We are facing a high CPU utilization issue on a Cisco IPS 4255 running software version 7.0(1)E3. We checked the show tech output and found that 80.4% of the CPU is consumed by sensorApp. We also found no packet drops on the IPS interfaces.
Does anyone have any idea about this issue? I am attaching the show tech from the device for reference.
The message you are seeing in the 'sh tech' output is likely related to bug CSCta02342.
In general, since the release of the E3 analysis engine, there is a different queue processing algorithm that is implemented to efficiently process packet queues on the sensor. Simply monitoring CPU utilization is not effective since the sensor is now making more use of idle CPU time. You should instead monitor the Inspection Load of the sensor to understand how busy the sensor is. In your case, the load was:
Processing Load Percentage = 28
Also, as you are currently running IPS release 7.0(1)E3, you may want to consider upgrading to a release containing the E4 analysis engine as your sensor will no longer receive signature updates.
For further investigation of any concerns, it would be a good idea to open a service request to receive direct TAC assistance.
As I mentioned, the sole point of the CPU being at near 100% is not indicative of a problem with the sensor (as it is now expected with changes to the analysis engine made with the E3 release). Certainly since you indicated you are noting no packet loss, and the Inspection Load is fluctuating between 30 and 50, the sensor is functioning as expected. From the release notes for the E3 engine:
The E3 signature engine update contains changes from CSCsu77935
The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
The best indication of sensor load is shown under the Processing Load Percentage section in the "show statistics virtual-sensor" command output and on the IME Home Page.
If you still feel there is a problem with your sensor, I would recommend opening a service request with TAC so further troubleshooting may be performed.
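The monitoring approach described in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it alerts on sustained Processing Load Percentage taken from saved `show statistics virtual-sensor` output and records, but never alerts on, sensorApp CPU. The threshold of 80, the three-sample window, the function names and the sample data are assumptions made for illustration.

```python
import re

# Line format as quoted in this thread: "Processing Load Percentage = 28"
LOAD_RE = re.compile(r"^\s*Processing Load Percentage\s*=\s*(\d{1,3})\s*$", re.M)

def parse_load(stats_text):
    """Return the inspection load (0-100) from saved command output, or None."""
    m = LOAD_RE.search(stats_text)
    if not m:
        return None
    value = int(m.group(1))
    return value if 0 <= value <= 100 else None

def assess(samples, load_threshold=80, consecutive=3):
    """samples: list of (sensorapp_cpu_percent, stats_text), oldest first.

    Alerts only when inspection load stays at or above load_threshold for
    `consecutive` polls. CPU is reported for context but is not an alert
    condition, because E3 and later spend idle CPU time polling the NICs.
    """
    streak, alert, unparsed, peak_load = 0, False, 0, None
    for _cpu, text in samples:
        load = parse_load(text)
        if load is None:
            unparsed += 1
            streak = 0  # a missing reading breaks the streak
            continue
        peak_load = load if peak_load is None else max(peak_load, load)
        streak = streak + 1 if load >= load_threshold else 0
        alert = alert or streak >= consecutive
    if peak_load is None:
        status = "no-data"
    else:
        status = "overloaded" if alert else "ok"
    peak_cpu = max((cpu for cpu, _ in samples), default=None)
    return {"status": status, "peak_load": peak_load,
            "peak_cpu": peak_cpu, "unparsed": unparsed}

# Constructed samples: high CPU with moderate load, as reported in this thread.
IDLE_POLLING = [(80.4, "Processing Load Percentage = 28"),
                (95.0, "Processing Load Percentage = 50"),
                (85.0, "Processing Load Percentage = 30")]
# Constructed samples: a sensor that really is saturated.
BUSY = [(96.0, "Processing Load Percentage = 85"),
        (97.0, "Processing Load Percentage = 90"),
        (98.0, "Processing Load Percentage = 92")]

if __name__ == "__main__":
    print(assess(IDLE_POLLING))
    print(assess(BUSY))
```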
I am also facing the same issue, where my IPS CPU utilization heats up to 85% and sometimes goes over 95%, especially during the peak hour. The IPS has already been upgraded to software version 7.0(4)E4. Is there any issue if we are running the IPS on this software version?