PIX 515 V7.2(2) has 85% CPU Utilization, please help

Answered Question
Oct 2nd, 2007

Hi,


I have PIX 515UR Ver 7.2(2), the unit has 256 MB memory.


I find that the CPU usage is showing constantly around 80% during day time usage.


The 'sh proc' and 'sh proc cpu-hog' output shows that 'dispatch unit' takes up most of the CPU. See below:


------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 89%; 1 minute: 85%; 5 minutes: 83%

------------------ show cpu hogging process ------------------

Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 356, LASTHOG: 360

LASTHOG At: 16:36:44 UTC Oct 1 2007

PC: 1044803

Traceback: 89e435 89eac9 2f47e2 2f4c69 2ed253 74bbd7 7411ce

c3a905 c3ae4f c3b334 740fab 74bf38 77b2f6 74e04d

------------------ show process ------------------

PC SP STATE Runtime SBASE Stack Process

Mwe 00c72c7c 01caa320 013a9360 9 016f63a0 15616/16384 emweb/cifs

Lwe 001071fc 01729db4 013a93d0 0 01727de0 8132/8192 block_diag

Mrd 002190dc 01b5adfc 013a9470 32179294 01b52e78 26104/32768 Dispatch Unit


I restarted the unit, but it comes back to the same status during daytime. Please advise what could be the reason for such high CPU utilization by the 'dispatch unit' process and how to rectify the issue.

Thanks

Khalid


Correct Answer
gfullage (Cisco Employee) Tue, 10/02/2007 - 20:41

Dispatch Unit handles the general processing of packets, along with the handing off of layer-7 inspected packets to the relevant inspection engine. If this is high you're most probably inspecting too many packets at layer-7, so look at what protocols you have "inspect ..." statements for, then try to figure out if you're sending too much traffic to them. "sho service-policy" on a 7.x/8.x PIX will give you an idea of the amount of traffic each inspection engine is seeing.


Other than that it may just be that you're hammering this PIX with too many packets. Do a "sho traffic" to get an idea of how much traffic is passing through the interfaces, and make sure you're not over-running the device. A 515 (non-E) can only handle about max 100Mbps of throughput, much less if you're inspecting a lot of it or encrypting, etc.


Also have a read of http://www.cisco.com/warp/public/110/pixperformance.html as it may give you a few ideas.

kymalik Fri, 10/05/2007 - 07:55

Hi.

I appreciate your help. I performed a show service-policy and saw a ton of hits/drops on the DNS inspection entry. I removed the policy, which did not help at all. So I fired up a sniffer and DNS was over 50% of the packets. We couldn't isolate any issue on the DNS server, and every time we reset the process, the problem would return in an hour or so... so we finally rebooted the DNS server and we haven't seen any trouble since.

Kymalik
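
Added example, not part of the original thread: the "show service-policy" counters mentioned above are cumulative, so one way to see which inspection engine is loading Dispatch Unit right now is to capture the output twice and compare. The snapshots below are constructed, and the "Inspect: <engine>, packet N, drop N, reset-drop N" line format, the 60-second interval and the function names are assumptions of this sketch.

```python
import re

# Constructed snapshots of the "Inspect:" lines from "show service-policy",
# taken 60 s apart. Line format modelled on 7.x output; counts are invented.
SNAP_T0 = """\
      Inspect: dns preset_dns_map, packet 1843921, drop 412877, reset-drop 0
      Inspect: ftp, packet 10412, drop 0, reset-drop 0
      Inspect: sqlnet, packet 88210, drop 3, reset-drop 0
      Inspect: rtsp, packet 40155, drop 12, reset-drop 0
"""
SNAP_T1 = """\
      Inspect: dns preset_dns_map, packet 1993921, drop 442877, reset-drop 0
      Inspect: ftp, packet 10532, drop 0, reset-drop 0
      Inspect: sqlnet, packet 94210, drop 3, reset-drop 0
      Inspect: rtsp, packet 43155, drop 12, reset-drop 0
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*([^,]+?)\s*,\s*packet\s+(\d+)\s*,\s*drop\s+(\d+)", re.M)

def parse_counters(text):
    """Map each inspection engine to its cumulative (packets, drops)."""
    return {m[1]: (int(m[2]), int(m[3])) for m in INSPECT_RE.finditer(text)}

def counter_delta(new, old):
    # Counters are cumulative; a smaller value means they were cleared or
    # the unit reloaded, so count from zero instead of going negative.
    return new - old if new >= old else new

def inspection_rates(before, after, seconds):
    """Per-engine packets/s, share of inspected packets and drop ratio, busiest first."""
    old, new = parse_counters(before), parse_counters(after)
    rows = []
    for engine, (pkts, drops) in new.items():
        old_pkts, old_drops = old.get(engine, (0, 0))
        d_pkts = counter_delta(pkts, old_pkts)
        d_drops = counter_delta(drops, old_drops)
        rows.append({"engine": engine, "packets": d_pkts, "pps": d_pkts / seconds,
                     "drop_ratio": d_drops / d_pkts if d_pkts else 0.0})
    total = sum(r["packets"] for r in rows)
    for r in rows:
        r["share"] = r["packets"] / total if total else 0.0
    return sorted(rows, key=lambda r: r["pps"], reverse=True)

if __name__ == "__main__":
    for r in inspection_rates(SNAP_T0, SNAP_T1, 60):
        print(f'{r["engine"]:<22}{r["pps"]:>9.1f} pps {r["share"]:>6.1%} of inspected, '
              f'{r["drop_ratio"]:.1%} dropped')
```

An engine that takes most of the inspected packets and drops a large fraction of them, as DNS does in this constructed data, is the one to trace back to its source hosts with a capture.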
