The 'clish' and 'confd' processes consume a high level of CPU after an SSH session for a non-local TACACS user has expired or been killed.
Running strace (provided by Check Point Support) on the 'clish' process of the expired non-local user session shows:
socket(PF_UNIX, SOCK_STREAM, 0) = 13
setsockopt(13, SOL_SOCKET, SO_SNDBUF, [65536], 4) = 0
setsockopt(13, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0
connect(13, {sin_family=AF_UNIX, path="/tmp/xgets"}, 13) = 0
write(13, "\1\3\0\0\0:\0\0\0\0\0\0\1\0\0\7USERNAME\0\0\0\0volat"..., 70) = 70
select(1024, [13], NULL, NULL, {10, 0}) = 1 (in [13], left {9, 999000})
read(13, "\2\3\0\0\0\0\0\0\0\0\0\0", 12) = 12
close(13) = 0
unlink(umovestr: Input/output error 0x2) = -1 EFAULT (Bad address)
uname({sys="Linux", node="HOSTNAME", ...}) = 0
getuid32() = 0
'clish' keeps the session running after the TACACS non-local SSH session has expired.
'clish' does not delete socket bindings after the TACACS non-local SSH session has expired.