Intrusion Prevention

  • 1.  IDP 75 high on CPU

    Posted 06-25-2009 04:58

    Hi

     

    My IDP 75 probe is constantly running at 100% CPU utilisation after the 4.1 to 5.0 upgrade.

    The idpengine process is around 85-90% CPU all the time.

    It seems to be independent of which policy is installed or whether the Profiler is enabled or not.

     

    Has anyone seen this before?

     

     

    /Nils 

     

    [root@coromant ~]# top

    top - 13:45:34 up 6 days, 22:53,  1 user,  load average: 3.22, 3.29, 3.27
    Tasks:  76 total,   4 running,  72 sleeping,   0 stopped,   0 zombie
    Cpu(s): 92.3%us,  7.7%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
    Mem:    764592k total,   610188k used,   154404k free,   163444k buffers
    Swap:  2104504k total,     8120k used,  2096384k free,   188072k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                               
    15889 root      10 -10  580m 256m 134m R 90.0 34.4   2359:49 idpengine                                                             
    25999 root      20   0 12596 1044  804 R  0.7  0.1   0:00.04 top                                                                   
        1 root      20   0 10336  632  540 S  0.0  0.1   0:03.08 init                                                                  
        2 root      15  -5     0    0    0 S  0.0  0.0   0:00.00 kthreadd    

     

     



  • 2.  RE: IDP 75 high on CPU

    Posted 06-25-2009 14:19

    What is your policy?

    I'm assuming that by unloading the policy, the IDP CPU is back to normal.

     

    If you are working with Juniper TAC, can you send me a private message with the case number?


    Thanks,
    Chandra

     



  • 3.  RE: IDP 75 high on CPU

    Posted 06-25-2009 23:41

    I hadn't tried with 'Security Policy: none' yesterday. When I did, it showed up that it isn't possible to do that as the 'Update Device' operation fails when I try:

     

     

     Error Code:

    Error Text:
       Failed to update device: No IDP Rules were pushed to the device.


    Error Details:
        No Details Available.

    Logs:
    There is no Firewall policy currently assigned to this device.
    There is no Multicast policy currently assigned to this device.
    There is no IDP policy currently assigned to this device.

     

     Pushing any policy except 'none' works. I also tried the same thing with an IDP 8200, also at V5.0, with the same result.

     

    I will ask our reseller to open a TAC case on this, can't do that myself.

     

    Regards,

     

    /Nils.

     



  • 4.  RE: IDP 75 high on CPU

    Posted 07-01-2009 06:18

    Hi Nils,

    This is normal for the way the 5.0 architecture is implemented.

     

    It does NOT mean that your IDP is running out of capacity 🙂

     

    We introduced a new command to check the real CPU utilization from CLI:

     

    scio idp-cpu-utilization

     

    Check this KB for details:

    http://kb.juniper.net/KB13692

     

     

     



  • 5.  RE: IDP 75 high on CPU

    Posted 07-01-2009 08:43

    Hi,

     

    That sounds strange to me and creates some follow-up questions:

     

     

    What makes traditional tools like 'top' completely misjudge the CPU utilisation in V5.0?

     

    What is the difference between the top and 'scio idp-cpu-utilization' conceptions of CPU utilisation?

     

    Why don't my 8200s show the same behaviour? They stay at low CPU with V5.0.

     

     

    Thanks,

     

    /Nils



  • 6.  RE: IDP 75 high on CPU

    Posted 07-02-2009 04:30

    Hi Nils,

    This is because, for better performance on some IDP platforms, we use the NAPI interface.

    You can find more info on Wikipedia:

    http://en.wikipedia.org/wiki/New_API

     

    Because of that, the idpengine process is always looping waiting for new packets to arrive.

    The "top" output is correct: idpengine is using all the CPU available.

    But when packets are received, the idpengine takes and processes them 🙂

     

    "scio idp-cpu-utilization" uses a more accurate system to calculate how busy idpengine really is....

     

    Hope this helps!

     

    Ciao

    Daniele
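
The busy-polling behaviour described in the reply above, as an added example that is not part of the thread and is not Juniper code: a loop that never blocks looks 100% busy to a scheduler-based tool such as top, while the loop's own counters show how many polls actually handled a packet. The thread does not say how `scio idp-cpu-utilization` computes its figure; counting productive polls is an assumption, and all names and the arrival pattern here are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Counters a busy-polling engine can keep for itself (hypothetical names). */
struct poll_stats {
    unsigned long polls;      /* loop iterations: all of them burn CPU time */
    unsigned long busy_polls; /* iterations that found and handled a packet */
};

/* Constructed stand-in for a receive ring: arrivals[t] packets show up at
 * iteration t. Returns 1 if a packet was dequeued, 0 if the poll was empty. */
static unsigned poll_rx(const unsigned *arrivals, size_t n, size_t t, unsigned *backlog)
{
    if (t < n) *backlog += arrivals[t];
    if (*backlog == 0) return 0;
    (*backlog)--;
    return 1;
}

/* The loop never sleeps, so the OS accounts every iteration as user CPU. */
struct poll_stats run_poll_loop(const unsigned *arrivals, size_t n, size_t ticks)
{
    struct poll_stats s = {0, 0};
    unsigned backlog = 0;
    for (size_t t = 0; t < ticks; t++) {
        s.polls++;
        if (poll_rx(arrivals, n, t, &backlog))
            s.busy_polls++;
    }
    return s;
}

/* Share of iterations that did real work, as a percentage. */
unsigned real_utilization_pct(struct poll_stats s)
{
    return s.polls ? (unsigned)(100UL * s.busy_polls / s.polls) : 0;
}

int main(void)
{
    const unsigned arrivals[10] = {1, 0, 0, 2, 0, 0, 0, 0, 0, 0}; /* constructed */
    struct poll_stats s = run_poll_loop(arrivals, 10, 10);
    printf("scheduler view: ~100%% (the loop never blocks)\n");
    printf("engine view: %u%% (%lu of %lu polls handled a packet)\n",
           real_utilization_pct(s), s.busy_polls, s.polls);
    return 0;
}
```

For capacity monitoring of a sensor built this way, alert on the engine's own utilisation figure rather than on process CPU from top.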



  • 7.  RE: IDP 75 high on CPU
    Best Answer

    Posted 07-02-2009 04:39

    Ok, then I understand a little more.

     

    Thank you,

     

    /Nils