R80.40 everything is working fine

2) Any changes done just before the problem started? The change I think that we did was we attempted to HA the appliance when our RMA arrived, but it failed so we reverted back to, right after that the behavior started.

3) Any way version can be upgraded to R81.20 jumbo 89 (recommended)? If we can push this through, I just want to confirm: can we keep our external firewall at R81.10 for the mean time while we upgrade our Smart-1 appliance and the problematic internal firewall to R82.10?

4) Was there ever TAC case opened for this? So far no, as 1. We need to contact our local distributor first, and they will be the one that will create the ticket on our behalf, which takes a lot of time, that's why as much as possible we're trying to troubleshoot it with the available resources that we have.

K, thank you for providing those details, that clears some things I was not sure about.

Yes, I would absolutely upgrade to R81.20 if you can and yes, while its not recommended to have cluster members on different versions, I had seen people do it, but personally, I would NOT suggest you do that for more than few days. Maybe best over say one weekend, and possibly monday-tuesday to make sure.

Andy