05-04-2010 02:25 AM - edited 03-10-2019 04:58 AM
Hi,
We are facing high cpu utilization issue in Cisco IPS 4255 running software Version 7.0(1)E3. We have checked in show tech and found 80.4% CPU is consumed by sensorApp. Also we have found no packet drops on the IPS interfaces.
Does anyone having any idea about this issue, I am attaching Show Tech from the device for reference.
05-04-2010 02:40 AM
Seems to match bugID: CSCta02342
05-04-2010 06:25 AM
Hi Halijenn,
Thanks for the response. I have gone through this bugid but think this is not related to high CPU Utilization and is related to some sensorApp SignatureDB refcount integrity problem.
Please correct me if I am wrong.
05-04-2010 08:06 AM
Manohar;
The message you are seeing in the 'sh tech' output is likely releated to bug CSCta02342.
In general, since the release of the E3 analysis engine, there is a different queue processing algorithm that is implemented to efficiently process packet queues on the sensor. Simply monitoring CPU utilization is not effective since the sensor is now making more use of idle CPU time. You should instead monitor the Inspection Load of the sensor to understand how busy the sensor is. In your case, the load was:
Processing Load Percentage = 28
Also, as you are currently running IPS release 7.0(1)E3, you may want to consider upgrading to a release containing the E4 analysis engine as your sensor will no longer receive signature updates.
For further investigation of any concerns, it would be a good idea to open a service request to receive direct TAC assistance.
Scott
05-04-2010 11:09 PM
05-05-2010 03:43 AM
Manohar;
As I mentioned, the sole point of the CPU being at near 100% is not indicative of a problem with the sensor (as it is now expected with changes to the analysis engnie made with the E3 release). Certainly since you indicated you are noting no packet loss, and the Inspection Load is fluctuating between 30 and 50, the sensor is functioning as expected. From the release notes for the E3 engine:
The E3 signature engine update contains changes from CSCsu77935
The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
The best indication of sensor load is shown under the Processing Load Percentage section in the "show statistics virtual-sensor" command output and on the IME Home Page.
If you still feel there is a problem with your sensor, I would recommend opening a service request with TAC so further troubleshooting may be performed.
Scott
09-20-2013 02:03 AM
Hi,
I also facing the same issue where my IPS cpu utilization heat up to 85% and sometimes goes over 95% especially during the peak hour. the IPS already upgraded to software version 7.0(4)E4. Is it any issue if we are running the IPS on this software version?
10-03-2013 06:49 AM
Hi,
The high consumption of CPU is not of concern, since there is no drop packets.
I had the same problem after performing POC Cisco, we conclude that the high CPU consumption that relate to using this topology.
In my case several vlan ID used to separate traffic.
You to be aware that the Inpesion load, but this will be the parameter performace IPS.
Always remember that you must leave the IPS sensor always updated with the licenses and packages.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide