SSG-520M High CPU Utilization.

  • Hi Experts,

    We have SSG-520M Juniper Firewall configured as active/passive mode.
    During installation we found that the device CPU utilization was more than 78% without any traffic; only the ports were connected to an Extreme switch (default configuration).

    We modified the port speed manually on both the firewall and the switch for three (3) of the four (4) ports. One port (eth0/1) was down, as it was not required at that time.

    set interface ethernet0/2 phy full 1000mb

    configure ports 44 auto on speed 1000 duplex full

    After fixing the port speed on both sides, CPU utilization dropped to 2% and it worked fine.

    When we configured the firewall port eth0/1 at 1000mb on both sides, CPU utilization went above 78% again.

    Even though we configured that port the same way, CPU utilization increased to 78%.

    How can this problem be solved? I can't keep that interface down.

    Best regards

  • Dear ,

    Thanks for your reply. I have checked what you mentioned and I found some

    illegal pak    132039389 | tiny frag              0 | sa inactive            0
    url block              0 | syn frag              0 | sa policy deny        0
    encrypt fail          0 | connections            4 | policy deny        7017
    mp fail                0 | misc prot              0 | auth deny              0
    auth fail              0 | loopback drop          0 | big bkstr              0
    proc sess              0 | mal url                0 | sessn thresh          0
    invalid zone          0 | null zone              0 | no nsp-tunnel          0
    IP cls failure        0 | first pak frag        0 | unknown pak  2568498204

    traffic there which I have to filter. Now, how can I know what type of packet it is? And how can I know the current throughput of that device (firewall)?

    Thanks again.

    1. Determine if you have a fragmentation issue.

    a. Review flow stats on all interfaces looking for fragmentation:  get counter flow

    b. Review session stats and look for fragmentation:  get session frag

    c. Clear session stats and see if they continue to increment:  clear session frag

    2. Determine if you have a large PPS issue. Packet capture the firewall's interface(s).

    a. Also ensure you are not receiving fragmented packets:  get count stat  -or- get count stat int e1

    3. Review session counters on ingress and egress interfaces to see if the numbers are close; if the egress interface count is larger than the ingress count, then the firewall is fragmenting.

    4. Hack around with implementing path-mtu:

    a. set flow path-mtu

    b. set interface e1 pmtu ipv4

    5. Hack around with implementing MSS (this ONLY affects TCP; UDP and other IP traffic is not affected).

    a. set flow tcp-mss    <  for encrypted traffic only

    b. set flow all-tcp-mss    <  for all unencrypted traffic
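Added example, not part of the original thread: a small Python script that does the "clear and see if they continue to increment" check from step 1c offline, by parsing two snapshots of the counter table pasted in the post (the three-column name/value layout ScreenOS prints for its counter output; which exact `get counter` command produced it is an assumption) and listing which counters moved between them and how fast. The two snapshots below are constructed: the first is the table from the post, the second is a hypothetical reading taken ten seconds later. A counter such as `unknown pak` or `illegal pak` that keeps climbing while no user traffic is present is the packet class worth capturing on the interface.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots in the layout ScreenOS uses for its counter
# tables: three "name  value" cells per line, separated by "|".
# SNAPSHOT_BEFORE is the table from the post; SNAPSHOT_AFTER is a
# hypothetical reading taken 10 seconds later, with three counters moved.
SNAPSHOT_BEFORE = """\
illegal pak    132039389 | tiny frag              0 | sa inactive            0
url block              0 | syn frag              0 | sa policy deny        0
encrypt fail          0 | connections            4 | policy deny        7017
mp fail                0 | misc prot              0 | auth deny              0
auth fail              0 | loopback drop          0 | big bkstr              0
proc sess              0 | mal url                0 | sessn thresh          0
invalid zone          0 | null zone              0 | no nsp-tunnel          0
IP cls failure        0 | first pak frag        0 | unknown pak  2568498204
"""

SNAPSHOT_AFTER = """\
illegal pak    132139389 | tiny frag              0 | sa inactive            0
url block              0 | syn frag              0 | sa policy deny        0
encrypt fail          0 | connections            4 | policy deny        7020
mp fail                0 | misc prot              0 | auth deny              0
auth fail              0 | loopback drop          0 | big bkstr              0
proc sess              0 | mal url                0 | sessn thresh          0
invalid zone          0 | null zone              0 | no nsp-tunnel          0
IP cls failure        0 | first pak frag        0 | unknown pak  2570498204
"""

# One cell: a counter name (may contain spaces and hyphens) followed by an integer.
CELL_RE = re.compile(r"^\s*(\S.*?)\s+(\d+)\s*$")


def parse_counter_table(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every cell of a ScreenOS counter table."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for cell in line.split("|"):
            m = CELL_RE.match(cell)
            if m:
                counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters whose value changed between two snapshots (name -> increment)."""
    deltas: Dict[str, int] = {}
    for name, value in after.items():
        diff = value - before.get(name, 0)
        if diff:
            deltas[name] = diff
    return deltas


def incrementing_counters(before_text: str, after_text: str,
                          interval_s: float) -> List[Tuple[str, int, float]]:
    """Parse both snapshots and return (name, increment, rate per second), largest first.

    A counter that keeps climbing with no user traffic present identifies the
    packets the firewall is spending CPU on; a counter that stays put is history.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    deltas = counter_deltas(parse_counter_table(before_text),
                            parse_counter_table(after_text))
    rows = [(name, inc, inc / interval_s) for name, inc in deltas.items()]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    # Paste two real snapshots (e.g. from "get counter flow" before and after
    # "clear" plus a wait) in place of the constructed ones to use this live.
    for name, inc, rate in incrementing_counters(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 10):
        print(f"{name:16s} +{inc:>10d}  ({rate:,.0f}/s)")
```

With the constructed snapshots the script ranks `unknown pak` first (about 200,000 packets per second in the hypothetical interval), then `illegal pak`, then `policy deny`; only the first two are plausible CPU burners, and they are the counters to watch while capturing on the interface in question.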