SRX Services Gateway
Reply
Contributor
Freddy
Posts: 83
Registered: ‎01-04-2009
0

SRX650 and high CPU usage

Hi,

 

I have a SRX650 cluster, it's running a few BGP-session (partial tables), some OSPF, about 11 security zones, 32 policys, 2-3 bandwidth policers, and sampling. The cluster is running 10.2R2.

 

During the night i see warning in my log for high CPU-usage, 93-97% usage. The traffic during this time is 150-200Mbps and 15-20Kpps.

 

Should'nt a SRX650 cope with more than this? Could it be my sampling that is causing the CPU to go so high?

 

Regards

Freddy

Super Contributor
motd
Posts: 221
Registered: ‎12-16-2008
0

Re: SRX650 and high CPU usage

The SRX650 should easily be able to cope with only 200mbps.

 

Which CPU usage is high, PFE or RE? If its the routing engine, first thing to look at would be bgp/ospf updates, if its PFE then my first guess would be the sampling as well.

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX650 and high CPU usage

Aggressive sampling can put quite a load on the system.  The other thing that comes to mind is using NSM for logging as it can result in higher CPU usage.  The best option for both, in my opinon, is to export syslog to a server, such as STRM/QRadar or Splunk and poll system usage via SNMP.

 

mawr

Contributor
Freddy
Posts: 83
Registered: ‎01-04-2009
0

Re: SRX650 and high CPU usage

I have disabled sampling and will have to see tonight if the CPU warnings are gone.

 

Currently my sampling-rate is 1, what do others use? SNMP don't give me the same accuracy.

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX650 and high CPU usage

Syslog messages contain a healthy amount of information to parse.  Here is an example of a structured message:

 

RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="TCP FIN" source-address="192.168.1.200" source-port="3968" destination-address="208.111.156.196" destination-port="80" service-name="junos-http" nat-source-address="216.114.217.242" nat-source-port="19623" nat-destination-address="208.111.156.196" nat-destination-port="80" src-nat-rule-name="trust-source-nat-rule" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-http" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15356" packets-from-client="15" bytes-from-client="3386" packets-from-server="23" bytes-from-server="7331" elapsed-time="12"]

 

mawr

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: SRX650 and high CPU usage

Sampling rate 1 means you are essentially sampling every packet. This is too much. Should consider increasing the rate to something more reasonable like 100 or more.

 

-Richard

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX650 and high CPU usage

Check out Pato's first reply in this thread.  It may help differentiate Jflow and Syslog for traffic reporting on SRX and J-series devices.

 

mawr

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.