FortiGate
yangw
Staff
Article Id 377205
Description: This article provides a workaround for the 'iked.session takes CPU usage 99%' issue in v7.6.1 and v7.6.2.
Scope: FortiGate, v7.6.1 and v7.6.2
Solution

Verify the true cause:

With NTP servers configured over IPsec (set ntpsync enable), the iked.session daemon consumes 99.9% CPU on one core after upgrading to v7.6.1 or v7.6.2.

The commands below can be used to trace which process is consuming the CPU and to confirm whether the symptom is related to this issue:

diagnose sys top 5 50 <----- Run it for 20 seconds, press 'q' to quit sys top.
diagnose debug crashlog read

There is no direct correlation with the NTP sync configuration; the issue can present itself even without 'set ntpsync enable'.

Debug output:

4U, 0N, 7S, 89I, 0WA, 0HI, 0SI, 0ST; 16046T, 8407F
iked 489 R 99.9 0.2 4

2025-02-07 01:53:19 <00489> firmware FortiGate v7.6.1,build3457b3457,241127 (GA.F) (Release)
2025-02-07 01:53:19 <00489> application iked.session
2025-02-07 01:53:19 <00489> *** signal 11 (Segmentation fault) received ***

Action plan:

If the debug output matches the above, the device is affected by this issue. Schedule a maintenance window to upgrade the firmware to v7.6.3.

The issue is triggered by the IKE TCP session being stuck in the 'close_wait' state, which can be confirmed with the command below:

diagnose sys tcpsock | grep iked

10.10.10.10:4500->192.168.20.20:41644->state=close_wait err=0 socktype=1 rma=4928 wma=0 fma=3264 tma=0 inode=364430203 process=14251/iked
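As an added example that is not part of the Fortinet article, the Python triage helper below checks saved output of the three diagnostics above for the signature described here (iked at high CPU in 'diagnose sys top', an iked.session signal 11 in the crashlog, and an iked socket in close_wait in 'diagnose sys tcpsock'). The sample outputs are constructed from the article's own lines plus one unrelated socket line, and the 90% CPU threshold is an assumption.

```python
import re

# Constructed sample output modelled on the article's three diagnostics (not from a real device).
SYS_TOP_SAMPLE = """\
4U, 0N, 7S, 89I, 0WA, 0HI, 0SI, 0ST; 16046T, 8407F
iked 489 R 99.9 0.2 4
"""
CRASHLOG_SAMPLE = """\
2025-02-07 01:53:19 <00489> firmware FortiGate v7.6.1,build3457b3457,241127 (GA.F) (Release)
2025-02-07 01:53:19 <00489> application iked.session
2025-02-07 01:53:19 <00489> *** signal 11 (Segmentation fault) received ***
"""
TCPSOCK_SAMPLE = """\
10.10.10.10:4500->192.168.20.20:41644->state=close_wait err=0 socktype=1 rma=4928 wma=0 fma=3264 tma=0 inode=364430203 process=14251/iked
10.10.10.10:443->192.168.20.21:50022->state=established err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=364430210 process=1200/httpsd
"""

# 'diagnose sys top' process rows: name pid state cpu% mem% ...
TOP_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+\S\s+(?P<cpu>[\d.]+)\s")
# crashlog rows carry the PID in angle brackets, then the message
CRASH_RE = re.compile(r"<(?P<pid>\d+)>\s+(?P<msg>.*)$")
# 'diagnose sys tcpsock' rows: socket state and owning process
SOCK_RE = re.compile(r"state=(?P<state>\w+).*process=(?P<pid>\d+)/(?P<name>\S+)")

def high_cpu_iked(sys_top, threshold=90.0):
    """PIDs of iked processes at or above the CPU threshold (assumed 90%) in 'diagnose sys top' output."""
    return [int(m["pid"]) for m in map(TOP_RE.match, sys_top.splitlines())
            if m and m["name"] == "iked" and float(m["cpu"]) >= threshold]

def iked_segfault_pids(crashlog):
    """PIDs whose crashlog entries name iked.session and then report signal 11."""
    app_pids, crashed = set(), set()
    for m in filter(None, map(CRASH_RE.search, crashlog.splitlines())):
        pid, msg = int(m["pid"]), m["msg"]
        if msg.startswith("application iked.session"):
            app_pids.add(pid)
        elif "signal 11" in msg and pid in app_pids:
            crashed.add(pid)
    return crashed

def close_wait_iked_sockets(tcpsock):
    """Lines from 'diagnose sys tcpsock' where an iked socket is stuck in close_wait."""
    return [line for line in tcpsock.splitlines()
            if (m := SOCK_RE.search(line)) and m["name"] == "iked" and m["state"] == "close_wait"]

def matches_article_signature(sys_top, crashlog, tcpsock):
    """True only when all three indicators described in the article are present."""
    return bool(high_cpu_iked(sys_top) and iked_segfault_pids(crashlog)
                and close_wait_iked_sockets(tcpsock))
```

Feed it the text captured from each command (for example over SSH) to decide whether a unit is a candidate for the v7.6.3 upgrade rather than some other CPU problem.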