FWSM 3.2(3) bug? or different problem? or config mistake?

Mar 23rd, 2008

FWSM CPU is at a high level (90%-100%) periodically.

I think it is a bug in 3.2(3), but I am not certain.

I found these bugs:

1. tcp-normalizer

2. High CPU in http inspection

I added the "show process" files (normal, problem).

Please help me.

limtohsoon Mon, 06/09/2008 - 02:02

Hi Jay,

I have an FWSM running software version 3.1(8). It was upgraded from version 2.3(3).

After the upgrade, end users complain of slow SQL transfers across the FWSM.

I suspect I'm hitting the bug ID CSCsl71684 (FWSM 'inspect sqlnet' can lead to TCP drops when short inter-packets gap).

The workarounds are:

1. disable inspect sqlnet

2. enable inspect sqlnet but disable tcp normalizer

3. do smaller data transfers (-> resulting in smaller rapid burst of TNS data packets)

4. upgrade FWSM to 3.1.9 or 3.2.

Is it advisable to disable TCP normalizer (using "no control-point tcp-normalizer" command)? What's the impact? I'd like to test disabling TCP normalizer and see the effect on the SQL transfer before I upgrade it to version 3.1(9) or 3.2.

Please advise.

Thank you.

B.Rgds,

Lim TS

Farrukh Haroon Mon, 06/09/2008 - 04:26

Can you post the configuration of the following command (captured at various intervals):

show processes cpu-hog

Also, as others have suggested, did you try to disable the TCP normalizer using:

no control-point tcp-normalizer

Regards

Farrukh

limtohsoon Mon, 06/09/2008 - 15:44

Hi Farrukh,

Is it recommended to disable TCP normalizer (using "no control-point tcp-normalizer" command)? What's the impact?

Thank you.

B.Rgds,

Lim TS

Farrukh Haroon Mon, 06/09/2008 - 17:49

This is the official description:

"For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM. You can disable the limited TCP normalization support for the FWSM using the no control-point tcp-normalizer command."

Please note it's not recommended to disable it; consider this a transient step to fix the HIGH CPU issue.

Regards

Farrukh
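
The two-packet out-of-order limit quoted in the description above, as an added illustration that is not part of the thread and not Cisco code. It is a toy model that assumes a segment arriving while the queue is full is dropped; the function name, segment sizes and sample bursts are constructed.

```python
# Toy model of a per-connection out-of-order queue (assumption: a segment
# that arrives while the queue is full is dropped and must be retransmitted).
OOO_LIMIT = 2  # queue depth from the quoted description

def normalize(segments, start_seq=0, ooo_limit=OOO_LIMIT):
    """Return (forwarded, dropped) sequence numbers for one flow direction.

    segments: iterable of (seq, length) in arrival order.
    """
    expected = start_seq
    held = {}                      # seq -> length of queued out-of-order segments
    forwarded, dropped = [], []
    for seq, length in segments:
        if seq < expected:
            continue               # old data already forwarded; ignored here
        if seq > expected:
            if seq in held:
                continue           # duplicate of a segment already queued
            if len(held) < ooo_limit:
                held[seq] = length # hole in the stream: queue and wait
            else:
                dropped.append(seq)
            continue
        # In-order segment: forward it, then drain anything it unblocks.
        forwarded.append(seq)
        expected = seq + length
        while expected in held:
            held_len = held.pop(expected)
            forwarded.append(expected)
            expected += held_len
    return forwarded, dropped

# Constructed sample: a burst of six 1000-byte segments.
IN_ORDER = [(i * 1000, 1000) for i in range(6)]
# Same burst, but the first segment arrives last (short inter-packet gap,
# one segment overtaken by the five behind it).
DELAYED_FIRST = IN_ORDER[1:] + IN_ORDER[:1]

if __name__ == "__main__":
    for name, burst in (("in order", IN_ORDER), ("first delayed", DELAYED_FIRST)):
        fwd, drop = normalize(burst)
        print(f"{name}: forwarded={fwd} dropped={drop}")
```

In this model, a single delayed segment in a rapid burst costs three of six segments, which is why smaller transfers appear among the workarounds listed earlier in the thread.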
