Management CPU is 100%

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Management CPU is 100%

Not applicable

Hi Guys,

We are having an issue with the Palo Alto 2050 running OS 5.0.2. Earlier it happens when we do a commit or generating some reports. Then we cleared the all logs and update to 5.0.2 and now the Management CPU is always 100% even though we didn't do anything. Is this is a bug in 5.0.2 and does the next version 5.0.3 will fix this. Please help me on this as we are really worried about this.


Paul Mathew

Network Engineer

American School of Dubai


Accepted Solutions

L6 Presenter

Yes it is fixed.Upgrade to 5.0.3 or 5.0.4

View solution in original post


L6 Presenter

Yes it is fixed.Upgrade to 5.0.3 or 5.0.4

Not applicable

Thanks man will try this out.

That's correct. Bug ID 47948: User-ID process constantly running on very high CPU utilization reaching over 100% thus causing high MP CPU. Fixed in 5.0.3

Fixed in 4.1.12 as well as far as I'm aware for those still on that code base... still waiting on its release though.


Please request 4.1.11-h1 as this hotfix is available for the bug in question.

Not applicable

Rkalugdan you are right the 5.0.3 has a fix and that upgrade solve the issue. Thanks for all your help on this.

L1 Bithead

I'm not meaning to bash, but my 2050s have been running slow ever since moving off of 3.1.8 . I'm on 4.1.11 at this moment (the move to 4.0 was a disaster), but all upgrades between have been getting slower and slower performance. Logging in takes minutes, switching tabs take just as long, forget committing unless you have 20 minutes to spare. My question is are these "upgrades and updates" being thoroughly tested before being pushed out? I really do mean this because it seems that actualy user functionality has dramatically decreased even though we have a ton of new "features". Look at how many more updates and hot fixes come out compared to the older versions. Both of my 2050s work at the speed of boat anchors and it has my bosses furious. I really like the palo alto products and what they do for us, I wouldn't want another solution, I just feel like these updates aren't being thoroughly tested on the devices they are being used for. I feel that for the $$ these boxes cost they would be a bit more useable.

Dude, you're preaching to the converted here - several others have asked the same question, and we all agree - the QA process PAN has been following in recent releases sucks.

I agree with you - the 3.1.x releases were way faster and had less bugs than the 4.x, but what can you do?

... vote with your budget... change firewall vendors. Sad but true. Where I currently work, the Palo Alto QA missteps we have seen are causing us to seriously reevaluate our firewall strategy.

rk - we're waiting for the DHCP NACK fix to be backported before we upgrade to 4.1.11 or 4.1.12... we're waiting on 4.1.13 (assuming the DHCP fix makes it in) before we do the upgrade.

L1 Bithead

I upgraded our failover 2050 to 4.1.12 this morning and the update appears to have solved the "sitting at 100%" problem. My management cpu is bouncing between 60 and 65% which is still high in my opinion, especially just for logging in, but I have noticed improved navigation speed.

Palo Alto Networks Guru


   I am very sorry to hear that you have had issues with the 2000 series management plane performance.  We have definitely grown our feature set and as we grow our feature set we have grown our QA and testing infrastructure.  We are continually working to improve our testing methodology and process. 

    That said, unfortunately, you currently have the our slowest management plane firewalls.  The 2000 series firewalls were designed years ago and we have heard the complaint about management performance.  We have been working hard on the software side to improve the commit time and navigation of the user interface.  The 5.0 release had many of these improvements, but to see major differences the hardware needed to get some horsepower.  The 3000 series mid range firewalls have approximately 400% more RAM and CPU performance as the 2000.  We are seeing commit times go down from many minutes to less than a minute.  The overall management experience is much improved. 

   I know that not everyone can upgrade the hardware because of budgets, but before you change vendors, please know that we are listening and working on solutions to your issues.  I continue to put a major effort into improving and optimizing the software.  However, if it is a possible for your organization, please evaluate one of our 3000 series.  I think you will find that we are making strides on the management performance side.  Thank you

Also check with the supplier if a discount is possible for replacement of your 2000 boxes?

That is so you wont have to pay the full price of a new pair of 3000 boxes if you return the 2000 boxes at the same time.

The 500 series has a ram upgrade available (which lowered the commit times with about 30% or so according to posts in this forum) which unfortunately doesnt seem to be possible for the 2000 series.

egearhart wrote:

... vote with your budget... change firewall vendors. Sad but true. Where I currently work, the Palo Alto QA missteps we have seen are causing us to seriously reevaluate our firewall strategy.

Trouble with that is finding another device which is as effective - the PAN filtering model is kinda like crack - one you've had it, it's damn hard to break the habit! 🙂

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!