Support Center > Search Results > SecureKnowledge Details
High CPU on ClusterXL due to inspection of CCP packets Technical Level
Symptoms
  • High CPU utilization on ClusterXL resulted from inspection of CCP packets arriving from a remote cluster.
  • SecureXL is disabled / Drop templates are disabled.
  • There are performance issues and random packet drops.
  • Outputs can be seen in fw ctl zdebug drop:
    fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> x.x.x.0:8116 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule XXX;
    OR
    fw_log_drop_ex: Packet proto=17 0.0.0.0:8116 -> y.y.y.0:8116 dropped by fw_send_log_drop Reason: Rulebase reject - on layer "policy Security" rule XXX;
Cause

Several different clusters are sharing the same network segments. In this scenario, when the CCP mode is set to broadcast or multicast (per sk20576) , the CCP packets will reach neighbors clusters.

Internal CCPs originated from within the cluster are terminated upon process completion in the cluster level, however CCP packets arriving from the network (from remote clusters) are forwarded to the firewall for rule base inspection upon process completion in the cluster level in case it is a legitimate traffic arriving on port 8116.

This may lead, in some situations, to extremely high CPU consumption and performance impact.


Solution
Note: To view this solution you need to Sign In .