CPU utilization is extremely high on the Juniper Firewall. What is triggering the high CPU situation?
Problem or Goal:
Packets sent to the firewall, passing through it, or processed by it all consume CPU. The firewall will start to experience problems if CPU utilization begins to reach 85%. The symptoms include:
High CPU utilization
Poor system or throughput performance
OSPF adjacencies or BGP peerings are failing
Device management is slower than normal
Ping to the management interface times out
Firewall is not passing traffic
The 'in overrun' counter (get counter stat) could increment.
To Troubleshoot a High CPU situation
Check the CPU Utilization
CPU utilization is calculated from two entities: Flow and Task. It is defined as the percentage of time the CPU spends processing rather than sitting idle. High CPU utilization means the CPU is busy processing network traffic; it does not by itself mean that the firewall cannot keep up and will start dropping packets. CPU utilization is only a measure of network load through the firewall, not the throughput of the box itself.
Note: On all firewall appliance devices (NetScreen-5, 25, 50, 204, 208, and SSG Series), there is one CPU used for processing. On ASIC-based hardware firewalls (NS-5000, ISG devices) there are two CPUs: one dedicated to flow and the other dedicated to task.
The CLI command get perf cpu detail will show an overview of the CPU percentage, with the last 1 minute broken down into average CPU during single second segments:
Average system utilization is the average CPU utilization for the last 24 hrs. For example, if the system up time is 48 hrs and 18 minutes, then the average system utilization is the average CPU utilization in the last 24 hours, excluding that 18 minutes.
If the system up time is less than 24 hrs but greater than 1 hr, it is the average utilization up to the last hour. For example, if the system has been up 10 hrs 40 minutes, the average system utilization is the CPU utilization over 10 hrs (excluding the 40 minutes).
If the system up time is less than 1 hr (for example, 34 minutes 26 seconds), then the average utilization is the CPU utilization in the last 34 minutes (excluding the 26 seconds).
If the system up time is less than 1 minute, for example 48 seconds, then the average utilization is computed over that 48 seconds.
Determine if the High CPU is caused by Flow or Task
The command get perf cpu all detail lists the utilization history of the CPU by Flow and Task. The first number within the parentheses is the Flow CPU, and the second number is the Task CPU.
A single asterisk * indicates the CPU is nearing a warning threshold. It is marked when utilization is ≥ 50% & ≤ 70%.
Double asterisks ** indicate that the CPU is nearing a high level; the administrator should investigate why the CPU is nearing this level. It is marked when utilization is ≥ 70% & ≤ 85%.
Triple asterisks *** indicate that CPU utilization is high; the administrator should investigate why the CPU is high. It is marked when utilization is ≥ 85%.
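The Flow/Task split and asterisk bands described above can be applied to saved command output offline. The following is an added example, not Juniper code: the per-second sample layout `<second>: <total>(<flow> <task>)`, the sample text, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed layout of one per-second sample: "<sec>: <total>(<flow> <task>)",
# optionally followed by asterisks. Not taken from vendor documentation.
SAMPLE_RE = re.compile(r"(\d+):\s*(\d+)\(\s*(\d+)\s+(\d+)\)")

# Constructed sample text, not captured from a real device.
CONSTRUCTED_OUTPUT = """\
Last 60 seconds:
59:  91(88  3)***  58:  86(85  1)***  57:  72(70  2)**
56:  55(12 43)*    55:  12( 8  4)     54:  90(20 70)***
"""

def severity(pct):
    """Map a utilization percentage to the asterisk marker bands."""
    # The stated bands share the values 70% and 85%.
    # Assumption: the higher band wins at a shared boundary.
    if pct >= 85:
        return "***"
    if pct >= 70:
        return "**"
    if pct >= 50:
        return "*"
    return ""

def parse_samples(text):
    """Return one dict per per-second sample found in the text."""
    samples = []
    for sec, total, flow, task in SAMPLE_RE.findall(text):
        total, flow, task = int(total), int(flow), int(task)
        samples.append({
            "second": int(sec), "total": total, "flow": flow, "task": task,
            "marker": severity(total),
            # First number in parentheses is Flow, second is Task.
            "driver": "flow" if flow >= task else "task",
        })
    return samples

def dominant_driver(samples, threshold=70):
    """Name the component behind most samples at or above the threshold."""
    counts = Counter(s["driver"] for s in samples if s["total"] >= threshold)
    return counts.most_common(1)[0][0] if counts else None

if __name__ == "__main__":
    parsed = parse_samples(CONSTRUCTED_OUTPUT)
    for s in parsed:
        print(s)
    print("dominant driver:", dominant_driver(parsed))
```
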