How to Troubleshoot High CPU Utilization on Check Point Edge Devices
Objective

This document explains the steps for troubleshooting High CPU Utilization on Check Point centrally managed UTM-1 Edge Appliances.

Details

Supported Versions
Edge firmware 8.2.x and up

Supported Appliances
UTM-1 Edge X Series
UTM-1 Edge N Series

Before You Start

Related Documentation and Assumed Knowledge
sk67760, sk66800, sk35913, sk66440, sk65846
How-To-RMA-Edge

Troubleshooting High CPU

To find the root cause of the High CPU Utilization:

1. Connect to the Edge device using SSH and run the command "info dev". Information on the CPU utilization of the Edge device will appear.
2. In SmartDashboard, go to the SmartDefense / IPS tab assigned to the Edge device and deactivate it.
3. Make sure local SmartDefense is disabled (set to Minimal).
4. Delete or disable unnecessary NAT rules. Avoid using groups as source and destination in the remaining active NAT rules.
5. Create a dedicated policy under a different name with an any->any accept rule and push it to the Edge device.
6. Disconnect the Edge device from the management center.

©2012 Check Point Software Technologies Ltd. All rights reserved. Classification: [Restricted] ONLY for designated groups and individuals | P. 1

If you see high traffic latency and VPN failures during high CPU load on your Edge device, caused by simultaneous pings passing through it, upgrade the Edge firmware to version 8.2.50.

If the CPU load on the Edge device rises to 100% when a file is transferred through the Edge device over a PPTP VPN tunnel, also upgrade to the new v8.2.50 firmware. (A fix to improve the processing of GRE packets in both directions was integrated into firmware 8.2.50.)

IMPORTANT NOTE: If ICMP traffic is present in the customer's environment, the ICMP improvements should be enabled (by default they are disabled).
To enable the ICMP improvements:

Open an SSH session (either in the Edge UI go to Setup > Tools > Command, or use an SSH client of your choice) and run this command:

    set enhanced cache-icmp true

To enable the ICMP improvements permanently:

1. Export the current configuration
   A. Open Internet Explorer (only) browser window
   B. From Edge UI go to Setup > Tools > Export
2. Edit the exported configuration file
   A. Open the file in a text editor
   B. Add these command lines above the last line in the file

          set enhanced cache-icmp true
          # END Configuration script

3. Save the modified configuration file
4. Import the modified configuration file
   A. Open Internet Explorer (only) browser window
   B. From Edge UI go to Setup > Tools > Import
   C. Check the output for errors/failures

Completing the Procedure

If you still experience High CPU Utilization on the Edge device after performing the steps above, do these steps:

1. From LAN go to http://Edge_LAN_IP_Address/pub/test.html, from WAN go to https://Edge_WAN_IP_Address:981/pub/test.html
2. If Hardware Status shows NAND=1, install relevant firmware via TFTP. Refer to the SK article sk37668.
   NOTE: When installing firmware via TFTP, both Primary flash memory and Backup flash memory get erased.
3. If Hardware Status shows NAND=0, it indicates a hardware issue and we will RMA this unit.

If none of the above steps solved the issue, you should contact Check Point support for further troubleshooting with the following information:

1. Configuration from UTM-1 Edge (GUI - Setup - Tools - Export ; use Internet Explorer browser only)
2. Diagnostics from UTM-1 Edge (GUI - Setup - Tools - Diagnostics - SCROLL to the bottom - Save as HTML)
3. Screenshot of the Status window from UTM-1 Edge (GUI - Reports - Status)
4. Event Log from UTM-1 Edge (GUI - Logs - Event Log - Save)
5. Security Log from UTM-1 Edge (GUI - Logs - Security Log - Save)
6. Packet Sniffer (GUI - Setup - Tools Capture network traffic > Sniffer)
7. CPinfo from the Management (SmartCenter)
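
Step 2 of the permanent ICMP procedure above (placing the setting above the last line of the exported file) can be done repeatably with a small script; this is an added example, not Check Point code. It assumes the export's last line is the "# END Configuration script" marker shown in step 2B; the sample content and the file name in the usage comment are constructed.

```python
import re
import sys

SETTING = "set enhanced cache-icmp true"
# Assumption: the exported file's last line is this marker, as shown in step 2B.
END_MARKER = "# END Configuration script"
ICMP_RE = re.compile(r"^\s*set\s+enhanced\s+cache-icmp\s+\S+\s*$", re.IGNORECASE)

# Constructed sample export (placeholder content, CRLF line endings).
SAMPLE = (
    "# constructed placeholder for exported settings\r\n"
    "set enhanced cache-icmp false\r\n"
    "# END Configuration script\r\n"
)


def enable_cache_icmp(config_text):
    """Return (new_text, changed) with SETTING placed directly above END_MARKER."""
    # Keep the file's own line endings (an export saved on Windows may use CRLF).
    newline = "\r\n" if "\r\n" in config_text else "\n"
    lines = config_text.splitlines()

    # Ignore trailing blank lines, then require the END marker as the last line.
    while lines and not lines[-1].strip():
        lines.pop()
    if not lines or lines[-1].strip() != END_MARKER:
        raise ValueError("last line is not the END marker; file left untouched")

    body = lines[:-1]
    # Choice made in this example: remove any earlier cache-icmp line
    # (for example one set to false) so exactly one setting remains.
    new_body = [ln for ln in body if not ICMP_RE.match(ln)] + [SETTING]
    changed = new_body != body
    return newline.join(new_body + [END_MARKER]) + newline, changed


if __name__ == "__main__":
    # Usage: python enable_cache_icmp.py exported_config.cfg  (hypothetical file name)
    path = sys.argv[1]
    with open(path, newline="") as fh:  # newline="" preserves CRLF on read
        original = fh.read()
    patched, changed = enable_cache_icmp(original)
    if changed:
        with open(path + ".patched", "w", newline="") as fh:
            fh.write(patched)
    print("patched copy written" if changed else "already enabled, nothing to do")
```

The script writes a separate ".patched" copy so the original export stays available for comparison before the import in step 4.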