ScreenOS Firewalls (NOT SRX)
Super Contributor
Posts: 231
Registered: ‎12-01-2008
0
Accepted Solution

FTP traffic Cause CPU High

Hi All,

I have a problem with my NS208. When an FTP transfer occurs, the CPU goes high (it can reach 80%), but after the FTP transfer finishes, the CPU is back in a normal state.

From the JTAC pre-analysis, the problem is caused by box capacity: total throughput at that time is 100 Mbps and the average packet size is less than 200 bytes.

I tried to replicate this problem in my lab using an NS25 deployed in transparent mode, and after that I injected FTP traffic (an 8 GB RAR file). When the FTP transfer occurred, the CPU also went high. I also replicated this issue using L3 mode, and the CPU also increased, but not as high as when we deploy L2 mode.

Is there any different behavior related to FTP traffic when we deploy the firewall in L2 and L3 mode? Btw, could we set the packet size of the data?

Thanks

ELkim

Super Contributor
Posts: 240
Registered: ‎08-19-2008

Re: FTP traffic Cause CPU High

Hi

I think it isn't very different between L2 & L3 regarding traffic; usually L2 is deployed when the administrator needs to implement the FW without any change to their settings or network infrastructure.

You can view chapter 7 of the documentation, Concepts & Examples ScreenOS Reference Guide; you can set and manage traffic with policy.

Thank you

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi Mehdi, the fact is like that. The CPU also increases, but not as much as when we deploy L2. Btw, what determines the speed of an FTP transfer and the size of the packets?

Thanks

Distinguished Expert
Posts: 826
Registered: ‎05-04-2008

Re: FTP traffic Cause CPU High

Hi,

 

If possible, I would recommend you try using the built-in traffic shaping feature using a Policy.  For example, you could cap the FTP BW and run some more tests.  This may help prevent the large FTP transfers from chewing up all the resources.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi John,

Thanks for the reply. If we do traffic shaping, won't the CPU increase? Do you have another way to solve this issue? Because I think if we do traffic shaping, the CPU will be used to shape the traffic. CMIIW

Thanks

Super Contributor
Posts: 240
Registered: ‎08-19-2008
0

Re: FTP traffic Cause CPU High

[ Edited ]

Hi ELKIM,

As I said in my last post, you can use traffic shaping: chapter 7 of the documentation, Concepts & Examples ScreenOS Reference Guide.

However, the cause of this CPU load may be either the ScreenOS version or anomalous packets. Could you try another ScreenOS version recommended by Juniper?

From version 6.1.0r3 you can protect your CPU in the section

Configuration >>>>> CPU Protection.

And I advise you to contact support.

 

 

Message Edited by mehdi on 04-20-2009 08:20 AM
Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0

Re: FTP traffic Cause CPU High

Hi,

 

The reason why I think TS will help is because it will reduce the PPS (Packets Per Second) entering your box. Without shaping, your box is accepting and processing all packets during the transfer. Since it would be treated as a single session, the switching piece should be handled out of memory and the onboard ASIC. In my opinion, this is your best option and I don't think it's a risky test. Give it a go and let me know.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0

Re: FTP traffic Cause CPU High

Hmm, actually I think FTP may also be triggering the high CPU partially because it's ALG traffic:

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

I think you can try to have 2 specific policies:

NS208-> set pol top from trust to untrust any any FTP permit
policy id = 4
NS208-> set pol id 4 application ignore

NS208-> set pol from trust to untrust any any any permit

Pol 4 will ignore the ALG processing and the next policy will permit the dynamic ports.

Take note that you have to have the permit any policy facing the side where the server is starting up the data connection (if you are using active FTP). If it's passive then you need to have the policy from where the CLIENT starts up the data connection.


****pls click the button " Accept as Solution" if my post helped to solve your problem****
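
The active/passive distinction in the post above, as an added example that is not part of the original thread and is not ScreenOS code: an FTP ALG generally reads the PORT command and the 227 reply on the control channel to learn the dynamic data port and which side opens the data connection. The function names and the sample exchange are constructed for illustration.

```python
import re

# Six comma-separated numbers: used by both PORT and the 227 (PASV) reply.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from 'h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_pinholes(control_lines, client_ip, server_ip):
    """List the data connections announced on an FTP control channel.

    control_lines: iterable of (sender, line), sender is 'client' or 'server'.
    """
    pinholes = []
    for sender, line in control_lines:
        line = line.strip()
        if sender == "client" and line.upper().startswith("PORT "):
            # Active FTP: the server opens the data connection to the client.
            mode, initiator, peer = "active", "server", client_ip
        elif sender == "server" and line.startswith("227"):
            # Passive FTP: the client opens the data connection to the server.
            mode, initiator, peer = "passive", "client", server_ip
        else:
            continue
        target = parse_hostport(line)
        if target is None:
            continue
        pinholes.append({"mode": mode, "initiator": initiator,
                         "dst_ip": target[0], "dst_port": target[1],
                         "matches_peer": target[0] == peer})
    return pinholes

# Constructed sample exchange using documentation addresses.
SAMPLE = [
    ("client", "USER demo"),
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,5,19,137)"),
]

if __name__ == "__main__":
    for p in data_pinholes(SAMPLE, "192.0.2.10", "198.51.100.5"):
        print(p)
```

The initiator field is the side the permit policy has to face once ALG processing is ignored, and matches_peer is False when the announced address is not the peer's own.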
Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi WL,

Could you explain this command to me in more detail? What do you want to show me? Sorry, I still don't know.

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

For the policy, I know what you mean.

Thanks

Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0

Re: FTP traffic Cause CPU High

[ Edited ]

Basically that just shows you what kind of ALG you have on the firewall. The cmd is different on later SOS, e.g. 6.0, as we use:

"get alg" to show what ALGs are enabled on the firewall

Message Edited by WL on 04-20-2009 09:11 PM
Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi WL,

Thanks for the update. I already set the policy that you suggested, but the CPU still goes high. Then I tried to set traffic shaping like Mehdi and John suggested, and the result is that the CPU is not quite high.

Btw, I have another question. I only set up 2 interfaces, with eth3 on v1-untrust and eth4 on v1-trust. I set the maximum bandwidth to 5000 kbps and injected only FTP traffic. But why does the FTP traffic only take 1500 kbps, not 5000 kbps?

Thanks

Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0

Re: FTP traffic Cause CPU High

Hi,

 

Did you set the Traffic Shaping on the Policy or did you set the BW on the interface?

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi John,

I set traffic shaping on the policy, only in the max BW field.

Thanks

Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0

Re: FTP traffic Cause CPU High

OK, I would try to enable "Counting" on the Policy as well.  Then login to the WebUI during a transfer, go to the policy, and hit the hour glass icon.  This should tell you how much Bandwidth is in use through the Firewall for that Policy.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

Super Contributor
Posts: 231
Registered: ‎12-01-2008
0

Re: FTP traffic Cause CPU High

Hi John,

Thanks for the info. I will try it tomorrow because I'm out of the office right now. Btw, do you have a messenger like Yahoo or MSN for a quick chat?

I also want to ask you about traffic shaping.

Thanks

Distinguished Expert
Posts: 826
Registered: ‎05-04-2008
0

Re: FTP traffic Cause CPU High

Sure, my yahoo id is fir3wall72 and my gmail is firewall72.
John Judge
JNCIS-SEC, JNCIS-ENT,
