PA2020 High CPU utilization "useridd" 100% management plane

Reply
Highlighted
L0 Member

I can get the management backplane to calm down a bit by restarting useridd via the following command:

debug software restart user-id

Unsure how long it takes for useridd to get angry again after that.

Highlighted
L4 Transporter

SimasK if I could moderate your post and mark it "+5 Insightful" I would :smileyhappy:

Highlighted
L4 Transporter

Well, you just answered my question - rolling back to 4.1.10 as I type.

Highlighted
L4 Transporter

> PA: How does this stuff get past the QA process?

More to the point - if it's a known issue which is being reported by lots of people, why do you have to log a fault to get access to the hotfix? Why doesn't PAN just release the hotfix for general distribution with a release note which specifies that it's only to fix the issue listed? This jumping through hoops to get fixes for known, impact-inducing bugs is extremely annoying.

And when I *did* log a case, the first thing I get back from the support partner is "We've escalated it to PAN for release of the hotfix, but why don't you update to 5.0.1 instead"?

Highlighted
L4 Transporter

And rolling back *again* after installing the "hotfix" 4.1.11-h1 because it bloody breaks the HA sync between my peers.

This is beyond a joke, Palo Alto. Does *nobody* QA these things in all possible environments before release?

Highlighted
Not applicable

Here's something of interest...

When using the USER-ID agent on our DC's, Management CPU was 80-100% all the time.

I've configured it now to agent-less, bumped my cache settings to 90 minutes (our users don't move around that much).

Management CPU is now between 20-40% and Dataplane at 15-25%

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND

31971 root      20   0 12636 2536 2080 S    4  0.3   0:00.13 wmic

2361 root      20   0  346m 100m 2064 S    4 10.4  21:57.54 logrcvr

7033 root      20   0  238m  89m  63m S    1  9.2  47:50.18 useridd

31954 sfsadmin  20   0  4532 1176  912 R    1  0.1   0:00.14 top

31970 root      20   0  3832 1180 1040 S    1  0.1   0:00.02 sh

2108 root      15  -5 54416 4620 1080 S    0  0.5  23:00.03 sysd

2117 root      30  10 39884 3680 1720 S    0  0.4   3:02.84 python

    1 root      20   0  1836  560  536 S    0  0.1   0:02.25 init

Highlighted
L4 Transporter

This is on version 4, or version 5?

I'm holding off on upgrading to V5 from past experience with Palo Alto's .0 release history! I won't upgrade to it until I hear from the learned denizens of these august forums that it appears stable.

Highlighted
Not applicable

OS Version 5.0.2 on a 2050 PA in Active/Passive HA mode.

Highlighted
Not applicable

The issue seems to be isolated with the 5.0.2 code. People above have gone to 5.0.1, but there are other issues with that build.

Highlighted
L4 Transporter

No, it's definitely present in 4.1.11 (and the supposed "hotfix" 4.1.11-h1 breaks other things) - and as far as I'm aware you can't do agent-less userID on v4.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!