High CPU when traffic is dropped by fw

Support Center > Search Results > SecureKnowledge Details

High CPU when traffic is dropped by fw_workers

Technical Level

Solution ID	sk150812
Technical Level
Product	SecureXL
Version	R80.10 (EOL)
OS	Gaia
Platform / Model	All
Date Created	29-Apr-2019
Last Modified	16-Dec-2021

Symptoms

High CPU is observed when there is a high amount of dropped packets by fw_workers.
Although "drop templates" feature is enabled (as per sk90861), users still see the dropped traffic handled by fw_workers.

The output of fwaccel stats -d (to show the statistics of drops by SecureXL), does not show any increase of the drop templates section.

Example:
[Expert@Hostname:0]# fwaccel stats -d
Reason                Value              Reason                Value
--------------------  ---------------    --------------------  ---------------
general reason                  13478    CPASXL decision                     0
PSLXL decision                      0    clr pkt on vpn                      0
encrypt failed                      0    drop template                       0
decrypt failed                      0    interface down                      0
cluster error                       0    XMT error                           0
anti spoofing                    1901    local spoofing                      0
sanity error                        0    monitored spoofed                   0
QOS decision                        0    C2S violation                       0
S2C violation                       0    Loop prevention                     0
DOS Fragments                       0    DOS IP Options                      0
DOS Blacklists                      0    DOS Penalty Box                     0
DOS Rate Limiting                   0    Syn Attack                          0
Reorder                             0    Expired Fragments                   0

Cause

A lock in the code is preventing from drop templates to work correctly, as a result, the FW keeps offloading the dropped connections to SecureXL.

The CPU processing required for the instances (both for dropping traffic and offloading to SXL), resulting with high load over the CoreXL instances (relevant also to VSX).

Solution

Note: To view this solution you need to Sign In .