Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Why is Flow CPU High, when Packet Per Second Rate is < 1000 pps on ISG and NS-5000 platforms?

0

0

Article ID: KB15921 KB Last Updated: 22 Jun 2010Version: 2.0
Summary:
Firewall experiences high flow CPU (90-100%), but the packet per second rate going to CPU is < 1000 pps.
Symptoms:
  • High Flow CPU (90-100%)
  • Significantly high Task CPU (50-80%)
  • get sat or get asic demux shows pps rate < 1000 pps
Solution:
Usually, high flow CPU utilization can be a result of a large pps rate going to the CPU.  However, there are cases where high flow CPU can occur due to policy installation and policy ordering. 

Policy Installation

When address objects in a policy are used that require DNS resolution (e.g.  An address book object defined by a Fully Qualified Domain Name, or FQDN), when the TTL for that object counts down, a DNS refresh is required.  When this operation occurs, the policy needs to be re-installed back into memory.  If the TTL is very small, and the policy is accessed very frequently, this can cause high flow CPU, even though the PPS rate is very low. 

For more details on this, please refer to KB14458 - Packet Drop Intermittently Due to Rapid DNS Refresh and Policy Re-Install

This issue can be addressed by upgrading to ScreenOS 6.3.0 or higher.  This has an enhancement to the way policy installations are done.

Policy Ordering

If one particular policy is accessed very frequently, and it is positioned near the end of a policy list, this could cause high flow CPU condition.  One workaround for this problem is to move the most frequently access policies to the top of the list (if possible).  Another solution to this problem is to use swrs. 

For more information on swrs, please refer to KB12695 - Hardware Rule Search (RMS) and Software Rule Search (SWRS) on High-end Firewall Platforms

To enable swrs:
set policy swrs
reset

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search