
Cisco Firepower 4110 FTD LINA High CPU Utilization

fabc1
Level 1

Hi guys,

 

I have read in a Cisco support doc that there is no need to worry about LINA consuming high CPU, as it is normal because the LINA process is constantly polling the Network Interface Cards (NICs) for input traffic. In short, the LINA process utilization can be safely ignored (reference: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200950-Clarifying-the-Firepower-Threat-Defense.html).

However, I wonder if it is normal when our FTD 4110 Site2 tenant (39) is less than the FTD Site1 tenant (244), but LINA consumes high memory usage on Site2 compared to Site1. For your information, we set it up as an active/active cluster for our FTD 4110 model. LINA usage for both FTDs is as per the attachment.

 

Cisco Fire Linux OS v6.6.1-14
Cisco Firepower 4110 Threat Defense v6.6.1-91

Appreciate your insights. Thanks!

Accepted Solutions

Milos_Jovanovic
VIP Alumni

Hi @fabc1,

Lina engine is legacy ASA code. I would advise using the command 'show processes cpu-usage sorted non-zero' to check for processes using that CPU. If you find that the ones spending the most CPU are processes starting with 'DATAPATH', this means that basic L3/L4 forwarding is eating up your resources. In other words, it is usage in your network due to traffic passing your FW devices.

Is it normal for Site2 to have higher CPU utilization than Site1? It really depends on your sites, the allocation of contexts in the active/active setup and the traffic behind those. If you have 10 users sitting in Site2, but they are doing some heavy copying of data (as compared with Site1, which has plenty of users, but they are just doing normal app usage), this has to be expected.

BR,

Milos
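
The check described in the answer above can be scripted against saved CLI output. This is an added example, not code from the thread or from Cisco: the sample text is constructed, the column layout (PC, Thread, 5Sec, 1Min, 5Min, Process) is an assumption about what the command prints, and the 0.5 threshold for "most CPU" is hypothetical.

```python
import re

# Constructed sample, not output from the thread's devices. The column layout
# (PC, Thread, 5Sec, 1Min, 5Min, Process) is an assumption about the CLI output.
SAMPLE = """\
PC                 Thread             5Sec    1Min    5Min   Process
-                  -                  31.2%   29.8%   30.1%  DATAPATH-0-2042
-                  -                  30.7%   29.5%   29.9%  DATAPATH-1-2043
0x0000000000aa1100 0x00007f0000001000  1.4%    1.2%    1.1%  Logger
0x0000000000bb2200 0x00007f0000002000  0.3%    0.3%    0.2%  CP Processing
"""

ROW = re.compile(r"^\s*\S+\s+\S+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(.+?)\s*$")
WINDOWS = ("5sec", "1min", "5min")

def parse_rows(text):
    """Return one dict per process row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = dict(zip(WINDOWS, (float(v) for v in m.groups()[:3])))
            row["process"] = m.group(4)
            rows.append(row)
    return rows

def datapath_share(rows, window="5min"):
    """Fraction of the listed CPU in `window` used by DATAPATH* processes."""
    total = sum(r[window] for r in rows)
    datapath = sum(r[window] for r in rows if r["process"].startswith("DATAPATH"))
    return datapath / total if total else 0.0

def triage(text, threshold=0.5):
    """threshold is a hypothetical cut-off for 'most CPU', not a Cisco value."""
    rows = parse_rows(text)
    if not rows:
        return "no process rows parsed"
    share = datapath_share(rows)
    if share > threshold:
        return f"DATAPATH uses {share:.0%} of listed CPU: load follows traffic"
    top = max(rows, key=lambda r: r["5min"])["process"]
    return f"DATAPATH uses {share:.0%}; top process is {top}"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running the same function on captures from both sites at comparable times shows whether the difference between them is forwarding load or some other process.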


Dear Milos,

I have an additional question on this. I would like to know: if the memory keeps increasing to 100%, what will happen to the FTD?

We had a situation last year in which the FTD hung and was unable to switch to the secondary. May I know if this is a similar issue to the one that we are discussing right now? Thanks!

Milos_Jovanovic
VIP Alumni

Hi @fabc1,

Memory utilisation of 100% is definitely not regular, and I've never seen this on FPR4100 devices. If it reaches that point, I would say it will behave unpredictably.

I would advise upgrading to the recommended SW version, as there are a couple of bugs related to memory leaks, which may help with the behavior you have seen too. Apart from FTD, make sure you upgrade FXOS and firmware too.

BR,

Milos

Dear Milos,

Thank you for your advice. When we execute the command >show memory details, we noticed that under Used Memory, Global Shared Pool is the highest for memory usage, at 63%. Is this normal behaviour?

Previously, we faced a memory issue on the secondary unit FW; the box hung and brought down the entire network as it failed to fail over. May I know if there are known bugs regarding this matter? I am still pending on the next action or workaround to proceed with this issue. Truly appreciate your advice too. Thanks again!

Hi @fabc1,

Again, what appears to be normal for one setup is not necessarily normal for another, so there is no final answer on this. If you suspect that your memory might be high, I would advise opening a TAC case, so they can assess it properly. Either way, I would go for an upgrade, as that is most likely what TAC will recommend first, as you are not running the recommended release.

Regarding bug details, you can find them in release notes.

BR,

Milos
