Technical Tip: EAP_Proxy consuming high CPU after upgrade to FortiOS v7.2.5 or v7.4.0
| Description | This article describes the workaround and fix schedule for an issue where the eap-proxy daemon utilizes high CPU after upgrading to FortiOS v7.2.5/v7.4.0 and uses certificate bundle 1.00044/1.00045/1.00046/1.00047. |
| Scope | FortiGate v7.2.1, v7.2.5, v7.4.0. |
| Solution | After upgrading to FortiOS v7.2.5 or v7.4.0, CPU utilization may be too high after the certificate bundle is upgraded from 1.00043 to 1.00044/1.00045/1.00046/1.00047.
All of the following FortiOS versions are affected:
To identify the daemon that uses a high CPU, run the command below:
diagnose sys top 1
In the following FortiGate that is running on FortiOS v7.2.5, it is observed that the eap_proxy daemon is running on a high CPU:
diagnose sys top 1
To confirm if the eap_proxy is having an issue, proceed to check the crash log with the following command:
diagnose deb crashlog read
The eap-proxy has been restarting every few seconds:
diagnose debug crashlog read
If FortiGate had recently upgraded the certificate bundle from 1.00043 to 1.00044, 1.00045, 1.00046, or 1.00047, the respective version matches a known bug. It is then necessary to check the certificate bundle version with the following command:
The trigger condition is not tied to certain certificate bundle versions. Any certificate bundle version upgrade can potentially trigger this behavior.
diagnose autoupdate versions | grep -A6 "Certificate"
If all three of the symptoms match, it would be a match to bug 923164 documented in the FortiOS v7.4.0 release note:
Workaround: Reboot FortiGate or restart the eap_proxy process in the CLI:
fnsysctl killall eap_proxy
To kill the process using the process ID, execute the following commands to find and kill the process:
diagnose sys process pidof eap_proxy diagnose sys kill 11 <process_id>
Solution:
|