Cisco IPS 4255 Sensor High CPU Utilization

Unanswered Question
May 4th, 2010
User Badges:

Hi,


We are facing high cpu utilization issue in Cisco IPS 4255 running software  Version 7.0(1)E3. We have checked in show tech and found 80.4% CPU is consumed by sensorApp. Also we have found no packet drops on the IPS interfaces.

Does anyone having any idea about this issue, I am attaching Show Tech from the device for reference.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Manjunatha Jayaram Tue, 05/04/2010 - 06:25
User Badges:

Hi Halijenn,


Thanks for the response.  I have gone through this bugid but  think this is not related to high CPU Utilization and is related to some sensorApp SignatureDB refcount integrity problem.

Please correct me if I am wrong.

Scott Fringer Tue, 05/04/2010 - 08:06
User Badges:
  • Cisco Employee,

Manohar;


  The message you are seeing in the 'sh tech' output is likely releated to bug CSCta02342.


  In general, since the release of the E3 analysis engine, there is a different queue processing algorithm that is implemented to efficiently process packet queues on the sensor.  Simply monitoring CPU utilization is not effective since the sensor is now making more use of idle CPU time.  You should instead monitor the Inspection Load of the sensor to understand how busy the sensor is.  In your case, the load was:


Processing Load Percentage = 28


  Also, as you are currently running IPS release 7.0(1)E3, you may want to consider upgrading to a release containing the E4 analysis engine as your sensor will no longer receive signature updates.


  For further investigation of any concerns, it would be a good idea to open a service request to receive direct TAC assistance.


Scott

Manjunatha Jayaram Tue, 05/04/2010 - 23:09
User Badges:

Hi Scott,


Thanks for clarification.I have gone through this bugid and but found  no workaround for this bug. Also sensor load is varying between 30-50 .

Please find the attached snapshot taken from GUI of IPS and its showing 99% CPU load.

Please suggest a solution to overcome this issue.

Attachment: 
Scott Fringer Wed, 05/05/2010 - 03:43
User Badges:
  • Cisco Employee,

Manohar;


  As I mentioned, the sole point of the CPU being at near 100% is not indicative of a problem with the sensor (as it is now expected with changes to the analysis engnie made with the E3 release).  Certainly since you indicated you are noting no packet loss, and the Inspection Load is fluctuating between 30 and 50, the sensor is functioning as expected.  From the release notes for the E3 engine:


The E3 signature engine  update contains changes from CSCsu77935

The resolution of this defect modified the idle time algorithm of the  sensor by applying additional CPU to polling of the NICs to decrease the  polling interval and reduce latency.  This results in the CPU usage  being reported higher than in previous releases, including using  external tools such as top and ps.

You can notice this additional CPU load on single-CPU platforms, as well  as the primary CPU of multi-core systems. Since the additional CPU load  that is reported while polling is actually available to process  packets, and reduces as inspection load goes up, it does not negatively  affect the overall throughput of the IPS.

The best indication of sensor load is shown under the Processing Load  Percentage section in the "show statistics  virtual-sensor" command output and on the IME Home Page.


  If you still feel there is a problem with your sensor, I would recommend opening a service request with TAC so further troubleshooting may be performed.


Scott

iswady.kamas Fri, 09/20/2013 - 02:03
User Badges:

Hi,


I also facing the same issue where my IPS cpu utilization heat up to 85% and sometimes goes over 95% especially during the peak hour. the IPS already upgraded to software version 7.0(4)E4. Is it any issue if we are running the IPS on this software version?

Rodolfo Navero Thu, 10/03/2013 - 06:49
User Badges:

Hi,

The high consumption of CPU is not of concern, since there is no drop packets.

I had the same problem after performing POC Cisco, we conclude that the high CPU consumption that relate to using this topology.



In my case several vlan ID used to separate traffic.

You to be aware that the Inpesion load, but this will be the parameter performace IPS.

Always remember that you must leave the IPS sensor always updated with the licenses and packages.

Actions

This Discussion