
[ScreenOS] Checklist For the high flow CPU spike issue on the ASIC platform


Article ID: KB23957 KB Last Updated: 11 Dec 2012Version: 2.0
Summary:
This article provides a checklist for the high flow CPU spiking issue in a production environment.
Symptoms:
The CPU details can be obtained with the following command:
#get perf cpu all detail
For example:
 
FWL20124(M)-> get perf cpu all detail
Average System Utilization: 16% (flow 21 task 2)
Last 60 seconds:
59: 41(66 5)* 58: 39(49 5) 57: 52(62 5)* 56: 56(66 7)*
55: 47(57 6) 54: 37(47 4) 53: 38(48 5) 52: 42(52 6)
51: 39(49 6) 50: 34(44 4) 49: 37(47 5) 48: 31(41 6)
47: 71(81 6)** 46: 37(47 5) 45: 45(55 5) 44: 38(48 5)
43: 45(55 6) 42: 68(78 7)* 41: 38(48 4) 40: 28(38 4)
The above output indicates that the flow CPU is spiking (the second value inside the parentheses is the flow CPU utilization for that second).

Quick pointers to be checked:

If any specific change was performed:

  • In the network:

    It could be a new server deployment that is sending a high amount of traffic through the device. Collect the required information (such as the source IP address) for this traffic.

  • On the device:

    Check for any new policy push or policy change on the device. Additionally, check the output of get sat 0 d for the Packets Per Second (PPS) rate on the device:
    FW-A(M)-> get sat 0 d
    Current(7d;01:34:43) Last(7d;01:34:43) PPS(1431s)
    to_host_packet: 3497409747 3486028227 7950
    SYN/ACK: 57203009 57041455 110
    FIN: 105586510 105281059 210
    RST: 15537874 15503043 20
    OTHERS: 3319082355 3308202670 7600
    
    first_packet: 508865627 507795633 740
    brcst: 110322765 110302812 10
    no_ip_ether_net: 90168069 90154065 0
    sa_time_sec_expire: 1645 1645 0
    sa_inactive: 80412 80400 0
    ipsec_pak_replay: 3183 3183 0
    ipsec_auth_fail: 2214 2214 0
    seq_out_window: 43908313 43906270 0
    ttl_zero: 998 998 0
    ip_tlen_over_err: 5 5 0
    invalid_src_adr: 441 441 0
    invalid_protocol: 55 55 0
    udp_hdr_len_err: 26 26 0
    tcp_data_off_err: 28433 28433 0
    tiny_tcp_err: 3 3 0
    lan_attk: 2 2 0
    ping_of_death: 3 3 0
    tcp_chksum_err: 16689493 16689442 0
    udp_chksum_err: 58960 58960 0
    defragged_proc: 1871297 1869411 0
    total packet: 4269411692 4256922228 8720 
    CLSF counters:
    fragment pak 11328935 11327481 0
    unknown protocol 1841029 1840742 0
    icmp 54611784 54601528 0
Check list:

  • Check the to_host_packet counter, which shows packets being pushed to the CPU. On the ASIC-based (high-end) platforms, packets should reach the CPU only when a session is created or an ALG is invoked.

  • In the above example, in the PPS counter, the OTHERS category of to_host_packet is almost 90% of the total traffic.

  • Any test policy that is configured with the hardware session turned off (to collect debugs) can drive the firewall into the flow state if the traffic matching that policy is too high.

  • Check whether the configuration has any policy set with no-hw-sess:
    # get config | i no-hw-sess
    When this parameter is set at the policy level, all traffic matching that policy is pushed to the CPU, which increases the load on it.
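To make the two checks above repeatable on captured CLI output, here is an added Python helper (not part of the KB article) that parses the `get perf cpu all detail` grid and the `get sat 0 d` counters. The samples are the page's own values re-typed as constructed strings, and the 60% flow threshold is an assumption.

```python
import re

# Constructed sample: a subset of the `get perf cpu all detail` output shown above.
CPU_SAMPLE = """\
Average System Utilization: 16% (flow 21 task 2)
Last 60 seconds:
59: 41(66 5)* 58: 39(49 5) 57: 52(62 5)* 56: 56(66 7)*
55: 47(57 6) 54: 37(47 4) 53: 38(48 5) 52: 42(52 6)
47: 71(81 6)** 46: 37(47 5) 45: 45(55 5) 44: 38(48 5)
"""

# Constructed sample: the relevant rows of the `get sat 0 d` output shown above.
SAT_SAMPLE = """\
to_host_packet: 3497409747 3486028227 7950
SYN/ACK: 57203009 57041455 110
FIN: 105586510 105281059 210
RST: 15537874 15503043 20
OTHERS: 3319082355 3308202670 7600
first_packet: 508865627 507795633 740
total packet: 4269411692 4256922228 8720
"""

# "<second>: <total>(<flow> <task>)<stars>" cells of the per-second grid.
CPU_RE = re.compile(r"(\d+):\s+(\d+)\((\d+)\s+(\d+)\)(\*{0,2})")
# "<counter>: <current> <last> <pps>" rows of the statistics table.
SAT_RE = re.compile(r"^\s*([A-Za-z_/ ]+?):\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_cpu_detail(text):
    """Return {second: (total, flow, task, stars)} from the per-second grid."""
    return {int(s): (int(t), int(f), int(k), st)
            for s, t, f, k, st in CPU_RE.findall(text)}


def flow_spikes(text, threshold=60):
    """Seconds whose flow CPU is at or above threshold, newest first (threshold is assumed)."""
    samples = parse_cpu_detail(text)
    return sorted((s for s, v in samples.items() if v[1] >= threshold), reverse=True)


def parse_sat_pps(text):
    """Return {counter: PPS} (third numeric column) from `get sat 0 d` output."""
    return {name.strip(): int(pps) for name, _, _, pps in SAT_RE.findall(text)}


def others_share(text):
    """Fraction of total PPS that falls in the OTHERS bucket of to_host_packet."""
    pps = parse_sat_pps(text)
    return pps["OTHERS"] / pps["total packet"]
```

On the page's numbers, `others_share` comes out near 0.87, matching the "almost 90%" observation in the checklist.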
Cause:

Solution:
Unset no-hw-sess on the policy by using the following commands (where X is the ID of the policy in question):
#set policy id X
#<Policy:X>unset no-hw-sess
#<Policy:X>exit