Be cautions when collecting CPU-intensive diagnostics such as IPS or WAD debugs. Collecting large volumes of diagnostics can impact network performance, particularly if this causes a CPU to be completely utilized due to high IRQ.

get sys performance status
CPU states: 0% user 1% system 0% nice 87% idle 0% iowait 12% irq 0% softirq
CPU0 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 1% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 3% system 0% nice 97% idle 0% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU4 states: 0% user 1% system 0% nice 96% idle 0% iowait 0% irq 3% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 0% idle 0% iowait 100% irq 0% softirq

CPU7 states: 0% user 2% system 0% nice 98% idle 0% iowait 0% irq 0% softirq

Some CPU usage from diagnostic commands is unavoidable; however, much of the IRQ CPU usage is due to user logs being sent to the console, or due to the WAD debug collecting 'unknown sessions' despite the application of a WAD filter. This can be prevented with the following commands.

Sending diagnostic messages to the console is not needed when collecting diagnostics over HTTPS or SSH connections. Unless collecting the log over console, disable logging to console with:

diagnose debug console no-user-log-msg enable

When filtering wad debugs, apply the following to drop all diagnostics that do not explicitly match the wad filter.

diagnose wad filter drop-unknown-session 1

Example debug for WAD:

diagnose debug console no-user-log-msg enable  <-- Use this command first
diagnose wad filter src 10.70.0.188
diagnose wad filter dst 10.10.10.10
diagnose wad filter drop-unknown-session 1
diagnose wad debug enable category http
diagnose wad debug enable level verbose
diagnose debug enable

To stop the debug: 

diagnose debug disable

diagnose wad debug clear

diagnose debug reset

diagnose wad filter clear

Note:

• Once the debugs are disabled and reset, they will be disabled as well; hence, it is required to enable them again when running relevant debug commands. 
• When starting the WAD debugs, the IP address filters do not apply to all categories of the debug, which can cause irrelevant WAD debug captures to display and contribute to CPU use. Apply ‘diagnose wad filter drop-unknown-session 1’ to prevent debug messages for these sessions. 
  
  

Verifying whether 'no-user-log' is enabled or disabled:
Run the command:

diagnose debug info
debug output: disable
console timestamp: disable
console no user log message: enable <----- After the command 'diagnose debug console no-user-log-msg enable'.
zebos debug level: 306783954 (0x124926d2)
CLI debug level: 3

Verifying whether 'drop-unknown-session' is enabled or disabled: 

Run the command:

diagnose wad filter list
drop unknown sessions: enabled <----- After the command 'diagnose wad filter drop-unknown-session 1'.