
Juniper Networks - How to run Packet Profiling on firewall to determine cause of High "FLOW" CPU (ScreenOS 6.x) - Knowledge Base

12-2-16 4:39


How to run Packet Profiling on firewall to determine cause of High "FLOW" CPU (ScreenOS 6.x)
[KB11710]

SUMMARY:
Symptoms: High Flow CPU on a firewall running ScreenOS 6.0.0r2 or higher. What is causing it? How do you run Packet Profiling?

If the Flow CPU on a firewall is high and if the firewall is running ScreenOS 6.0.0r2 or higher, then profiling is an additional step to determine the cause. This article documents how to run profiling.


PROBLEM OR GOAL:
What is the cause for High "FLOW" CPU Utilization?

If you have not determined if the High CPU is due to Flow or Task, consult KB9453 - Troubleshooting High CPU on a firewall device before continuing.

If the Flow CPU is high, perform the following, depending on the ScreenOS version:

ScreenOS 5.4.0 or lower
----------------------------------------
The Packet Profiling commands are not available in ScreenOS 5.x. Therefore, go to KB21722 - What is causing High Flow CPU Utilization? (ScreenOS 5.x and later) to help identify the cause.

ScreenOS 6.0.0r2 or higher
----------------------------------------
Refer to the solution below to identify the cause.

SOLUTION:
ScreenOS 6.0.0r2 and higher has a new debugging feature called 'flow profiling' to help identify the source of traffic utilizing the CPU. Follow these steps:

A. Run Packet Profiling to identify the type of packets that consume the CPU.

1. Enter the 'fprofile packet' commands.

   Enable, start, and stop the packet profiling:

      set fprofile packet enable
      set fprofile packet start

   By default, the profiling buffer is set to nowrap (unset fprofile packet wrap), so the packet profiling will auto stop when the profiling buffer is full. If the fprofile is set to wrap, stop packet profiling by pressing ESC or entering:

      set fprofile packet stop

   Display the output:

      get fprofile packet
      get fprofile packet ip
      get fprofile packet none-ip
      get fprofile packet ip proto

   In the 'get fprofile packet' output, the packets using up most of the CPU are at the top with the higher percentages. Look at the protocol, source, destination, source port, and dest port values to identify the culprits:

      Id  Type  Protocol  Source   Destination  Sport  Dport  Time  Percentage
      1   ip    0x01      1.1.1.1  1.1.1.2      8      0      563   48.66%


2. Repeat the entire step 1 three times and review the output.

3. Unset the flow profiling:

      unset fprofile packet enable

If Steps 1 through 3 in Section A do not identify the cause, then proceed to the next step.

B. Capture debugs


Capture flow and tag debugs until the dbuffer fills up to 4Mb (normally it takes only a few seconds under heavy traffic to fill up the buffer).

Note: Both the 'debug tag info' and 'debug flow basic' debugs (run together) are most beneficial for analysis.

      set db size 4096        ## set debug buffer to 4 meg
      debug tag info          ## enter this if ISG or NS5000 device
      debug flow basic        ## use with CAUTION; may cause higher CPU, so run only a few seconds during the high CPU
      clear db                ## clear debug buffer
      <wait a few seconds for buffer to fill up>
      undebug all             ## to stop all debugs
      get db stream > tftp    ## to view the debug output (or: get db stream)
      unset db size           ## to return the debug buffer to default size

The packets displayed in the debug buffer are being processed by the CPU. Are there any patterns?

If the packets in the buffer still do not identify the cause, then proceed to the next step.

C. If the firewall is an ISG-1000, ISG-2000, or NS-5000 device, then run 'get sat' and 'get asic' commands

The 'get sat' output is used to determine PPS (packets/sec) rates. The functionality of this command has been enhanced in ScreenOS 6.0.0r2 and greater; it calculates the PPS as such:

   get sat <asic #> demux-counters   (get sat 0 d)
      If this command is issued for the first time or a long time after last execution, the last counter and PPS are NOT Applicable. Otherwise the PPS is calculated.
      For packets in the 'to-host' category, a break-down list is provided.

   get asic demux-counters   (get asic d)
      If this command is issued for the first time or a long time after last execution, the last counter and PPS are NOT Applicable. Otherwise the PPS is calculated.
      The total PPS is shown for all chips.
      CPU Traffic Analysis is displayed.

Here's an example of the output:

   NS5000> get asic d
                                current                 Last                    pps
                                (02/01/2007 23:49:36)   (02/01/2007 23:39:36)   (time diff is 10s)
   to_host:                     10062                   5062                    500
   first_packet:                3846                    1846                    200
   no_ip_ether_net:             83                      83                      0
   total packet:                13991                   6991                    700
   clsf counters:
     fragment pak:              32768                   16384                   1638
     icmp:                      16384                   8192                    819
   to host traffic analysis:
     no route / l2 info:        4800                    2400                    240
     ASP:                       2468                    1234                    123
     ALG:                       2048                    1024                    102
     Handshake(syn-ack/ack)     546                     N/A                     N/A
     DMA required:              12168                   5984                    598

1. Enter the following commands during the high CPU period:

   a. Repeat 6 to 8 times:
         get sat 0 d
         <wait 10 sec>

   b. Repeat 6 to 8 times:
         get asic d
         <wait 10 sec>

2. If the firewall is a NS-5000 device, also enter the following command for each ASIC (1-5):

   Repeat 6 to 8 times:
         get sat <asic> d
         <wait 10 sec>

   NOTE: Remember to run step 2 for each ASIC.

D. If the cause of the High CPU is still not identified, go to KB21722 - What is causing High Flow CPU Utilization (ScreenOS 5.x and later), and follow the steps to collect additional data. Although the title of KB21722 is labeled ScreenOS 5.x, the commands in that article are supported in ScreenOS 6.x. KB21722 contains additional information that is needed when opening a case with JTAC.
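
Added example (not part of the Juniper article): Section A, step 2 repeats the profiling run three times, and this Python sketch parses each pasted 'get fprofile packet' run and keeps only the flows that stay above a CPU-share threshold in every run. The whitespace-separated row layout, the function names, the 10% threshold and the sample runs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Column order follows the sample row in this article; the exact whitespace
# layout of real 'get fprofile packet' output is an assumption.
COLUMNS = ["id", "type", "protocol", "source", "destination",
           "sport", "dport", "time", "percentage"]

def parse_run(text):
    """Parse one pasted 'get fprofile packet' run into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 9 fields, a numeric Id and a trailing percentage;
        # headers, prompts and blank lines fail this check and are skipped.
        if (len(fields) != len(COLUMNS) or not fields[0].isdigit()
                or not re.fullmatch(r"\d+(\.\d+)?%", fields[-1])):
            continue
        row = dict(zip(COLUMNS, fields))
        row["percentage"] = float(fields[-1].rstrip("%"))
        rows.append(row)
    return rows

def persistent_top_talkers(runs, min_share=10.0):
    """Flows at or above min_share percent in every run, ranked by mean share."""
    shares = defaultdict(list)
    for text in runs:
        per_run = defaultdict(float)
        for r in parse_run(text):
            key = (r["protocol"], r["source"], r["destination"], r["sport"], r["dport"])
            per_run[key] += r["percentage"]
        for key, pct in per_run.items():
            if pct >= min_share:
                shares[key].append(pct)
    ranked = [(key, round(sum(p) / len(p), 2))
              for key, p in shares.items() if len(p) == len(runs)]
    return sorted(ranked, key=lambda kv: kv[1], reverse=True)

# Constructed sample runs; only the 1.1.1.1 -> 1.1.1.2 row mirrors the article.
HEADER = "Id Type Protocol Source Destination Sport Dport Time Percentage\n"
RUNS = [
    HEADER + "1 ip 0x01 1.1.1.1 1.1.1.2 8 0 563 48.66%\n2 ip 0x06 192.0.2.10 198.51.100.5 40112 443 140 12.10%\n",
    HEADER + "1 ip 0x01 1.1.1.1 1.1.1.2 8 0 601 51.20%\n2 ip 0x11 192.0.2.77 198.51.100.9 5353 53 130 11.07%\n",
    HEADER + "1 ip 0x01 1.1.1.1 1.1.1.2 8 0 540 46.34%\n2 ip 0x06 192.0.2.10 198.51.100.5 40112 443 99 8.50%\n",
]

if __name__ == "__main__":
    for flow, mean_pct in persistent_top_talkers(RUNS):
        print(flow, f"{mean_pct}%")
```

A flow that tops one run but drops out of the others is filtered out, which separates a sustained CPU consumer from a momentary burst.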

PURPOSE:
Troubleshooting

RELATED LINKS:
KB9453 - Troubleshooting High CPU on a firewall device
KB21722 - What is causing High Flow CPU Utilization? (ScreenOS 5.x and later)

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11710
