High DP CPU Load on PA2050 Active-Active Pair

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

High DP CPU Load on PA2050 Active-Active Pair

L2 Linker

I'm experiencing frequent DP CPU spikes of 100% and averages between 80-95% on a PA-2050 Active Active deployment running 5.0.5. 

Our configuration is fairly simply with 2 vWire's per box for 2 security zones with async routing between the trust and untrust zones.  We have only 5 security policies, with AV, spyware and vulnerability protection security profiles only. These profiles simply "allow" low/info/medium traffic and alert for high/critical and that's about it and a little bit of syslog.  No VPN, no USER-ID, no global protect etc.. etc...

However at peak times with around 75-90Mbps of throughput and ~96k sessions reported per PA-2050 we hit 90-100% CPU.


Has anyone else experienced this sort of issue on a PA-2050 as the throughput numbers and session count are below the stated capability for the platform as below or is that simply too optimistic?



PA-2050

  • 1 Gbps firewall throughput (App-ID enabled1)
  • 500 Mbps threat prevention throughput
  • 300 Mbps IPSec VPN throughput
  • 250,000 max sessionsdata
  • 15,000 new sessions per second
  • 2,000 IPSec VPN tunnels/tunnel interfaces
  • 1,000 SSL VPN Users
  • 10 virtual routers
  • 1/6* virtual systems (base/max2)
  • 40 security zones
  • 5,000 max number of policies
3 REPLIES 3

L7 Applicator

Hi,

Could you please provide below mentioned information.

admin@PA-500> show running resource-monitor   >>>>>>>>>>>>>>> current as well as previous CPU history

admin@PA-500> debug dataplane pool statistics >>>>>>>>>>>>>> available/Utilize pools

admin@PA-500> show running logging  >>>>>>>>>>>>>>>>> logging rate of this firewall

admin@PA-500>show counter global filter delta yes packet-filter yes >>>>>>>>>>>>>>>> apply this command and verify below mentioned parameter

If any of them is high.


Packet rate

IP TTL

ZIP processing

Logging rate

Packets queued for FPGA

Thanks

Subhankar

Thanks for the Reply,

See attached files:

“PA-2050-1 - show running resource-monitor at time of high CPU.txt” – this was taken at the time of high CPU yesterday.

All the remaining attachments were captured this morning, however all threat protection policies and logging are disabled to avoid having to physically bypass the Firewalls, so the rest of the attachments are after threat and logging were turned off. 

I’ve not posed the stats from the 2nd PA-2050 as they are fairly similar to the Active-Primary one.  

L2 Linker

Just a quick update to say the issue is logged with PA TAC their initial investigation is pointing towards a suspected bug.

  • 2998 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!