'clish' and 'confd' processes consume CPU at high level after SSH session for non-local TACACS user has been expired/killed

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk104579
Product	Security Gateway
Version	R77.10, R77.20, R77.30
OS	Gaia
Platform / Model	All
Date Created	05-Feb-2015
Last Modified	24-Jun-2018

Symptoms

'clish' and 'confd' processes consume CPU at high level after SSH session for non-local TACACS user has been expired/killed.

Running strace (provided by Check Point Support) on clish process of expired non-local user session shows:

socket(PF_UNIX, SOCK_STREAM, 0) = 13
setsockopt(13, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
setsockopt(13, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0
connect(13, {sin_family=AF_UNIX, path="/tmp/xgets"}, 13) = 0
write(13, "\1\3\0\0\0:\0\0\0\0\0\0\1\0\0\7USERNAME\0\0\0\0volat"..., 70) = 70
select(1024, [13], NULL, NULL, {10, 0}) = 1 (in [13], left {9, 999000})
read(13, "\2\3\0\0\0\0\0\0\0\0\0\0", 12) = 12
close(13) = 0
unlink(umovestr: Input/output error 0x2) = -1 EFAULT (Bad address)
uname({sys="Linux", node="HOSTNAME", ...}) = 0
getuid32() = 0

Multiple Clish process running consuming high cpu

Cause

'clish' keeps running the session for expired TACACS non-local SSH session.

'clish' does not delete socket bindings after TACACS non-local SSH session has been expired.

Solution

Note: To view this solution you need to Sign In .