How to Troubleshoot High CPU Utilization on Check Point Edge Devices Objective

Transcription

How to Troubleshoot High CPU Utilization on Check Point Edge Devices Objective
How to Troubleshoot High CPU
Utilization on Check Point Edge
Devices
Objective
This document explains the steps for troubleshooting High CPU Utilization on Check Point centrally managed
UTM-1 Edge Appliances.
Details
Supported Versions

Edge firmware 8.2.x and UP
Supported Appliances

UTM-1 Edge X Series

UTM-1 Edge N Series
Before You Start
Related Documentation and Assumed Knowledge

sk67760, sk66800, sk35913, sk66440, sk65846

How-To-RMA-Edge
Troubleshooting High CPU
To find the root cause of the High CPU Utilization:
1. Connect to the edge device using SSH and run the command "info dev". The information on CPU
utilization of the edge device will appear.
2. In SmartDashboard - go to the SmartDefense / IPS tab assigned to Edge device and deactivate it.
©2012 Check Point Software Technologies Ltd. All rights reserved.
Classification: [Restricted] ONLY for designated groups and individuals
|
P. 1
3. Make sure local SmartDefense disabled (Set to Minimal)
4. Delete or disable unnecessary NAT rules. Avoid using groups as source and destination in the remaining
active NAT rules.
5. Create a dedicated policy under different name with any->any accept rule and push it to the edge device.
6. Disconnect the edge device from the management center.
If you see high traffic latency and VPN failures during high CPU load on your edge
device, which are caused by simultaneous pings passing through it, upgrade Edge
firmware to version: 8.2.50

If the CPU load on Edge device rises to 100% when file is transferred through Edge
device over PPTP VPN Tunnel, also upgrade to new the v8.2.50 firmware. (Fix to improve
the process of the GRE packets in both directions was integrated into firmware 8.2.50)
IMPORTANT NOTE: If ICMP traffic is present in customer’s environment, the ICMP improvements should be
enabled (by default they are disabled).
To enable the ICMP improvements:
Open an SSH session (either in Edge UI go to Setup > Tools > Command, or using an SSH client of
your choice) and run this command :
set enhanced cache-icmp true
To enable the ICMP improvements permanently:
1. Export the current configuration
A. Open Internet Explorer (only) browser window
B. From Edge UI go to Setup > Tools > Export
2. Edit the exported configuration file
©2012 Check Point Software Technologies Ltd. All rights reserved.
Classification: [Restricted] ONLY for designated groups and individuals
|
P. 2
A. Open the file in a text editor
B. Add these command lines above the last line in the file
set enhanced cache-icmp true
# END Configuration script
3. Save the modified configuration file
4. Import the modified configuration file
A. Open Internet Explorer (only) browser window
B. From Edge UI go to Setup > Tools > Import
C. Check the output for errors/failures
Completing the Procedure
If you still experience High CPU Utilization on the edge device after performing the steps above, do
these steps:
1. From LAN go to http://Edge_LAN_IP_Address/pub/test.html, from WAN go to
https://Edge_WAN_IP_Address:981/pub/test.html
2. If Hardware Status shows NAND=1, install relevant firmware via TFTP. Refer to the SK article sk37668.
NOTE: When installing firmware via TFTP, both Primary flash memory and Backup flash memory get
erased.
3. If Hardware Status shows NAND=0, it indicates a hardware issue and we will RMA this unit.
If none of the above steps solved the issue you should contact Check Point support for
further troubleshooting with the following information:
1. Configuration from UTM-1 Edge (GUI - Setup - Tools - Export ; use Internet Explorer browser only)
2. Diagnostics from UTM-1 Edge (GUI - Setup - Tools - Diagnostics - SCROLL to the bottom - Save as
HTML)
3. Screenshot of the Status window from UTM-1 Edge (GUI - Reports - Status)
4. Event Log from UTM-1 Edge (GUI - Logs - Event Log - Save)
5. Security Log from UTM-1 Edge (GUI - Logs - Security Log - Save)
6. Packet Sniffer (GUI - Setup - Tools Capture network traffic > Sniffer)
7. CPinfo from the Management (SmartCenter)
©2012 Check Point Software Technologies Ltd. All rights reserved.
Classification: [Restricted] ONLY for designated groups and individuals
|
P. 3