[ScreenOS] With CPU protection enabled, why do drop counters increase even when utilization is less than the threshold?



Article ID: KB25962 KB Last Updated: 09 May 2013 Version: 4.0
This article explains why drop counters keep increasing with CPU protection enabled, even though CPU utilization is below the configured threshold.
With CPU protection enabled and the threshold set to 90%, the drop counters increase even though utilization is below the threshold. The command to enable CPU protection is: set cpu-protection threshold 90
FW-> get cpu-protection
Current usage: 44%, High CPU threshold: 90%
ID Src-IP Dst-IP Protocol Src-Port Dst-Port Drop Timeout
Class    Traffic       Drop        Pass
0        Critical      0           7849487
1        BC            0           34545
2        Non-first     0           561875
3        First         22321471   22991316
4        Other         0          81219

FW-> get cpu-protection
Current usage: 46%, High CPU threshold: 90%
ID Src-IP Dst-IP Protocol Src-Port Dst-Port Drop Timeout
Class    Traffic           Drop            Pass
0        Critical         0                7932142
1        BC               0                34894
2        Non-first        0                567178
3        First            22464716         23272478
4        Other            0                81916

This is expected behavior.

  • The firewall does not immediately stop dropping traffic when CPU utilization goes below the threshold.

  • Rather, it uses internal logic to gradually reduce the drop frequency, and it ultimately stops dropping packets when the flow has stabilized.

  • The firewall maintains a drop frequency that indicates the number of packets to be dropped per 100 packets; this value changes with the flow.

  • This drop frequency is maintained internally and cannot be viewed on the firewall.

  • The calculation includes a combination of the following parameters:

    • Current utilization with respect to utilization during the last second.

    • CPU threshold.

    • The packets that are dropped during the last second.

  • In a production environment, it is not possible to predict the drop rate, as it depends on the traffic flow.

Note: At times, CPU usage may be below the threshold precisely because packets are being dropped by cpu-protection. In that case the traffic is not actually below the threshold; rather, it is maintained below the threshold by dropping packets.

Note: See KB27138 for further detail on cpu-protection throttling.
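
Because the internal drop frequency cannot be viewed, the practical check is to compare two `get cpu-protection` samples and see which class is still being throttled. The following Python sketch is an added example, not Juniper code: it parses the two outputs shown above (header lines omitted) and reports the observed drop share per class between samples. The function names are hypothetical, and the result is the observed ratio from the counters, not the firewall's internal drop frequency.

```python
import re

# Usage line and class rows copied from the two outputs in this article.
SAMPLE_1 = """\
Current usage: 44%, High CPU threshold: 90%
0        Critical      0           7849487
1        BC            0           34545
2        Non-first     0           561875
3        First         22321471   22991316
4        Other         0          81219
"""
SAMPLE_2 = """\
Current usage: 46%, High CPU threshold: 90%
0        Critical         0                7932142
1        BC               0                34894
2        Non-first        0                567178
3        First            22464716         23272478
4        Other            0                81916
"""

USAGE = re.compile(r"Current usage:\s*(\d+)%, High CPU threshold:\s*(\d+)%")
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\d+)\s+(\d+)\s*$")  # id, class, drop, pass

def parse(text):
    """Return (usage_pct, threshold_pct, {class: (drop, pass)})."""
    m = USAGE.search(text)
    if not m:
        raise ValueError("no 'Current usage' line found")
    rows = (ROW.match(line) for line in text.splitlines())
    classes = {r.group(1): (int(r.group(2)), int(r.group(3))) for r in rows if r}
    return int(m.group(1)), int(m.group(2)), classes

def throttled_below_threshold(before, after):
    """Classes whose drop counter grew although the later sample is below
    the threshold. Value: (dropped, passed, drop_pct) between the samples."""
    _, _, old = parse(before)
    usage, threshold, new = parse(after)
    result = {}
    if usage >= threshold:
        return result  # drops at or above the threshold need no explanation
    for name, (drop, passed) in new.items():
        if name not in old:
            continue
        d_drop, d_pass = drop - old[name][0], passed - old[name][1]
        if d_drop < 0 or d_pass < 0:
            continue  # counters went backwards (cleared or rebooted): skip
        if d_drop > 0:
            result[name] = (d_drop, d_pass, round(100 * d_drop / (d_drop + d_pass), 1))
    return result

if __name__ == "__main__":
    print(throttled_below_threshold(SAMPLE_1, SAMPLE_2))
```

On the article's samples only the First class is still being dropped; a share that shrinks over successive samples matches the gradual reduction described above.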
