02-12-2014 02:11 PM
Hi,
I have a PA-2020 and 160 rules. The management plane is slow in responding. Management CPU is often at 98%. Committing changes takes 10 minutes. From time to time the first commit fails with the error "Management server failed to send phase 1 to client websrvr". What is going wrong? Do too many rules affect performance?
Thanks,
Radoslaw
02-12-2014 04:06 PM
Hello Radoslaw,
I don't think you have too many policies on this firewall. The max numbers are given below:
admin@21-PA-2020> show system state | match policy
cfg.general.max-cp-policy-rule: 1000
cfg.general.max-di-nat-policy-rule: 6000
cfg.general.max-dip-nat-policy-rule: 200
cfg.general.max-dos-policy-rule: 1000
cfg.general.max-nat-policy-rule: 1000
cfg.general.max-oride-policy-rule: 1000
cfg.general.max-pbf-policy-rule: 500
cfg.general.max-policy-rule: 10000
cfg.general.max-qos-policy-rule: 1000
cfg.general.max-si-nat-policy-rule: 1000
cfg.general.max-ssl-policy-rule: 1000
Do you have custom signatures/custom URL filtering configured on this firewall? It could take a longer commit time than expected.
I would request you to verify the management plane resources of this PA-2020 firewall with the command below:
> show system resources follow
Please verify whether the management server or any other daemon is taking many CPU cycles or much memory.
For the time being you can apply this CLI command:
> debug software restart management-server
It will reset the management-server process and it will not impact your production traffic (you will lose the SSH connection to the management plane for a few minutes). I hope it will improve the commit time or response time.
Thanks
02-12-2014 04:06 PM
You will need to run show system resources and try to determine which process is responsible for the high CPU in the management plane.
Refer to this document for an overview.
https://live.paloaltonetworks.com/docs/DOC-4649
03-14-2014 04:54 AM
This is related to a lack of resources for the mgmt plane. There is an upgrade kit available if needed.
This can be caused by a lot of things: a lot of User-ID that needs to be done, or even a lot of logging. If you have a few k of logs every minute then you'll notice slowness in the GUI and high CPU, since it is the mgmt plane that handles all the logging.
Kind regards
03-19-2014 01:37 AM
As far as I've been told, PA does not offer an upgrade kit for the 2000 series...
This issue is also being discussed in https://live.paloaltonetworks.com/thread/10099
03-19-2014 01:53 AM
My bad, there is indeed only an upgrade kit for the PA-500 available.
03-19-2014 08:08 AM
The PA2000 series is a joke and everyone that bought PA2000s should have their gear automatically replaced with either PA500s or PA3000s. In my humble opinion. The performance numbers on our PA2050 never hit published specs, ever, with extensive testing I did with Breaking Point. With a Breaking Point engineer present.