PIX - High CPU load issue

Thomas Panicker · ‎03-14-2013

Hi ,

My PIX CPU load was normally 30 - 35% and suddenly it got peaked to more than 90%. I did a comparison of CPU process (taken at two intervals of time). Please see the below comparison results of CPU Process:

Process Name	Δ Runtime
IKE Receiver	300
vpnfol_thread_unsent	6465
IP Thread	2881
listen/ssh	1
fover_rep	206
fover_serial_tx	291
listen/https	40
lu_ctl	28
tcp_slow	474
udp_thread	301
e	1091
vpnlb_ti	609
uauth_urlb clean	5
EAPoUDP-sock	2
fover_thread	1
qos_	431
557	479
vpnfol_thread_ti	1386
IKE Ti	2905
route_process	29
fover_FSM_thread	1
fover_health_	14703
SSL	15
fover_ifc_test	11
ssh/ti	6
tcp_thread	520
IP Background	148
NIC status poll	911
udp_ti	6
ssh	14
arp_ti	3427
update_cpu_usage	2791
tcp_fast	995
ppp_ti	101
ic	479
t	3431
IP Address Assign	3
Dispatch Unit	34007507
vPif_stats_cleaner	9
Logger	689216
ha_trans_ctl_tx	616
ci/console	1096
sn	3806
IPsec	50
fover_serial_rx	3312
PIX Garbage Collector	1274
IKE Dae	1325
Checkheaps	28874
fover_ip	83
SNMP Notify Thread	5319
aaa	32
fover_parse	1831
fover_tx	136
Session Manager	73
CTM	8591
p	566
fover_rx	1053
NTP	2066
RADIUS Proxy Listener	1
ARP Thread	17271

Seeing the above i have disabled Syslog, but still issue exist and also not sure of the dispatch unit process showing. Also I ahve noticed that there is no output for the command " sh processes cpu-hog".

Also in the "show interface" command i could see errors in the inside and outside interfaces. Please see the below;

# sh interface
Interface Ethernet0 "outside", is up, line protocol is up
99282 input errors, 0 CRC, 0 frame, 99282 overrun, 0 ignored, 0 abort

Interface Ethernet1 "inside", is up, line protocol is up
603003 input errors, 0 CRC, 0 frame, 603003 overrun, 0 ignored, 0 abort

Could anyone PLEASE provide some suggestion on what might be the problem and how to troubleshoot further ?

Thanks

jocamare · ‎03-15-2013

If you clear the interfaces, do the errors keep increasing? If so, at what rate?

Have you tried to reload the unit?

Thomas Panicker · ‎03-16-2013

Hi Jocamare,

Thanks for the check. After your comment I did a interface reset and after the same while checked found there is no input errors. Monitored the same more than one hour but still the input errors are 0. I believe this might be due to disabling the logging option.

Yes, during high CPU utilization i have tried reloading the PIX firewall. But it didn't fixed the issue. Some how it came down after few hours (may be 1.5 - 3hrs). I have did a comparison of CPU process and the runtime. Please see the below comparison output;

Process Name	Δ Runtime
IKE Receiver	1
vpnfol_thread_unsent	139
IP Thread	346
fover_serial_tx	19
listen/https	1
tcp_slow	124
udp_thread	11
e	26
vpnlb_ti	20
EAPoUDP-sock	1
qos_	130
557	12
vpnfol_thread_ti	23
IKE Ti	82
route_process	2
fover_health_	1003
SSL	1
ssh/ti	3
tcp_thread	443
IP Background	44
NIC status poll	320
VAC+ rando	2
ssh	3843
arp_ti	98
update_cpu_usage	203
tcp_fast	279
ppp_ti	4
ic	2
Dispatch Unit	340659
vPif_stats_cleaner	1
ha_trans_ctl_tx	16
ci/console	27
sn	345
fover_serial_rx	107
PIX Garbage Collector	28
IKE Dae	32
Checkheaps	10569
fover_ip	12
aaa	1
fover_parse	63
fover_tx	12
Session Manager	14
CTM	154
p	24
fover_rx	34
NTP	58
ARP Thread	311

Seeing the CPU runtime above, is there anything need to be checked in the configuration ?

Regards,

Thomas

mabuarja · ‎03-16-2013

hi,

if the high cpu re-occurs, try to "clear traffic" , and "show traffic" after few seconds , and try to do this (clear/show traffic) many times.

after that you can sum the transmitted & received Mbps and compare the results with the throughput limit value mentioned in the device specifications , as the device might be loaded .

Regards,

Mohammad

Thomas Panicker · ‎03-17-2013

Hi mohammad,

Thank you for the suggestion. Will do the same and update soon.

Regards,

Thomas

jocamare · ‎03-17-2013

Mind sharing the configuration from the PIX? The idea is to determine if any of the enabled features might be causing the problem.