Description
This article describes a solution for lower-end model FortiGate with 2GB of RAM to avoid conserve mode due to ipshelper and high IO wait.
Scope
FortiGate v7.2, v7.4.
Solution
This was addressed and fixed in v7.4.6 and v7.6.1 and will be fixed in v7.2.11 once it is released. In case the problem persists, the workaround should be applied.
The following output is from FortiGate 60F with the issue:
get sys performance status
CPU states: 1% user 0% system 0% nice 54% idle 45% iowait 0% irq 0% softirq
CPU0 states: 5% user 3% system 0% nice 2% idle 89% iowait 0% irq 1% softirq
CPU1 states: 0% user 0% system 0% nice 53% idle 47% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 1% idle 99% iowait 0% irq 0% softirq
CPU3 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU4 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 52% idle 48% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU7 states: 6% user 0% system 0% nice 18% idle 76% iowait 0% irq 0% softirq
Memory: 1957612k total, 1690808k used (86.4%), 119700k free (6.1%), 147104k freeable (7.5%)
Average network usage: 662 / 723 kbps in 1 minute, 862 / 809 kbps in 10 minutes, 4436 / 4434 kbps in 30 minutes
Maximal network usage: 1817 / 1809 kbps in 1 minute, 31313 / 31307 kbps in 10 minutes, 39774 / 39771 kbps in 30 minutes
Average sessions: 2716 sessions in 1 minute, 1147 sessions in 10 minutes, 559 sessions in 30 minutes
Maximal sessions: 3058 sessions in 1 minute, 3058 sessions in 10 minutes, 3058 sessions in 30 minutes
Average session setup rate: 10 sessions per second in last 1 minute, 4 sessions per second in last 10 minutes, 2 sessions per second in last 30 minutes
Maximal session setup rate: 15 sessions per second in last 1 minute, 18 sessions per second in last 10 minutes, 20 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 1 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 3 days, 21 hours, 38 minutes
diag sys top-mem 30
ipshelper (192): 273509kB
node (191): 82268kB
ipsengine (16379): 73474kB
ipsengine (16378): 72402kB
ipsengine (16377): 71354kB
wad (15843): 50977kB
scanunitd (24178): 39431kB
wad (15845): 18091kB
reportd (190): 14976kB
cid (240): 14769kB
cw_acd (218): 14515kB
forticldd (181): 13230kB
cmdbsvr (142): 13164kB
miglogd (189): 11914kB
forticron (180): 10393kB
csfd (236): 8041kB
miglogd (325): 7793kB
dnsproxy (243): 7744kB
fgfmd (217): 7618kB
newcli (16408): 7369kB
wad (15834): 7049kB
nsm (151): 6827kB
initXXXXXXXXXXX (1): 6640kB
urlfilter (333): 5875kB
imi (314): 5744kB
bgpd (156): 5429kB
wad (15840): 5058kB
pdmd (160): 4663kB
ospfd (154): 4649kB
pimd (158): 4645kB
Top-30 memory used: 869611kB
diag sys top 1 30
Run Time: 3 days, 21 hours and 37 minutes
0U, 0N, 1S, 75I, 24WA, 0HI, 0SI, 0ST; 1911T, 127F
| newcli |
24183 |
R |
7.1 |
0.6 |
1 |
| sshd |
16407 |
S |
7.1 |
0.5 |
1 |
| ipshelper |
192 |
D < |
0 |
14.9 |
0 |
| ipsengine |
16379 |
D < |
0 |
7.4 |
5 |
| ipsengine |
16378 |
D < |
0 |
7.4 |
0 |
| ipsengine |
16377 |
D < |
0 |
7.3 |
0 |
| node |
191 |
S |
0 |
4.2 |
4 |
| wad |
15843 |
S |
0 |
3.6 |
4 |
| scanunitd |
24178 |
S < |
0 |
2.9 |
4 |
| miglogd |
189 |
D |
0 |
1.8 |
0 |
| cw_acd |
218 |
S |
0 |
1.6 |
0 |
| cmdbsvr |
142 |
S |
0 |
1.6 |
0 |
| forticron |
180 |
S |
0 |
1.5 |
3 |
| reportd |
190 |
S |
0 |
1.5 |
1 |
| wad |
15845 |
D |
0 |
1.4 |
0 |
| wad |
15834 |
S |
0 |
1.4 |
3 |
| forticldd |
181 |
S |
0 |
1.3 |
2 |
| csfd |
236 |
S |
0 |
1.2 |
2 |
| fgfmd |
217 |
S |
0 |
1.2 |
7 |
| initXXXXXXXXXXX |
1 |
S |
0 |
1.1 |
0 |
| httpsd |
175 |
S |
0 |
1.1 |
4 |
| newcli |
16408 |
S |
0 |
1.1 |
1 |
| miglogd |
325 |
D |
0 |
1.1 |
0 |
| dnsproxy |
243 |
S |
0 |
1 |
7 |
| cid |
240 |
S |
0 |
1 |
6 |
| extenderd |
235 |
S |
0 |
0.9 |
1 |
| fcnacd |
187 |
S |
0 |
0.8 |
6 |
| autod |
237 |
S |
0 |
0.8 |
2 |
| updated |
197 |
S |
0 |
0.8 |
5 |
| urlfilter |
333 |
S < |
0 |
0.8 |
7 |
Workaround:
config ips global
set np-accel-mode none
set cp-accel-mode none
end
More info on np-accel-mode and cp-accel-mode:
Technical Tip: IPSA offloads flow-based advanced pattern matching
Technical Tip: Nturbo functions within FortiOS
IPSA offloads flow-based pattern matching
NTurbo and IPSA
Related articles:
Technical Tip: FortiGate is entering into Conserve Mode during FortiGuard Updates
Technical Tip: Reduce memory usage by reducing the number of spawned daemons
