High CPU load on ISE iPEP

Octavian Szolga · ‎06-28-2013

Hi,

I just configured two 3315 as iPEP HA pair in routed mode.

Two hours after setup I noticed in ISE Admin dashboard a ~70% CPU load on both iPEP nodes.

Are there any commands to investigate this strange behaviour giving the fact that the cluster isn't doing anything right now? Not processing any traffic?

I've tried every show pep command from iPEP directly but haven't found anything useful.

Octavian

Tarik Admani · ‎06-28-2013

Hi,

This is normal because the cpu process are managed by the click process so the virtualized router or bridge can operate in this unique mode. No need to worry as this is the same behavior and concept as the cisco nac server.

Thanks,

Sent from Cisco Technical Support iPad App

Marcin Latosiewicz · ‎06-29-2013

To maybe add to this.

While the "high" CPU might be expected, it's good to reliase:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh46207

In some scenarios we saw routing loops introduced.

M.

Octavian Szolga · ‎06-30-2013

The bug you're reffering to isn't public yet and I can't access it.

In my case there's no routing loop or any loop whatsoever.

Octavian Szolga · ‎06-30-2013

Never heard of click process before, but anyway, if iPEP is just a router/switch virtualized, shouldn't the CPU be loaded when forwarding traffic? In my case, I wans't forwarding anything, it was idle. Maybe it wasn't designed with idle time like GNS3

Shaoqin Li · ‎06-29-2013

it is always prederred if you can post your ISE version and patch.

besides the bug, you can check what packets were coming causing high cpu.

if you are sending asa syslogs to mnt node, it might happen.

Sent from Cisco Technical Support iPad App

Octavian Szolga · ‎06-30-2013

Indeed, it is useful, but isn't iPEP a different OS installed on the same hardware?

Why else GRUB would be used as boot loader?

In my understanding iPEP software differes from ISE (ADE OS).

I'm using ISE 1.1.3 with patch 2 installed.

ipep1/admin# show ver

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.4.018

ADE-OS System Architecture: i386

Hostname: ipep1

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------

Version : 1.1.3.124

Build Date : Thu Feb 7 08:55:38 2013

Install Date : Mon Jun 17 19:53:20 2013

Ravi Singh · ‎06-30-2013

ISE ships with a script in the /opt/CSCOcpm/bin directory that can be run using "./runjmxclient.sh locahost 1" on a PAP or PDP (or use TACtshoot patch command tac ise show profiler-stat)

. This script will dump information in CSV format every second. This CSV contains information showing the amount of endpoints being profiled every second.

Tarik Admani · ‎06-30-2013

Team,

This is a inline node (ipep) so it is safe to assume that the profling or the monitoring is not causing high cpu. This is a common known scenario back in the clean access server days - https://supportforums.cisco.com/thread/2012841

You can leverage the show processes command on the cli of the inline node to verify that this is the process that is at 99%.

Thanks,

Tarik Admani
*Please rate helpful posts*

Octavian Szolga · ‎06-30-2013

show process on iPEP doesn't show anything interesting like it would show on a router (cpu load per process and so on).

I'll get back with an output.

Octavian Szolga · ‎06-30-2013

Offtopic: How can one access ISE shell / linux cli?

Marcin Latosiewicz · ‎06-30-2013

root patch (like in ACS) or TAC patch.

And you should not get access unless something's badly broken, or that's the principle.