Solved: FMC CPU keeps ramping up

00u18jg7x27DHjRMh5d7 · ‎07-28-2023

I have installed FMC on an ESXI server, and it has been fine for a few months. Now over the last 2 months the CPU’s will spike and FMC becomes un-reachable. The FMC is not being used in full production yet, so it doesn't have a lot of traffic. I have added CPU’s and Cores well over what is required and added memory still all CPU’s spike to 100% and stay like that until I restart the FMC. Anyone have any suggestions of what could be causing this? I don't want to put into production until this is solved.

rhingel · ‎07-31-2023

I suggest you to gather the information above, also generate a troubleshoot file from FMC and open a TAC case, you can ask the TAC engineer to check the core files, they may need cleanup.

If you are curious (like me) and want to check if you have core files to be cleaned, the example below shows the output with no core files:

Cisco Secure Firewall Management Center for VMware v7.2.4 (build 169)
> expert
sudadmin@fmc:~$ sudo su
Password: 
Last login: Mon Jul 31 18:12:07 UTC 2023 on pts/0
root@fmc:/Volume/home/admin# cd /var/common/
root@fmc:/var/common# ls -ltr | grep core
root@fmc:/var/common#

View solution in original post

rhingel · ‎07-29-2023

Hello,

What is the FMC version you are running? From the GUI, try clicking on the and then go to Health > Monitor. From there, click on the FMC on the left panel and you will see something similar to the screenshot below.

You can click on the right icon beside the FMC hostname where, in my case, it says "Normal", a popup will come up and you can click on the "Run All" to check if you have any alerts.

Another thing to do is to log on the FMC CLI and check the database health. Type expert, sudo su, enter your password and then run DBCheck.pl. The output below shows a healthy database, you can see from the last message in the bottom.

Cisco Secure Firewall Management Center for VMware v7.2.4 (build 169)
> expert
admin@fmc:~$ sudo su 
Password: 
Last login: Sun Jul 30 01:45:04 UTC 2023 on pts/0
root@fmc:/Volume/home/admin# DBCheck.pl 
running database integrity check with the following options:
- use exception directory /usr/local/sf/etc/db_exceptions
- check refererences
- check enterprise objects
- check schema
- check required data
- log to stderr
getting filenames from [/usr/local/sf/etc/db_updates/index]
getting filenames from [/usr/local/sf/etc/db_updates/base-7.2.4]
************ Applying dynamic update files ************
Dynamic update files directory: /usr/local/sf/etc/dynamic_db_updates
Applying file remove_ref_check_rna_ip_os_map.yaml.
               Status: Success.
Applying file rule-comments.yaml.
               Status: Success.
************ Applying dynamic update files finished ************
getting exceptions from [/usr/local/sf/etc/db_exceptions/db_exceptions.yaml]
getting exceptions from [/usr/local/sf/etc/db_exceptions/current_user_ip_map_exception.yaml]
[Sun Jul 30 01:45:11 2023][INFO]   [-] DBCheck running with 7.2.4 as CURRENT VERSION.
[Sun Jul 30 01:45:13 2023][INFO]   [current schema]          database [mysql], table [fireamp_event_template], Checking using current schema.
[Sun Jul 30 01:45:14 2023][INFO]   [current schema]          database [mysql], table [event_extra_data_template], Checking using current schema.
[Sun Jul 30 01:45:14 2023][INFO]   [current schema]          database [mysql], table [file_event_template], Checking using current schema.
[Sun Jul 30 01:45:14 2023][INFO]   [current schema]          database [mysql], table [rna_flow_stats_prioritized_template], Checking using current schema.
[Sun Jul 30 01:45:14 2023][INFO]   [current schema]          database [mysql], table [rna_flow_stats_template], Checking using current schema.
[Sun Jul 30 01:45:16 2023][INFO]   [current schema]          database [mysql], table [flow_chunk_template], Checking using current schema.
[Sun Jul 30 01:45:16 2023][INFO]   [current schema]          database [mysql], table [packet_log_template], Checking using current schema.
[Sun Jul 30 01:45:16 2023][INFO]   [current schema]          database [mysql], table [rua_event_template], Checking using current schema.
[Sun Jul 30 01:45:17 2023][INFO]   [current schema]          database [mysql], table [event_template], Checking using current schema.
[Sun Jul 30 01:45:18 2023][INFO]   [current schema]          database [mysql], table [rna_event_template], Checking using current schema.
[Sun Jul 30 01:45:32 2023][INFO]   database [mysql], table [current_user_ip_map], index [netmap_num_ipaddr], unique [no], columns [netmap_num,ipaddr]
[Sun Jul 30 01:45:32 2023][INFO]   [-] checking EventDB tables
[Sun Jul 30 01:45:33 2023][INFO]   [-] done checking EventDB tables (took 1 seconds)
After Checking DB, Warnings: 0, Fatal Errors: 0

Finally, I recommend opening a Cisco TAC case and upload the information you collected previously, don't forget to upload the troubleshoot file (see this link if this is your first time: https://www.cisco.com/c/en/us/support/docs/security/sourcefire-defense-center/117663-technote-SourceFire-00.html).

00u18jg7x27DHjRMh5d7 · ‎07-31-2023

Thanks for the information I will take a look today. See if anything stands out.

00u18jg7x27DHjRMh5d7 · ‎07-31-2023

Ok so This is what I got. Not sure what the error represents??

Checking eventdb.fileevent_template against the current schema.
After Checking DB, Warnings: 3, Fatal Errors: 0

rhingel · ‎07-31-2023

I suggest you to gather the information above, also generate a troubleshoot file from FMC and open a TAC case, you can ask the TAC engineer to check the core files, they may need cleanup.

If you are curious (like me) and want to check if you have core files to be cleaned, the example below shows the output with no core files:

Cisco Secure Firewall Management Center for VMware v7.2.4 (build 169)
> expert
sudadmin@fmc:~$ sudo su
Password: 
Last login: Mon Jul 31 18:12:07 UTC 2023 on pts/0
root@fmc:/Volume/home/admin# cd /var/common/
root@fmc:/var/common# ls -ltr | grep core
root@fmc:/var/common#