Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3222
Views
0
Helpful
1
Replies

IPS 4240 high CPU

PAUL GILBERT ARIAS
Contributor
Contributor

‎08-26-2010 01:05 PM - edited ‎03-10-2019 05:06 AM

The customer has a IPS 4240 running version 7 and is experiencing high CPU utilization. It ranges between 80 and 100% of utilization. We disabled some alerts from some of the events we are getting but the issue remains. The customer has the IPS between the internet router and the ASA with a 20Mb internet connection. According to the customer the normal utilization is around 30%. The customer has rebooted the device a couple if times but the CPU spikes again. The memory utilization is low.

I would like to know if there are any troubleshooting steps we can follow or any information I can collect in order to find the cause of the issue.

I will appreciate any help.

Thanks.

Paul G

Here I am uploading some information.

Labels:
Preview file
4 KB
Preview file
32 KB
Preview file
6 KB
Preview file
52 KB
0 Helpful
1 Reply 1

Scott Fringer
Cisco Employee
Cisco Employee

‎08-30-2010 04:10 AM

Paul;

  In current releases of IPS software (starting with the release of the E3 analysis engine); high CPU in and of itself is not a good judge of sensor performance.  A better indicator is the "Inspection Load" (big speedometer on the home page).  This looks to be just over 10% in your attached screenshot.  The reaoning for this is a change in interface processing implemented in the E3 analysis engine.  From the release notes from the E3 release:

The E3 engine software contains changes from CSCsu77935.

The resolution of this defect modified the sensor's idle time algorithm,
applying additional CPU to polling of the NICs to decrease the polling
interval and reduce latency.  This results in the CPU usage being reported
higher than previous releases, including by external tools such as top and ps.
This additional CPU load can be noticed on single-CPU platforms, as well as the
primary CPU of multi-core systems.

Since the additional CPU load that is reported while polling is actually
available to process packets, and reduces as inspection load goes up, it does
not negatively affect the overall throughput of the IPS.  

The best indication of sensor load is shown under "Processing Load Percentage"
in the "show statistics virtual-sensor" command output and IME Home Page Dial.

  If there is indication of impact to traffic traversing  the IPS-4240, then it would be beneficial to open a service request with  TAC and provide the full output of 'sh conf' and 'sh tech' for review.

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents