CVPND process consumes 100% CPU
Hi There,
I have a problem - during policy push cvpnd process is going 100% for 30 seconds during which existing or new connections are not served and users get page not displayed error.
I checked the debug of the cvpnd process and my findings are that 98% of the lines (out of 2 million) are:
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
What is this ROLE_MATCHER_API doing? It seems it is flooding the process hence it is busy with 100% load.
R80.20 latest JHF
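The measurement described in the post above (what share of a cvpnd debug file each logging function accounts for) can be reproduced with a short script. This is an added example, not part of the original thread or Check Point tooling; the line layout is inferred from the three quoted lines, and the fourth sample line and the function names `tally` and `dominant` are constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the lines quoted in the post (an assumption):
# [pid][timestamp][topic] [topic (subtopic)] function: message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<topic>[^\]]+)\]\s+"
    r"\[[^\]]*\]\s+(?P<func>\S+?):\s+(?P<msg>.*)$"
)

def tally(lines):
    """Count parsed lines per (topic, function) and per timestamp."""
    by_func, by_second, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # continuation lines, blank lines, other layouts
            continue
        by_func[(m["topic"], m["func"])] += 1
        by_second[m["ts"]] += 1
    return by_func, by_second, unparsed

def dominant(lines):
    """Return ((topic, function), share of parsed lines) for the noisiest source."""
    by_func, _, _ = tally(lines)
    total = sum(by_func.values())
    if total == 0:
        return None, 0.0
    key, count = by_func.most_common(1)[0]
    return key, count / total

FUNC = "NAC::IS::ROLE_MATCHER_API::RangeList::intersect"
PREFIX = "[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] "
# Constructed sample: three lines from the post, one made-up line, one blank.
SAMPLE = [
    PREFIX + FUNC + ": no intersection",
    PREFIX + FUNC + ": intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]",
    PREFIX + FUNC + ": no intersection",
    "[12609][23 Apr 17:35:13][CVPND] [CVPND (Constructed)] Example::filler: made-up line",
    "",
]

if __name__ == "__main__":
    key, share = dominant(SAMPLE)
    print(f"{key[0]} / {key[1]}: {share:.0%} of parsed lines")
    for ts, n in tally(SAMPLE)[1].most_common(3):
        print(f"{ts}: {n} lines")
```

On a real debug file, pass the open file object as `lines`; the per-timestamp counts show whether the burst lines up with the policy push.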
Do you have that enabled?
Version/JHF level?
We do use Identity Awareness, but it is enabled on other gateways, not on this one. However, both gateways share the same management server.
The issue is present in R80.20 JHF47 and R80.20 kernel 3.10 Take11
Looks like a new issue that TAC will need to investigate. Even old TAC SRs didn't show similar messages.
Yes, I have a TAC ticket also.
It is really strange and I hope that there is a setting which can force to skip matching roles if IA blade is disabled, but TAC is also struggling to understand this issue.
Same problem on R80.20 JHF 47 (GA) or JHF87 (ongoing) with or without IA blade.
Does anyone have news regarding this?
Massimo
Technical support has built a fix for this. Once I try it I'll let you know.
Forgot to give feedback - the fix worked.
In our case the problem was fixed by removing all the network objects (groups in particular are CPU consuming) from all the Roles.
Hello,
Can you clarify with an example? So you had access roles and just removed objects which were in "networks" section?