ScreenOS Firewalls (NOT SRX)
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

CPU Geting High %

Hi All,

 

I am using the netscreen25 with firmware 5.4.r9. Recently, the NS25 CPU used up to 70% or above. I doesn't know which one traffice or service to getting the problem occur. I follow the KB to get the task status as " set alarm snpshot CPU" but i don't what is it and how to cause CPU high !

 

anybody can help.

 

Thanks

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

Hi Danby,

 

 

1. Does cpu high all the time or specific time ? 

2. What cause CPU high ? ( task or flow )

3. Do u know what traffic that pass through the firewall when CPU high ?

4. Could u share the log as KB suggest ?

        

 

Thanks,

 

Elkim 

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim,

 

1. My CUP high suddenly, but it alway occur on the morning (start the office hours)
2. I doesn't know how to check the problem cause the CPU high, do you have any suggestion for me to check.
3. I still doesn't know how to check it.
4. what is the meaing of the share the log ?

 

Thanks
Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

HI Danby,

 

May be you should follow this KB first to know what cause CPU high ( by task or by flow). After that u can go to the next troubleshooting after u know what cause CPU high

 

please see the Link below

 

http://kb.juniper.net/KB9453

 

 

Thanks,

 

Elkim

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim,

I checked the status, the problem is coming from the flow. what can i do to reduce the flow problem or why cause the flow to high ?


sz_ns25-> get perf cpu all detail
Average System Utilization:  1% (flow 1  task 1)
Last 60 seconds:
59: 77(85  2)**  58: 77(84  3)**  57: 78(87  1)**  56: 78(85  3)** 
55: 78(87  1)**  54: 74(80  4)**  53: 69(78  1)*   52: 72(77  5)** 
51: 72(81  1)**  50: 71(76  5)**  49: 71(79  2)**  48: 72(77  5)** 
47: 70(79  1)*   46: 68(72  6)*   45: 71(80  1)**  44: 72(77  5)** 
43: 69(77  2)*   42: 70(75  5)*   41: 73(82  1)**  40: 69(74  5)*  
39: 73(82  1)**  38: 70(75  5)*   37: 72(81  1)**  36: 73(78  5)** 
35: 72(80  2)**  34: 73(77  6)**  33: 76(84  2)**  32: 70(74  6)*  
31: 71(79  2)**  30: 77(86  1)**  29: 69(74  5)*   28: 67(76  1)*  
27: 70(75  5)*   26: 62(71  1)*   25: 49(54  5)    24: 56(65  1)*  
23: 56(61  5)*   22: 60(69  1)*   21: 58(63  5)*   20: 53(62  1)*  
19: 66(71  5)*   18: 50(59  1)*   17: 65(70  5)*   16: 53(62  1)*  
15: 70(75  5)*   14: 68(77  1)*   13: 64(69  5)*   12: 72(81  1)** 
11: 73(79  4)**  10: 67(76  1)*    9: 65(67  8)*    8: 63(72  1)*  
 7: 66(71  5)*    6: 75(84  1)**   5: 64(69  5)*    4: 76(85  1)** 
 3: 71(76  5)**   2: 75(82  3)**   1: 78(86  2)**   0: 76(85  1)**

 

Thanks
Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

HI Dandy,

 

Do u already follow the guide completly ? 

 

please get the command below and share to me

 

get per session detail

get session info

get counter screen zone
get alarm event
get log event

 

do every 10 second

 

get clock
get counter stat

 

 

thanks

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim

 

how to give you the information, it cannot upload the *.log extention file.

 

Thanks

Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

Hi Danby

 

u can send the log to invisiblester@gmail.com

 

 

thanks

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim

 

the log has been sent to you. please check.

 

Thanks

Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

hi Danby,

 

when i go though the log :

1. the thougput only around 3-4 Mbps and the average packet size is around 600-700 bytes. and i think this will not cause cpu high.

2. i found so many ip spoofing attack. could u investigate for these ip address 192.168.230.1 and 192.168.197.1? I guess  that terminal contain virues.

3. Are u ever use debug and snoop command ? try to check that command active or not. if active, try to disable it

    press esc button or undebug all

4. try to analyze your traffic. u can execute get session > tftp <ip tftp server> and use firewall session analyzer to know what protocol that often you use in your network.

 

if can send me the get session output.

 

Thanks,

 

 

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

hi Danby,

 

be carefull sometimes get session will make cpu high. 

 

Thanks

Highlighted
Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim

 

I get another high traffic log for you , it is because the before one is sometime lower down the CPU high.

Please check your mail

 

Thanks

Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

Hi Danby,

 

do u already check my previous suggestion ?

 

Thanks

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim

1.which one firewall session analyzer i can use. I doesn't know which one software to anyalyzer it.
2. when i execute the get session command, it need the cpu high moment.

 

 

Thanks

Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

hi The firewall analyzer you can find at juniper.web site. ypu go through the support and find tools

 for get session better you collect when cpu high, but you must concern about cpu usage

 

 

Thanks

 

 

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi Elkim

 

it need to login the juniper website to download this software ?

I cannot found it.

Could you provide me the address ?

Trusted Expert Trusted Expert
Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0 Kudos

Re: CPU Geting High %

Yup you need to login to get access:

https://tools.juniper.net/fsa/

 

Or you can try this (login NOT req):

http://performanceclassifieds.net/NSSA.zip

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi All,

 

I already downloaded the get session and running the analyzer, the hardware, session and auto analyze as below.

Could you give me advise of the session of CPU ? 1297 meaning is .....

I still doesn't know why the cpu getting high.

 

By the way, I have another question to ask .

1. if my internet network have a computer virus infected by wrom. this virus how to getting my CPU to high ?

2. From the F/w , which one information I can know which one computer have wrom infected.

 

Sessions Hardware Report-


Sessions in the CPU: 1297
Sessions that cross the backplane: 0

 


-Session Overview Report-

Total Number of Connections:     1297
The average Number of Sessions Per IP:  5.92237442922.

Top 5 Source IP addresses with the most connections:

Number of Connections - IP Address
107.0    -    10.3.5.40
80.0    -    10.3.5.151
72.0    -    10.3.5.194
53.0    -    10.3.6.13
45.0    -    10.3.7.9

Top 5 Destination IP addresses with the most connections:

Number of Connections - IP Address
46.0    -    121.14.1.215
41.0    -    10.3.4.6
34.0    -    10.3.4.195
14.0    -    219.239.129.130
14.0    -    202.105.179.42

Top 5 Most Common Source Ports used:

Number of Connections - Ports
66.0    -    32274
34.0    -    59173
31.0    -    18927
27.0    -    5670
24.0    -    10000

Top 5 Most Common Destination Ports used:

Number of Connections - Ports
271.0    -    80
104.0    -    5670
92.0    -    1433
86.0    -    1863
43.0    -    110

 

 

 

Thanks

Danby

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0 Kudos

Re: CPU Geting High %

hi Danby,

 

There are some factor that could make cpu increase. for your case, i see the a lot of cpu usage caused by flow.

 for that we can check more deep about What is causing High Flow CPU Utilization?

 

1. Session creation/ tear down

2. Traffic management features (i.e. logging, shaping, etc)

3. Firewall Protection features (i.e. Screen options)

4. ALG processing

5. Attacks

 

=> from your log i see so many ip spoofing from 2 ip address that i already mention before. how about of 2 ip address ? do u already investigate that ip ?

 

=> if u enable screening to protect ip spoofing. it will make cpu increase. please see the link below

http://kb.juniper.net/KB8332

 

=>for packet rate, based on the log, i dont see packet rate that exeeded box capacity. if u mind you can get this command again when cpu high. and we re-calculate the pps and the throughput

 

do it 10 times every 10 second

 

get clock

get counter stat 

 

=> Do u enable VPN , traffic shaping and mal url, url filtering and deep inspection  ?

 

 

thanks,

 

 

Contributor
Posts: 18
Registered: ‎04-19-2009
0 Kudos

Re: CPU Geting High %

Hi ELKIM,

 

I already disabled the screen IP spoofing feature, after that the 2 IP address spoofing has been gone.

I have enable the VPN traffic shaping on some VPN tunnel.
The MAL URL OR URL filtering, deep inspection is need to purchase the extra license ? if yes, I haven't
it is becuase I create some policy to prevent some website access.

 

Thanks