Not applicable

CPU maxes out & all traffic stops passing

We are using an 800 running 2.8 MR4. On Friday, we were on 2.5 MR8, were having the same CPU maxed out problems, so we were told to upgrade. The problem still exists, wondering if anyone else is experiencing the same issues. We are a wireless ISP with somewhere around 900+ customers coming through the core. The 800 sits at the core, and all traffic goes through it. When all traffic stops, bossman gets upset, so I need a fix soon!! I have been noticing that it's been detecting Code Red viruses, not seeing it in the logs, but in the recent virus detections on the system status page. Wondering if it's really dropping those entries, or if it's passing it to adjacent routers?? Is anyone else experiencing CPU maxing out?
Not applicable

High CPU has been a constant problem for us. I had an 800 before with a 25 Mb DS3 link and it constantly ran at above 80% and eventually 98%-100% and all WEB traffic would stop. I just upgraded to a fortigate 1000 running 2.50 MR10. It is still running at around 90% and we had some traffic stopped occasionally when the CPU shoots up. I turn off all disk logging and it seems to run a little better but CPU usage still shoots up to 75%-80%. I have a few fortigate 100s, the ones without a hard drive. They seem to be okay and never gave me a problem. But then again those units typically only connect to a T-1 or DSL with much less traffic. I am afraid to upgrade my 1000 to 2.80 MR4. Their web site claims that the fortigate 1000 will support a Gb link. I really do not see how that is possible, maybe you have to turn off all antivirus and IDS/IPS scanning. Then what is the point?! Please let me know how you make out with your issue. I am interested to know. Thanks
Not applicable

Yes, if we turn off all virus scanning, it does bring the CPU down to where it should be, however, the only thing we're using this for is for the virus protection & IDS. So if we can't use those functions, the box is really no good to us.
Not applicable

We have experienced similar things lately. We have 2 FG400s in an Active-Active HA group running v2.50 MR9. I also monitor these firewalls via 2 SNMP checks for high session count (possible virus in the network) and system uptime (to see if it recently rebooted). Both of these checks started going crazy yesterday. However, when I checked the firewalls, they seemed fine. When these alerts happened, the connection to any Internet site was extremely sluggish and accessing our websites from outside was as well. Furthermore, accessing the web-based GUI was not happening. After several alerts sent to me, I checked the firewall again and my secondary firewall showed up with a red circle and X in the cluster members section of the GUI. Monitoring only showed the local firewall. We suspected just about everything but the units themselves - our network switches, the switch going to the Internet router, the cable for HA - but it turns out there seems to be an issue with the latest antivirus update that was pushed to us. After spending a while on the phone with support last night, this was the conclusion that we reached. I was told to either go to MR 10 or I could disable the AV scanning on the rules using HTTP. Apparently, Fortinet R&D is researching this "known issue" and hopes to have something to fix this soon if not today. In the meantime, we have disabled AV scanning on the HTTP traffic to our published websites. Not a great solution since we bought the Fortinets for their AV capability.
gregs
New Contributor

Let me add my 2 cents. I have a FG3600 OS 2.8, + hard disk. CPU usage is constant 70% with spikes to 93%, only 2500 sessions, 28% memory used. I only have a 6Mb internet connect at this point, it is supposed to handle Gb. We will be going to a 100Mb connect in the near future. I am very concerned now that this box will not handle the traffic. My reseller tells me 70% is ok but any higher is a problem. I have turned off ALL logging today to see if it makes a difference, it does not. Perhaps I need to open a support incident to resolve the problem. Greg
Not applicable

gregs, with a 3600 running at CPU usage of 70% on only a 6Mbit connection, I would definitely call Fortinet and get a case open. I would think this would be a cause for concern. The big selling point of these boxes from a technical perspective is the ASIC. This is supposed to offload AV, IDS, Policy Checking and IPSec from the CPU to give better performance. The 3600 should be able to handle 6Mbit with its hands tied behind its back (figuratively speaking).
Not applicable

Greg, are you running 2.80 MR3 or MR4? MR3 is crap and our fortigate 1000 box with a 25Mb DS3 was running at constant 90+%. I had to downgrade it to 2.50 MR10. I will not upgrade to 2.80 MR4 until I get more feedback. Even with 2.50 MR10, CPU usage will spike above 80% when internet traffic hits above 6~7 Mb/s and higher if it goes above 10 Mb/s. Their marketing material stated that my fortigate 1000 can support up to a Gb link. I have no idea what they base that on?
Not applicable

Yes, we are running 2.8 MR4 now. On Friday when we were totally down, we were told that the software we were on (2.51 MR8) was so old, that it had performance issues. He said that any 2.8 would be much better at managing the CPU, however, we figured since we were down anyway, we'd go ahead & bump all the way up to the top level. That way when we'd call for support and they tell you to "upgrade the software" (again) we'd already be at the highest and they'd have to escalate the issue to someone who has a better answer.
Not applicable

I have had a similar problem for the last 2 days. I just get connection loss and cannot use the fw GUI or ssh. I need some suggestions. My device is an 800 now with 2.50 MR9, URL block on and IDS feature disabled now.
Not applicable

We've experienced a similar problem as discussed HERE. We don't use AV for HTTP traffic however. The problem we had was a result of POP traffic. It appears that going to MR10 resolved our issues (no more problems late yesterday or so far today).