ScreenOS Firewalls (NOT SRX)
Visitor
DinkumThinkum
Posts: 6
Registered: ‎04-04-2009
0

snoop - how likely it is to cause very high CPU utilization

I would like to know how safe snoop is to use in a production environment.

We had an issue yesterday where a simple snoop caused 90% CPU utilization on our SSG140.

 

The snoop was for traffic to a peer router (backup ISP, /30 subnet) where we should have only PING traffic.

There were two filters:

  ip src-ip <isp router ip>

  ip dst-ip <isp router ip>

 

It ran snoop for maybe a few seconds and the high load on the router started causing several second delays within our network.

 

I killed the snoop and the CPU use was back to normal 5%.

Trusted Contributor
yorel
Posts: 32
Registered: ‎07-23-2009
0

Re: snoop - how likely it is to cause very high CPU utilization

Take a look at this link:

 

http://kb.juniper.net/index?page=content&id=KB4493&actp=search&searchid=1250085069436

Visitor
DinkumThinkum
Posts: 6
Registered: ‎04-04-2009
0

Re: snoop - how likely it is to cause very high CPU utilization

I have already looked at the provided link.

 

I know that the CPU utilization can be higher when doing snoop. 

 

My question is: how high can I expect it to be?

What is the chance that a snoop can raise the CPU use to 90%?

How do I do a snoop that is safe and will not bring the router down?

Super Contributor
ELKIM
Posts: 227
Registered: ‎12-01-2008
0

Re: snoop - how likely it is to cause very high CPU utilization

Hi

May I know what ScreenOS you use?

Thanks

EL

Super Contributor
oldtimer
Posts: 227
Registered: ‎11-06-2007
0

Re: snoop - how likely it is to cause very high CPU utilization

This depends on how much traffic is hitting your filters.  If you have a filter that is not very specific, and you have a lot of traffic running through it, it can drive the CPU to 90% and higher.  This is why specifying the correct filter is so important with snoop and debug flow.  Keep in mind that every packet that matches the filter will have to be processed by the CPU, then written to a portion of flash.  Snoop and debug flow are two troubleshooting commands that will drive the CPU up high more than any other commands.

 

If you have no filters, and you have a lot of traffic, it can certainly drive the CPU up to 100%.

Super Contributor
arizvi
Posts: 287
Registered: ‎10-21-2008
0

Re: snoop - how likely it is to cause very high CPU utilization

  ip src-ip <isp router ip>

  ip dst-ip <isp router ip>

 

The above filters are capturing all the packets coming from the ISP router and sent to the ISP router. It might be possible that some other traffic is coming from or going to the ISP router, and that is what makes the CPU go high.

If you would like to capture only the ICMP packets, it is safe to use the following:

set ff src-ip <isp router ip> ip-proto 1

set ff dst-ip <isp router ip> ip-proto 1    /* ip-proto is to capture protocol number 1, which is ICMP */

 

Thanks

Atif
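
Added example (not part of the original thread): a narrowly scoped, short snoop session for the ICMP-only case discussed above, written with the ScreenOS `snoop filter` syntax rather than the `set ff` debug flow filter quoted in the post. `<isp router ip>` is the placeholder used in the thread; lines starting with `#` are annotations and are not typed, and the option names should be checked against the ScreenOS release in use.

```screenos
# Start clean: remove leftover snoop filters and empty the debug buffer,
# so nothing broader than intended is matched or replayed.
snoop filter delete
clear dbuf

# Terms on one filter line are ANDed; separate filter lines are ORed.
# Each line below matches only ICMP (IP protocol 1) to or from the peer.
snoop filter ip src-ip <isp router ip> ip-proto 1
snoop filter ip dst-ip <isp router ip> ip-proto 1

# Verify the filters and note the CPU baseline before enabling capture.
snoop info
get performance cpu

# Capture for a few seconds only, watching CPU while it runs.
snoop
get performance cpu
snoop off

# Read the captured packets, then remove the filters again.
get dbuf stream
snoop filter delete
```

If `get performance cpu` climbs sharply while snoop is on, stop with `snoop off` and tighten the filter before trying again.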
