FWSM 3.2(3) bug? or different problem? or config mistake?

Mar 23rd, 2008

FWSM CPU is at a high level (90%-100%) periodically.


I think it is a bug in 3.2(3), but I am not certain.

I found these bugs:

1. tcp-normalizer

2. High CPU in http inspection


I have attached "show process" files (normal, problem).

Please help me.



Jay Johnston (Cisco Employee) Mon, 03/24/2008 - 11:28

So if you disable the tcp normalizer you don't see the problem?

limtohsoon Mon, 06/09/2008 - 02:02

Hi Jay,


I have an FWSM running software version 3.1(8). It was upgraded from version 2.3(3).


After the upgrade, end users complain of slow SQL transfer across the FWSM.


I suspect I'm hitting the bug ID CSCsl71684 (FWSM 'inspect sqlnet' can lead to TCP drops when short inter-packets gap).


The workarounds are:


1. disable inspect sqlnet

2. enable inspect sqlnet but disable tcp normalizer

3. do smaller data transfers (-> resulting in smaller rapid burst of TNS data packets)

4. upgrade FWSM to 3.1.9 or 3.2.



Is it advisable to disable TCP normalizer (using "no control-point tcp-normalizer" command)? What's the impact? I'd like to test disabling TCP normalizer and see the effect on the SQL transfer before I upgrade it to version 3.1(9) or 3.2.


Please advise.



Thank you.


B.Rgds,

Lim TS


Farrukh Haroon Mon, 06/09/2008 - 04:26

Can you post the configuration of the following command (captured at various intervals):


show processes cpu-hog


Also as others have suggested, did you try to disable the TCP normalizer using:


no control-point tcp-normalizer


Regards


Farrukh

limtohsoon Mon, 06/09/2008 - 15:44

Hi Farrukh,


Is it recommended to disable TCP normalizer (using "no control-point tcp-normalizer" command)? What's the impact?



Thank you.


B.Rgds,

Lim TS


Farrukh Haroon Mon, 06/09/2008 - 17:49

This is the official description:


"For traffic that passes through the control-plane path, such as packets that require Layer 7 inspection or management traffic, the FWSM sets the maximum number of out-of-order packets that can be queued for a TCP connection to 2 packets, which is not user-configurable. Other TCP normalization features that are supported on the PIX and ASA platforms are not enabled for FWSM. You can disable the limited TCP normalization support for the FWSM using the no control-point tcp-normalizer command."


Please note it's not recommended to disable it; consider this a transient step to fix the HIGH CPU issue.


Regards


Farrukh
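
The queue limit in the description quoted above, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified Python model of a per-connection reordering queue capped at 2 out-of-order segments. That a segment arriving while the queue is full is dropped, the names `normalize` and `OOO_LIMIT`, and the constructed arrival sequences are assumptions of this model.

```python
# Simplified model (an assumption, not FWSM code) of a per-connection queue
# that holds at most OOO_LIMIT out-of-order TCP segments before dropping.

OOO_LIMIT = 2  # fixed limit stated in the quoted description


def normalize(arrivals, limit=OOO_LIMIT):
    """Process segment numbers in arrival order.

    Returns (delivered, dropped): segments forwarded in sequence order, and
    segments discarded because the out-of-order queue was already full.
    """
    expected = 0          # next in-order segment number
    queue = set()         # out-of-order segments currently held
    delivered, dropped = [], []
    for seg in arrivals:
        if seg < expected or seg in queue:
            continue      # duplicate of something already seen
        if seg == expected:
            delivered.append(seg)
            expected += 1
            # Release any queued segments that are now contiguous.
            while expected in queue:
                queue.remove(expected)
                delivered.append(expected)
                expected += 1
        elif len(queue) < limit:
            queue.add(seg)
        else:
            dropped.append(seg)   # sender has to retransmit this one
    return delivered, dropped


if __name__ == "__main__":
    # Constructed arrival orders for segments 0..5 of one connection.
    samples = {
        "in order":            [0, 1, 2, 3, 4, 5],
        "1 delayed by two":    [0, 2, 3, 1, 4, 5],
        "1 delayed by four":   [0, 2, 3, 4, 5, 1],
        "same, 4/5 resent":    [0, 2, 3, 4, 5, 1, 4, 5],
    }
    for name, arrivals in samples.items():
        delivered, dropped = normalize(arrivals)
        print(f"{name:20} delivered={delivered} dropped={dropped}")
```

In this model a single segment delayed behind more than two successors in a burst costs extra retransmissions, while the same reordering with a larger `limit` passes without drops.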
