FortiGate
ssanga
Staff & Editor
Article Id 345634
Description This article describes the workaround and fix schedule for an issue where the IPS engine daemon (ipsengine) consumes high CPU after upgrading to v7.2.9 or v7.2.10.
Scope FortiGate v7.2.9 and v7.2.10.
Solution

After upgrading to v7.2.9 or v7.2.10, overall system CPU usage increases because several IPS engine daemon (ipsengine) processes consume CPU across different cores, as the following outputs show.

diagnose sys top 2 50
Run Time: 2 days, 15 hours and 33 minutes
10U, 0N, 15S, 62I, 0WA, 1HI, 12SI, 0ST; 24140T, 15071F
ipsengine 4742 R < 63.5 1.2 1
ipsengine 4744 S < 36.0 1.2 10
ipsengine 4743 R < 34.5 1.1 3
ipsengine 4741 S < 29.5 1.1 0
ipsengine 4747 R < 29.5 1.1 6
ipsengine 4746 R < 27.5 1.1 5
ipsengine 4753 S < 23.5 1.1 13
ipsengine 4751 R < 22.5 1.1 11
ipsengine 4752 S < 22.0 1.1 12
ipsengine 4750 S < 20.0 1.1 14
ipsengine 4748 S < 19.5 1.1 7
ipsengine 4754 R < 19.0 1.1 15
ipsengine 4749 S < 19.0 1.1 9
ipsengine 4745 R < 19.0 1.1 4
get sys perf stat

CPU states: 15% user 34% system 0% nice 16% idle 0% iowait 0% irq 35% softirq
CPU0 states: 18% user 55% system 0% nice 17% idle 0% iowait 0% irq 10% softirq
CPU1 states: 20% user 5% system 0% nice 58% idle 0% iowait 0% irq 17% softirq
CPU2 states: 2% user 0% system 0% nice 9% idle 0% iowait 0% irq 89% softirq
CPU3 states: 6% user 3% system 0% nice 41% idle 0% iowait 0% irq 50% softirq
CPU4 states: 24% user 67% system 0% nice 4% idle 0% iowait 0% irq 5% softirq
CPU5 states: 2% user 9% system 0% nice 3% idle 0% iowait 0% irq 86% softirq
CPU6 states: 21% user 57% system 0% nice 1% idle 0% iowait 0% irq 21% softirq
CPU7 states: 26% user 71% system 0% nice 3% idle 0% iowait 0% irq 0% softirq
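
As an added illustration (not part of the original article), the following Python script parses the two outputs shown above and flags the pattern the article describes: many ipsengine processes each using a large share of CPU, spread across cores, alongside cores that are mostly in softirq. The column layout assumed for 'diagnose sys top' (name, PID, state, optional '<' priority flag, CPU%, MEM%, core), the samples (constructed from the article's output) and the thresholds are assumptions.

```python
import re

# Constructed sample: a subset of the 'diagnose sys top 2 50' output above.
SYS_TOP_SAMPLE = """\
10U, 0N, 15S, 62I, 0WA, 1HI, 12SI, 0ST; 24140T, 15071F
ipsengine 4742 R < 63.5 1.2 1
ipsengine 4744 S < 36.0 1.2 10
ipsengine 4743 R < 34.5 1.1 3
ipsengine 4741 S < 29.5 1.1 0
ipsengine 4747 R < 29.5 1.1 6
ipsengine 4746 R < 27.5 1.1 5
"""

# Constructed sample: a subset of the 'get sys perf stat' output above.
PERF_STAT_SAMPLE = """\
CPU states: 15% user 34% system 0% nice 16% idle 0% iowait 0% irq 35% softirq
CPU0 states: 18% user 55% system 0% nice 17% idle 0% iowait 0% irq 10% softirq
CPU2 states: 2% user 0% system 0% nice 9% idle 0% iowait 0% irq 89% softirq
CPU3 states: 6% user 3% system 0% nice 41% idle 0% iowait 0% irq 50% softirq
CPU5 states: 2% user 9% system 0% nice 3% idle 0% iowait 0% irq 86% softirq
"""

# Assumed layout: name, PID, state, optional '<' priority flag, CPU%, MEM%, core.
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s+(?:<\s+)?([\d.]+)\s+([\d.]+)\s+(\d+)\s*$")
CORE_RE = re.compile(r"^CPU(\d+) states:.*?(\d+)% softirq")


def parse_sys_top(text):
    """Return (name, pid, cpu_pct, core) for every process line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(4)), int(m.group(6))))
    return rows


def ipsengine_load(rows, per_proc_threshold=20.0):
    """Summarise ipsengine CPU use: total %, distinct cores touched, PIDs over threshold."""
    ips = [r for r in rows if r[0] == "ipsengine"]
    return {
        "total_cpu": round(sum(r[2] for r in ips), 1),
        "cores": sorted({r[3] for r in ips}),
        "hot_pids": [r[1] for r in ips if r[2] >= per_proc_threshold],
    }


def softirq_hot_cores(text, threshold=50):
    """Cores whose softirq share is at or above threshold, as seen alongside the ipsengine load."""
    hits = (CORE_RE.match(line) for line in text.splitlines())
    return [int(m.group(1)) for m in hits if m and int(m.group(2)) >= threshold]
```

Feed it the full outputs captured from a unit before and after the upgrade to compare the ipsengine totals and the set of cores involved.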
This issue is triggered only when:

  1. Application Control Security Profile is enabled in a firewall policy with proxy mode inspection.
  2. 'inspect-all' is enabled in the SSL/SSH Inspection profile.
This issue is fixed in IPS engine (IPSE) versions v7.2.8:0345, v7.4.6:0551, and v7.6.1:1021. For the upgrade procedure, refer to the KB article: Technical Tip: How to manually upgrade the IPS Engine
Workaround:

Downgrade the IPS engine to v7.00341 (open a support ticket so that the TAC team can provide the file) and disable auto-update of the IPS engine so that it is not automatically upgraded back to the affected version.
To disable the auto-update schedule, run the following commands:

config system autoupdate schedule
    set status disable
end