4040
閲覧回数
0
いいね!
0
コメント
オプション
- RSS フィードを購読する
- 新着としてマーク
- 既読としてマーク
- ブックマーク
- 購読
- 印刷用ページ
- 不適切なコンテンツを報告
2015-05-27
09:17 PM
- 最終編集日:
2023-12-20
01:59 PM
、編集者:
JapanTAC_CSC
CPU Profile とは
ASAのCPU高負荷問題の解析の為に、Cisco Technical Assistance Center(TAC)より、CPU Profileの取得をお願いさせて頂く事があります。その際は、以下を参考にご取得いただけますでしょうか。
CPU Profileは、定間隔毎のProgram Counter(PC)のキャプチャであり、私達Cisco TACが、どのプロセスが どの程度CPUを使用しているか調査を行う上で役立ちます。
CPU Profile取得に伴う、大きなCPU負荷上昇は想定しておりません。
収集するサンプル数が多くなるほど、収集時間と結果のアウトプット量が増加します。その為、高速なTelnetやSSH経由で取得してください。
CPU Profile 取得方法
以下のいずれかの方法で取得してください。
1. 即時取得を行う場合
- CPU高負荷事象が継続し発生している環境に向きます
- "cpu profile activate"コマンド
- デフォルトのサンプル数は1000
asa(config)# cpu profile activate
Activated CPU profiling for 1000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results.
2. 指定のサンプル数の収集を行う場合
- サンプル数を増やすほど、収集時間と結果のアウトプット量が増加しますが、調査精度が高まります
- "cpu profile activate <sample数>"コマンドで指定
- 以下は5000サンプルを収集時
asa(config)# cpu profile activate 5000
Activated CPU profiling for 5000 samples.
Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results.
3. トリガーを指定する場合
- 不定期にCPU高負荷が発生する環境に向きます
- "cpu profile activate <sample数> trigger cpu-usage <CPUパーセント>"コマンドで指定
- 以下はCPU 40%以上になった場合に、Criticalのシスログメッセージ出力を伴い、CPU Profileの収集を開始するコマンド
##有効化時## asa(config)# cpu profile activate 1000 trigger cpu-usage 40 Activated CPU profiling for 1000 samples. Use "show cpu profile" to display the progress or "show cpu profile dump" to interrupt profiling and display the incomplete results. asa(config)# logging message 711006 level critical ##CPUが40%超過時## May 27 2015 19:23:47: %ASA-2-711006: CPU profiling has started for 1000 samples. Reason: CPU utilization passed 40%. <---- 収集開始のログメッセージ asa(config)# show cpu CPU utilization for 5 seconds = 40%; 1 minute: 15%; 5 minutes: 31% asa(config)# show cpu profile CPU profiling started: 19:23:03.071 JST Wed May 27 2015 <---- 収集開始時間 CPU profiling currently in progress: Core 0: 491 out of 1000 samples collected. <---- 収集中 CP: 257 out of 1000 samples collected. <---- 収集中 Use "show cpu profile dump" to see the results after it is complete or to interrupt profiling and display the incomplete results. asa(config)#
CPU Profile サンプルの収集状況の確認
"show cpu profile"コマンドで収集状況を確認できます。収集対象が全てDoneになれば完了です。収集時間の目安としては、ASA5506 9.4(1)で、CPU負荷40%程度で、1000個のサンプルの収集に要した時間は、1分以下でした。
##収集開始した直後## asa(config)# show cpu profile CPU profiling started: 19:23:03.071 JST Wed May 27 2015 CPU profiling currently in progress: Core 0: 491 out of 1000 samples collected. <---- 収集中 CP: 257 out of 1000 samples collected. <---- 収集中 Use "show cpu profile dump" to see the results after it is complete or to interrupt profiling and display the incomplete results. ##収集完了後## asa(config)# show cpu profile CPU profiling started: 19:23:03.071 JST Wed May 27 2015 CPU Profiling has stopped. Core 0 done with 1000 samples <---- 収集完了 CP done with 1000 samples <---- 収集完了 Use "show cpu profile dump" to see the results.
CPU Profile 収集結果の出力
"show cpu profile dump"コマンド出力の全てを 任意メモ帳にペーストし、Cisco TACに ご送付をお願いします。
asa(config)# show cpu profile dump
Cisco Adaptive Security Appliance Software Version 9.4(1)
Hardware: ASA5506
CPU profiling started: 19:23:03.071 JST Wed May 27 2015
No CPU profiling process specified.
CPU profiling trigger: cpu-usage 40
cores: 1
Process virtual address map:
---------------------------
00400000-03603000 r-xp 00000000 00:01 3989 /asa/bin/lina
03803000-042d1000 rwxp 03203000 00:01 3989 /asa/bin/lina
042d1000-07e14000 rwxp 00000000 00:00 0 [heap]
36dfa00000-36dfa20000 r-xp 00000000 00:01 237 /lib64/ld-2.18.so
36dfc20000-36dfc21000 r-xp 00020000 00:01 237 /lib64/ld-2.18.so
36dfc21000-36dfc22000 rwxp 00021000 00:01 237 /lib64/ld-2.18.so
36dfc22000-36dfc23000 rwxp 00000000 00:00 0
36dfe00000-36dffa5000 r-xp 00000000 00:01 157 /lib64/libc-2.18.so
36dffa5000-36e01a4000 ---p 001a5000 00:01 157 /lib64/libc-2.18.so
36e01a4000-36e01a8000 r-xp 001a4000 00:01 157 /lib64/libc-2.18.so
36e01a8000-36e01aa000 rwxp 001a8000 00:01 157 /lib64/libc-2.18.so
--- 略 ---
7ffff7ffd000-7ffff7fff000 r-xp 00000000 00:00 0 [vdso]
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
---------------------------
End of process map
Samples for core 0 - stopped
{0x00000036e020d5da,0x00000000017148c0} {0x00000000028110e5,0x0000000000721a3d} {0x00000000006f4785,0x0000000002811307}
{0x00000000004387a6,0x0000000000721a8d} {0x0000000002819bc7,0x00000000028167c0} {0x00000000028111fc,0x0000000000721a3d}
{0x00000000010abef4,0x0000000000ee5c5f} {0x0000000002815ecf,0x0000000002817303} {0x00000000006bb545,0x00000000006bb23b}
--- 略 ---
{0x0000000002347836,0x000000000044de15} {0x000000000082d337,0x000000000044f83b} {0x000000000082cbfc,0x000000000044f83b}
{0x00000036dfec0e67,0x000000000044f779} {0x00000000019fe29b,0x000000000044f332} {0x00000000019fe247,0x000000000044f332}
{0x0000000000424d7b,0x000000000044f83b}
End of samples
asa(config)#
作業完了後は、"clear cpu profile"コマンドで、CPU Profileを削除してください。
asa(config)# clear cpu profile asa(config)# show cpu profile No profiling data.
その他、CPU高負荷時の調査に有用なコマンド
上記のCPU Profileのアウトプットに加え、以下コマンドの取得も合わせ検討ください。TACの調査効率の向上につながります。各カウンタの比較分析のために、CPU高負荷事象の発生時に、任意の定間隔(10分毎など)に、数回 (3回以上) 取得してください。
|
!--- 共通取得ログ show asp load-balance detail show asp table socket show tech show clock
!--- Connection数が膨大な場合 --- |
※show techに含まれるshow run出力量の多い環境では、
show techの代わりに、show tech no-configの取得でも構いません
show tech no-config利用時は、ログ取得作業の最後に show runを取得してください
以下は上記コマンドの出力例の一部です。
asa(config)# show clock 20:04:55.750 JST Wed May 27 2015 asa(config)# show cpu core Core 5 sec 1 min 5 min Core 0 45.6% 44.2% 43.6% asa(config)# show cpu detail Break down of per-core data path versus control point cpu usage: Core 5 sec 1 min 5 min Core 0 45.4 (45.2 + 0.2) 44.1 (44.0 + 0.1) 43.6 (43.3 + 0.1) Current control point elapsed versus the maximum control point elapsed for: 5 seconds = 29.2%; 1 minute: 29.1%; 5 minutes: 29.5% CPU utilization of external processes for: 5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0% Total CPU utilization for: 5 seconds = 45.6%; 1 minute: 44.2%; 5 minutes: 43.7% asa(config)# show processes cpu-usage sorted non-zero PC Thread 5Sec 1Min 5Min Process - - 45.4% 44.1% 43.4% DATAPATH-0-1562 0x00000000019bd596 0x00007fffec6059e0 0.1% 0.0% 0.0% telnet/ci asa(config)# show asp drop Frame drop: Invalid encapsulation (invalid-encap) 27889 No valid adjacency (no-adjacency) 12 No route to host (no-route) 53320 Reverse-path verify failed (rpf-violated) 119 Flow is denied by configured rule (acl-drop) 6545383 First TCP packet not SYN (tcp-not-syn) 10550 TCP failed 3 way handshake (tcp-3whs-failed) 827 TCP RST/FIN out of order (tcp-rstfin-ooo) 18740 TCP packet SEQ past window (tcp-seq-past-win) 422 TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 2 TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 3 TCP RST/SYN in window (tcp-rst-syn-in-win) 117 TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 3 TCP packet failed PAWS test (tcp-paws-fail) 332 Slowpath security checks failed (sp-security-failed) 7582042 Expired flow (flow-expired) 216 ICMP Inspect bad icmp code (inspect-icmp-bad-code) 8 DNS Inspect invalid packet (inspect-dns-invalid-pak) 11 SFR Module requested drop (sfr-request) 291 FP L2 rule drop (l2_acl) 10502933 Interface is down (interface-down) 2 RM connection limit reached (rm-conn-limit) 77725 Dropped pending packets in a closed socket (np-socket-closed) 492 NAT failed (nat-xlate-failed) 1430272 Last clearing: Never Flow drop: Inspection failure (inspect-fail) 990 SSL bad record detected (ssl-bad-record-detect) 1 SSL handshake failed (ssl-handshake-failed) 32 Last clearing: Never asa(config)# show asp event dp-cp DP-CP EVENT QUEUE QUEUE-LEN HIGH-WATER Punt Event Queue 0 47 Routing Event Queue 0 0 Identity-Traffic Event Queue 0 2 General Event Queue 0 8192 Syslog Event Queue 0 8192 Non-Blocking Event Queue 0 2 Midpath High Event Queue 0 4 Midpath Norm Event Queue 1 6 Crypto Event Queue 0 160 HA Event Queue 0 0 Threat-Detection Event Queue 0 4 SCP Event Queue 0 0 ARP Event Queue 0 174 IDFW Event Queue 0 0 CXSC Event Queue 0 0 EVENT-TYPE ALLOC ALLOC-FAIL ENQUEUED ENQ-FAIL RETIRED 15SEC-RATE punt 21376 0 21376 0 21376 0 inspect-ftp 2451 0 2451 0 2451 0 inspect-h323 17 0 17 0 17 0 inspect-netbi 18892 0 18892 0 18892 0 inspect-sunrp 5 0 5 0 5 0 inspect-tftp 6 0 6 0 6 0 inspect-xdmcp 5 0 5 0 5 0 drop-flow 0 0 4120 0 4120 0 midpath-high 369 0 369 0 369 0 midpath-norm 685462 0 685462 0 685462 1 crypto-msg 955 0 955 0 955 0 adj-absent 566486 0 566486 0 566486 0 arp-in 1217843 0 1217843 0 1217843 1 identity-traffic 7523 0 7523 0 7523 0 syslog 3083486 0 3077831 5655 3083486 18 scheduler 9 0 9 0 9 0 threat-detection 18362 0 18362 0 18362 0 ips-cplane 172247 0 172247 0 172247 0 asa(config)# show xlate count 14 in use, 65553 most used asa(config)# show conn count 19 in use, 50001 most used asa(config)# show resource usage summary count all 0 Resource Current Peak Limit Denied Context Telnet 1 2 5 0 System SSH Client 0 0 5 0 System SSH Server 0 0 5 0 System ASDM 0 2 30 0 System IPSec 0 0 5 0 System Syslogs [rate] 0 31047 N/A 0 System Conns 19 50001 50000 77731 System Xlates 14 65553 N/A 0 System Hosts 14 65519 N/A 0 System Conns [rate] 0 13607 N/A 0 System Inspects [rate] 0 80 N/A 0 System Mac-addresses 0 0 16384 0 System Routes 5 5 unlimited 0 System Other VPN Sessions 0 0 50 0 System Other VPN Burst 0 0 50 0 System IKEv1 in-negotiation 0 0 unlimited 0 System asa(config)# show service-policy Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: dns preset_dns_map, packet 416710, lock fail 0, drop 11, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: ftp, packet 2628, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: h323 h225 _default_h323_map, packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 tcp-proxy: bytes in buffer 0, bytes dropped 0 Inspect: h323 ras _default_h323_map, packet 22, lock fail 0, drop 22, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: rsh, packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: rtsp, packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 tcp-proxy: bytes in buffer 0, bytes dropped 0 Inspect: esmtp _default_esmtp_map, packet 6, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: sqlnet, packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: skinny , packet 2, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 tcp-proxy: bytes in buffer 0, bytes dropped 0 Inspect: sunrpc, packet 7, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 tcp-proxy: bytes in buffer 0, bytes dropped 0 Inspect: xdmcp, packet 5, lock fail 0, drop 5, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: sip , packet 20643, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 tcp-proxy: bytes in buffer 0, bytes dropped 1126 Inspect: netbios, packet 51791, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: tftp, packet 6, lock fail 0, drop 4, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Inspect: icmp, packet 91431, lock fail 0, drop 8, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 Class-map: ANY SFR: card status Up, mode fail-open packet input 88891792, packet output 88892722, drop 36, reset-drop 255 asa(config)# show perfmon detail PERFMON STATS: Current Average Xlates 0/s 0/s Connections 0/s 0/s TCP Conns 0/s 0/s UDP Conns 0/s 0/s URL Access 0/s 0/s URL Server Req 0/s 0/s TCP Fixup 0/s 0/s TCP Intercept Established Conns 0/s 0/s TCP Intercept Attempts 0/s 0/s TCP Embryonic Conns Timeout 0/s 0/s HTTP Fixup 0/s 0/s FTP Fixup 0/s 0/s AAA Authen 0/s 0/s AAA Author 0/s 0/s AAA Account 0/s 0/s VALID CONNS RATE in TCP INTERCEPT: Current Average N/A 100.00% SETUP RATES: Connections for 1 minute = 0/s; 5 minutes = 0/s TCP Conns for 1 minute = 0/s; 5 minutes = 0/s UDP Conns for 1 minute = 0/s; 5 minutes = 0/s asa(config)# show fragment Interface: outside Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual Queue: 0, Assembled: 0, Fail: 0, Overflow: 0 Interface: inside Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual Queue: 0, Assembled: 0, Fail: 0, Overflow: 0 Interface: management Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual Queue: 0, Assembled: 0, Fail: 0, Overflow: 0 asa(config)# show arp statis Number of ARP entries in ASA: 10 Dropped blocks in ARP: 579146 Maximum Queued blocks: 22 Queued blocks: 0 Interface collision ARPs Received: 0 ARP-defense Gratuitous ARPS sent: 0 Total ARP retries: 105630 Unresolved hosts: 0 Maximum Unresolved hosts: 3 asa(config)# show logging queue Logging Queue length limit : 512 msg(s) 299930 msg(s) discarded due to queue overflow 0 msg(s) discarded due to memory allocation failure Current 0 msg on queue, 512 msgs most on queue
参考情報
Cisco ASA Series Command Reference : cpu profile activate
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2176580
ASA: show processes cpu-usage を用いた CPU負荷の調査
https://supportforums.cisco.com/ja/document/12545811
ファイアウォール トラブルシューティング
https://community.cisco.com/t5/-/-/ta-p/3161736
Firepower System and FTDトラブルシューティング
https://community.cisco.com/t5/-/-/ta-p/3161733
ラベル:
