Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] High flow CPU on ISG/NS due to TCP Syslog

0

0

Article ID: KB32330 KB Last Updated: 14 Dec 2017Version: 1.0
Summary:

This article discusses a scenario where ISG/NS experienced high CPU due to TCP syslog using port 514.

Symptoms:

ISG/NS experienced high CPU where fprofile shows most packets are TCP and dst port 514.

Output of Fprofile:

fa01(M)-> get fprofile packet 
packet buffer size(in kilo-packets): 64
total ip packet: 65298
total ip packet time(us): 9360348
total none-ip packet: 238
total none-ip packet time(us): 14041
    Id  Type   Protocol   Source       Destination    Sport    Dport    Time      Percentage
     1  ip     0x06       64.54.X.X    10.1.X.X       38822    514      1985951   21.18%     
     2  ip     0x06       10.34.X.X    64.54.X.X      42974    514      883775    9.42%    
     3  ip     0x06       10.34.X.X    64.54.X.X      40534    514      860211    9.17%    
     4  ip     0x06       10.34.X.X    64.54.X.X      41748    514      800911    8.54%    
     5  ip     0x06       10.34.X.X    64.54.X.X      33361    514      798940    8.52%   
 

As shown in the output, most packets that are consuming the CPU are TCP 514.

Cause:

This happens due to the fact that TCP syslog protocol does not have any predefined port number (refer to the Related Links section below for more details). Typically, port 514 is used for TCP as well, since we use it for UDP. However, port TCP 514 comes under RSH port range and the ScreenOS firewalls are fitted with RSH ALG to intercept the protocol data and act accordingly.

By design, only the parent connection of the ALG traffic goes to the CPU and traffic for the child connection will be processed by the ASIC. However, since this case it is not really RSH traffic, there will never be any child sessions. All the traffic falls on the parent connection will keep on consuming CPU resources since the ASIC thinks that more processing is needed from the CPU side for the child session creation.

 

Solution:

Disable RSH ALG
Keep the ALG enabled and force the firewall to not invoke ALG on the RSH port range, so one of the solutions can be to disable the ALG:

#unset alg RSH enable


OR
 

Use another port for TCP Syslog
Alternatively, you can use a different port number which does not overlap with the RSH for the TCP Syslog to avoid this issue.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search