08-28-2017 02:31 AM
Hello all.
We use pa-3020.
PanOS 7.1.5
1, session 43%
2,CPU 100%
Why CPU 100% used?
Normaly, 500Mbps use.
BUG??
I get show tech messages.
:
:Resource monitoring sampling data (per second):
:
:CPU load sampling by group:
:flow_lookup : 95%
:flow_fastpath : 91%
:flow_slowpath : 95%
:flow_forwarding : 95%
:flow_mgmt : 73%
:flow_ctrl : 73%
:nac_result : 95%
:flow_np : 91%
:dfa_result : 95%
:module_internal : 95%
:aho_result : 95%
:zip_result : 95%
:pktlog_forwarding : 96%
:lwm : 0%
:flow_host : 73%
:
:Resource utilization (%) during last 15 seconds:
:session:
: 42 43 43 43 43 43 43 43 43 43 43 43 43 43 43
:
:packet buffer:
: 2 1 2 1 1 1 9 3 3 2 2 1 1 1 3
:
:packet descriptor:
: 16 16 16 15 16 15 17 16 16 15 16 15 16 15 16
:
:packet descriptor (on-chip):
: 6 6 12 5 2 5 27 9 9 6 23 6 2 2 8
Total num processes: 15
Name PID CPU% FDs Open Virt Mem Res Mem State
all_pktproc_4 1221 100 5 51096 9432 R
monitor 1223 0 10 53340 13132 R
dha 1185 0 7 50968 8100 S
all_pktproc_3 1219 100 5 51228 9520 R
flow_mgmt 1222 98 5 51068 9124 R
mprelay 1183 0 8 51048 8320 S
pktproc_n_log 1218 100 5 70896 29072 R
bfd 1186 0 10 51680 8768 S
comm 1184 0 19 560112 69492 S
sysdagent 1164 0 6 520468 4764 S
ntp 1235 0 8 76260 2712 S
ehmon 1165 0 5 29368 4496 S
masterd 1120 0 18 201060 14948 S
all_pktproc_2 1220 100 5 51096 9428 R
brdagent 1161 0 9 440736 8436 S
syslogd 1126 0 4 3396 988 S
Thanks.
08-28-2017 03:02 AM
Hi,
As you know, CPU usage depend of nobre of session but more than that, depend of:
- nbre of session open / close per second
- packet size
- and more ..
Mean you can have only few session but if they are very short, with smal packet, is more CPU intensive than huge nombre of session with large packet and long duration in time.
If you want to optimize CPU utilisation,
1- check which traffic create this high CPU usage
2- Try to create App overide
3- optimize security profile and logging feature
Hope help.
V.
08-28-2017 03:02 AM
Hi,
As you know, CPU usage depend of nobre of session but more than that, depend of:
- nbre of session open / close per second
- packet size
- and more ..
Mean you can have only few session but if they are very short, with smal packet, is more CPU intensive than huge nombre of session with large packet and long duration in time.
If you want to optimize CPU utilisation,
1- check which traffic create this high CPU usage
2- Try to create App overide
3- optimize security profile and logging feature
Hope help.
V.
08-28-2017 07:09 AM
It appears simply processing your traffic is pegging the CPU. Without additiional informaiton it's really impossible to say what exactly is causing it and what could help you decrease the percentage. @VinceM already gave some great advice, I would add that unless your CPU is staying pegged you could have just been hit with more traffic. Just because your session utilization is low doesn't mean your pps isn't high or the packet size isn't an issue. If this stayed pegged then I would look into it a little more.
08-30-2017 10:30 PM
Thankyou!
We use meny web-based protocol, but be judged "unknown_tcp" .
I will investigate.
09-01-2017 07:09 AM
High amount of unknown-udp or unknown-tcp is main reason for high dataplane cpu as firewall has to use heuristics.
If this is in-house application then create custom app-id or use application override rules.
If this is general application then ask Palo to create app-id on their side.
If you see unknown-tcp in your users accessing regular internet then this is suspicious.
From ACC identify top user with unknown-tcp traffic and identify what application is causing it.
09-03-2017 08:45 PM
Thank you.
I found messages unknown-tcp and incomplete.
I will be some over-ride settings and more.
09-21-2017 06:44 PM
It solved it.
Thanks for your advices.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
