PA2020 High CPU utilization "useridd" 100% management plane



L2 Linker

5.x seems to require more management CPU utilization altogether than 4.x did. That shouldn't be surprising to anyone, given all the new features. We can hope that efficiency will improve as the 5.x code matures.

However, 5.0.2 (and 4.1.11) seem to have a very clear bug related to the User ID process consuming excessive resources.

L4 Transporter

Honestly I wish PA would slow down on the new features and beef up the stability/QA. It seems like we upgrade on support's advice to fix bugs and then after we upgrade we find other bugs... it's bug whack-a-mole.

L4 Transporter

Yes, it doesn't get easier to recommend software versions for our customers.

Very disappointed that 4.1.11 seems to have the same bug, especially since they released that version some time after this bug was known in 5.0.2.

/Jo Christian
L2 Linker

I was thinking the exact same thing. I'm pretty annoyed to be rolling a box back from 4.1.11 to 4.1.10 tonight _after_ I rolled it back from 5.0.2 to 4.1 a couple weeks ago.

L4 Transporter

It's time and time again for us with PA... I like the "disruptive startup" nature of the company and all the features packed into the boxes they sell (and the complete lack of dealing with the insane licensing scheme of Check Point), but these QA issues are making it hard for me to make a case with my management to move forward with handing off more load to the PA boxes we have, especially since the Check Point firewalls we have in production seem to just hum along and "just work."

We're "dipping our toe" into Palo Alto slowly, and honestly these "bug whack-a-mole" issues are causing us to reconsider our firewall strategy.

Don't even get me started on the GlobalProtect client...

L2 Linker

It is surely harder to get extremely high stability when dealing with so many things simultaneously than it is just checking simple ACLs. That PAN has been able to do what it does so effectively is impressive no matter how you look at it. I continue to be very very impressed with the product (of course as a partner I am biased I suppose), and wouldn't recommend anything else given the current threat landscape, but I will be taking a less aggressive approach to updating firmware for a while. I tend to try and keep on the current release under the idea that I _should_ be keeping my bug exposure down. I pushed our various boxes up through all the 4.1.x releases with no ill effects and was lulled into overconfidence I suppose. I suspect most people in these forums would say "what do you expect running the very latest release"...

L4 Transporter

We're sticking with 4.1 on a pair of our PA devices and we're still running into bugs. Not trivial stuff either... things like PA's implementation of DHCP doesn't work correctly (ticket open for a month and a half), GlobalProtect doesn't work correctly/crashes/throws errors (client and gateway).

We've got a ticket that's been open for two months for User-ID mapping not working correctly (on 4.1 code), where we basically can't use the 'user' column in our rulebase. That's a major feature that we can't take advantage of.

It's not "oh another customer is complaining and whining"... it's features that are advertised as working that weren't tested or that get broken by bugfixes.

I suppose your mileage may vary though.

L0 Member

Same issue here with 5.0.2 and PA 2050.

top - 07:57:29 up 25 days, 11:10,  1 user,  load average: 12.15, 11.85, 11.66
Tasks: 105 total,   2 running, 102 sleeping,   1 stopped,   0 zombie
Cpu(s): 32.3%us, 47.5%sy,  5.0%ni, 13.8%id,  0.8%wa,  0.1%hi,  0.4%si,  0.0%st
Mem:    995872k total,   964828k used,    31044k free,    20132k buffers
Swap:  2008084k total,   545768k used,  1462316k free,   535468k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
1796       20   0  212m  73m  64m S  174  7.5   8106:37 useridd

L4 Transporter

Hello again,

Seems like a hotfix is out for 4.1.11 to fix this problem.

You need to contact support to get it.

Jo Christian

/Jo Christian
Not applicable

It seems PA dismissed its QA team (maybe in favor of copyright lawyers) and customers are responsible for all the testing now.
