ScreenOS Firewalls (NOT SRX)

FTP traffic Cause CPU High

04-19-2009 04:29 AM

Hi All,

I have a problem with my NS208. When an FTP transfer occurs, the CPU goes high (it can reach 80%), but after the FTP transfer finishes, the CPU returns to a normal state.

From the JTAC pre-analysis, the problem is caused by box capacity: the total throughput at that time is 100 Mbps and the average packet size is less than 200 bytes.

I tried to replicate this problem in my lab using an NS25 deployed in transparent mode, and then injected FTP traffic with an 8 GB RAR file. When the FTP transfer occurs, the CPU also goes high. I also replicated this issue using L3 mode, and the CPU also increases, but not as high as when we deploy L2 mode.

Is there any different behavior related to FTP traffic when we deploy the firewall in L2 and L3 mode? By the way, could we set the packet size of the data?

Thanks

ELkim

15 REPLIES

Re: FTP traffic Cause CPU High

04-19-2009 06:40 AM

Hi,

I think it isn't very different between L2 and L3 regarding traffic. Usually L2 is deployed when the administrator needs to implement a firewall without any change to their settings or network infrastructure.

You can view chapter 7 of the documentation, Concepts & Examples ScreenOS Reference Guide; you can set and manage traffic with a policy.

Thank you

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com

Re: FTP traffic Cause CPU High

04-19-2009 07:04 PM

Hi Mehdi, the fact is like that. The CPU also increases, but not as much as when we deploy L2. By the way, what determines the speed of the FTP transfer and the size of the packets?

Thanks

Solution
Accepted by topic author ELKIM
‎08-26-2015 01:27 AM

Re: FTP traffic Cause CPU High

04-19-2009 08:44 PM

Hi,

If possible, I would recommend you try using the built-in traffic shaping feature using a Policy. For example, you could cap the FTP BW and run some more tests. This may help prevent the large FTP transfers from chewing up all the resources.

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.

Re: FTP traffic Cause CPU High

04-19-2009 10:15 PM

Hi John,

Thanks for the reply. If we do traffic shaping, the CPU won't increase? Do you have another way to solve this issue? Because I think if we do traffic shaping, the CPU will be used to shape the traffic. CMIIW

Thanks


Re: FTP traffic Cause CPU High

04-20-2009 12:17 AM

Hi ELKIM,

As I said in my last post, you can use traffic shaping: chapter 7 of the documentation, Concepts & Examples ScreenOS Reference Guide.

However, this CPU issue may be caused either by the ScreenOS version or by anomalous packets. Could you try another ScreenOS version recommended by Juniper?

From version 6.1.0r3 you can protect your CPU in the section

Configuration >>>>> CPU Protection.

And I advise you to contact support.

Message Edited by mehdi on 04-20-2009 08:20 AM

Re: FTP traffic Cause CPU High

04-20-2009 05:16 AM

Hi,

The reason why I think TS will help is because it will reduce the PPS (Packets Per Second) entering your box. Without shaping, your box is accepting and processing all packets during the transfer. Since it would be treated as a single session, the switching piece should be handled out of memory and the onboard ASIC. In my opinion, this is your best option and I don't think it's a risky test. Give it a go and let me know.

-John


Re: FTP traffic Cause CPU High

04-20-2009 03:49 PM

Hmm, actually I think FTP may be triggering the high CPU also partially because it's ALG traffic:

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

I think you can try to have 2 specific policies:

NS208-> set pol top from trust to untrust any any FTP permit
policy id = 4
NS208-> set pol id 4 application ignore

NS208-> set pol from trust to untrust any any any permit

Pol 4 will ignore the ALG processing and the next policy will permit the dynamic ports.

Take note that you have to have the permit any policy facing the side where the server is starting up the data connection (if you are using active FTP). If it's passive, then you need to have the policy from where the CLIENT starts up the data connection.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
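
The active/passive distinction in the post above decides which zone pair carries the FTP data connection once the ALG is bypassed. As an added example (not part of the original thread and not ScreenOS code), this Python code decodes the PORT command and the 227 reply from constructed control-channel lines and reports who initiates the data connection; the zone names follow the thread's policies, and the function names and sample addresses are hypothetical.

```python
import re

# Constructed control-channel lines ("C:" client, "S:" server), not captured traffic.
SAMPLE_ACTIVE = ["C: PORT 192,168,1,10,19,137", "S: 200 PORT command successful"]
SAMPLE_PASSIVE = ["C: PASV", "S: 227 Entering Passive Mode (10,0,0,5,195,80)"]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies (RFC 959)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):  # each field is a single octet
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channels(control_lines):
    """Return one dict per data connection negotiated on the control channel."""
    found = []
    for line in control_lines:
        side, _, msg = line.partition(": ")
        endpoint = None
        if side == "C" and msg.upper().startswith("PORT "):
            # Active FTP: the client listens, the server connects to it.
            mode, initiator = "active", "server"
            endpoint = decode_hostport(msg)
        elif side == "S" and msg.startswith("227 "):
            # Passive FTP: the server listens, the client connects to it.
            mode, initiator = "passive", "client"
            endpoint = decode_hostport(msg)
        if endpoint:
            found.append({"mode": mode, "initiator": initiator,
                          "listen_ip": endpoint[0], "listen_port": endpoint[1]})
    return found


def policy_direction(channel, client_zone="trust", server_zone="untrust"):
    """Zone pair (from, to) the data connection crosses; without the ALG,
    a permit policy must exist in this direction (zone names are assumptions)."""
    if channel["initiator"] == "server":
        return (server_zone, client_zone)
    return (client_zone, server_zone)
```

With the ALG active, only the decoded listen address and port would need to be opened for each transfer; with the ALG ignored, the broad permit policy in the returned direction takes its place.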

Re: FTP traffic Cause CPU High

04-20-2009 07:56 PM

Hi WL,

Could you explain this command in more detail? What do you want to show me? Sorry, I still don't know.

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

For the policy, I know what you mean.

Thanks


Re: FTP traffic Cause CPU High

04-20-2009 09:10 PM

Basically that just shows you what kind of ALGs you have on the firewall. The cmd is different on later SOS, e.g. 6.0, as we use:

"get alg" to show what ALGs are enabled on the firewall

Message Edited by WL on 04-20-2009 09:11 PM

Re: FTP traffic Cause CPU High

04-20-2009 11:25 PM

Hi WL,

Thanks for the update. I already set the policy that you suggested, but the CPU still goes high. Then I tried to set traffic shaping like Mehdi and John suggested, and the result is that the CPU is not quite high.

By the way, I have another question. I only set up 2 interfaces, with eth3 on v1-untrust and eth4 on v1-trust. I set the maximum bandwidth to 5000 kbps and injected only FTP traffic. But why does the FTP traffic only take 1500 kbps, not 5000 kbps?

Thanks


Re: FTP traffic Cause CPU High

04-21-2009 05:36 AM

Hi,

Did you set the Traffic Shaping on the Policy or did you set the BW on the interface?

-John


Re: FTP traffic Cause CPU High

04-21-2009 06:12 AM

Hi John,

I set traffic shaping on the policy, set only on the max BW field.

Thanks


Re: FTP traffic Cause CPU High

04-21-2009 06:20 AM

OK, I would try to enable "Counting" on the Policy as well. Then log in to the WebUI during a transfer, go to the policy, and hit the hourglass icon. This should tell you how much Bandwidth is in use through the Firewall for that Policy.

-John


Re: FTP traffic Cause CPU High

04-21-2009 06:52 AM

Hi John,

Thanks for the info. I will try it tomorrow because I'm out of the office right now. By the way, do you have a messenger like Yahoo or MSN for quick chat?

I also want to ask you about traffic shaping.

Thanks


Re: FTP traffic Cause CPU High

04-21-2009 07:11 AM
Sure, my yahoo id is fir3wall72 and my gmail is firewall72.