CPU 4 High CPU use

Hi, we have two devices in an HA scheme. Both are constantly showing high CPU usage, and on both devices we see the same CPU (#4):

Result of the command show processes:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 9784 sfsnort   20   0 6124m 1.7g  16m R   99  1.6 574:55.13 snort

We want to know if it is possible to restart the snort process, and how to accomplish this.

1 Reply

Oliver Kaiser
Level 7

Snort is the IPS running on firepower. Depending on your firewall model the number of snort processes varies.

To understand why this process is at 100%, you might want to understand traffic forwarding on the Firepower module. Based on a hash (5-tuple), traffic is processed by a specific snort process, which uses one assigned CPU.

In case you have an elephant flow (large amounts of data being sent/received over a single session) this might lead to high load on a specific CPU. This is by itself not an issue but might lead to performance degradation for other sessions.

If you want to restart snort you will most likely encounter some traffic loss so keep this in mind and do not casually restart it at 09:00 am on your active firewall. ;)

Procedure to restart snort (on sfr module / ftd)

> expert

admin@firepower:~$ sudo pmtool restartByType snort

Try to identify the flow causing the high load (backup/FTP traffic?) and exclude it from inspection, either by using a pre-filter policy (FTD) or by excluding it from inspection using your service-policy (ASA with FirePOWER Services).

Let me know if this answers your question
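As an added illustration (this is example code, not part of the original post and not Cisco's own tooling), here is a small Python helper for the two checks the reply suggests: pick out snort instances pinned at high CPU from the show processes / top output, and rank connections from the show conn output by byte count to find elephant-flow candidates worth excluding from inspection. The show conn line layout used by the regex is an assumption based on the usual ASA/FTD format (protocol, interface, IPv4:port, interface, IPv4:port, ..., bytes N), and all sample connection lines are constructed for this example; adjust the regex if your platform prints something different.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the style of the "show conn" command on FTD/ASA.
# These connections are made up for this example; they are not from the post.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:21 inside 192.168.10.25:49512, idle 0:00:01, bytes 48123987456, flags UIO
TCP outside 198.51.100.7:443 inside 192.168.10.31:51200, idle 0:00:12, bytes 184233, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.10.31:56001, idle 0:00:03, bytes 412, flags -
TCP outside 203.0.113.44:445 inside 192.168.20.5:60311, idle 0:00:00, bytes 9871234567, flags UIO
TCP outside 198.51.100.9:80 inside 192.168.10.40:51877, idle 0:01:30, bytes 9023, flags UfIO
"""

# Sample top-style output: the first snort line is the one from the post, the
# second (PID 9785, idle instance) is constructed for contrast.
SAMPLE_TOP = """\
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 9784 sfsnort   20   0 6124m 1.7g  16m R   99  1.6 574:55.13 snort
 9785 sfsnort   20   0 6120m 1.6g  16m S    3  1.5  12:01.02 snort
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed "show conn" layout: PROTO IF_A IP:PORT IF_B IP:PORT, ... bytes N, ...
CONN_RE = re.compile(
    rf"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>{IPV4}):(?P<port_a>\d+)\s+"
    rf"(?P<if_b>\S+)\s+(?P<ip_b>{IPV4}):(?P<port_b>\d+),.*?\bbytes\s+(?P<bytes>\d+)"
)


def parse_show_conn(text: str) -> List[Dict]:
    """Turn 'show conn' lines into dicts carrying the 5-tuple and byte count.
    Lines that do not match the connection format (headers, counters) are skipped."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m["proto"],
            "a": f'{m["ip_a"]}:{m["port_a"]}',      # endpoint on interface if_a
            "b": f'{m["ip_b"]}:{m["port_b"]}',      # endpoint on interface if_b
            "if_a": m["if_a"],
            "if_b": m["if_b"],
            "bytes": int(m["bytes"]),
        })
    return flows


def elephant_flows(text: str, min_bytes: int = 1_000_000_000, top_n: int = 5) -> List[Dict]:
    """Return the largest connections (by bytes) at or above min_bytes, biggest first.
    A single session this large is what pins one snort instance / CPU."""
    big = [f for f in parse_show_conn(text) if f["bytes"] >= min_bytes]
    big.sort(key=lambda f: f["bytes"], reverse=True)
    return big[:top_n]


def high_cpu_snort(top_text: str, threshold: float = 90.0) -> List[Tuple[int, float]]:
    """Return (pid, %cpu) for snort processes at or above threshold in top/show processes output.
    Column order assumed: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND."""
    hits = []
    for line in top_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, cpu, command = int(fields[0]), float(fields[8]), fields[11]
        if command == "snort" and cpu >= threshold:
            hits.append((pid, cpu))
    return hits


def human_bytes(n: int) -> str:
    """Format a byte count with binary units, one decimal place."""
    value = float(n)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if value < 1024 or unit == "TiB":
            return f"{value:.1f} {unit}"
        value /= 1024
    return f"{value:.1f} TiB"  # unreachable, keeps the function total


if __name__ == "__main__":
    for pid, cpu in high_cpu_snort(SAMPLE_TOP):
        print(f"snort pid {pid} at {cpu:.0f}% CPU")
    for f in elephant_flows(SAMPLE_SHOW_CONN):
        print(f'candidate: {f["proto"]} {f["if_a"]} {f["a"]} <-> {f["if_b"]} {f["b"]} '
              f'{human_bytes(f["bytes"])}')
```

In practice you would paste the real show conn output into a file and feed it to elephant_flows; the candidates it prints are the sessions to consider for a pre-filter fastpath rule (FTD) or a service-policy exclusion (ASA with FirePOWER Services), and the restart described above only buys time until the same flow comes back.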
