Cisco ips 4270 unequal cpu utilization

I am having 2 cisco IPS 4270 devices with an IOS version 7.0(2)E4. When monitoring through IPS manager, I am able to see 4 CPU's.
In CPU 1 the utilzation is showing near to 100 percent. CPU 2 is showing zero or very less utilsation. CPU 3 & CPU 4 are showing average utilization - nearly equal to 40 percent.
I doubt why i am getting zero percent CPU utilization in CPU 2 and 100 percent utilisation in CPU 1?
whether we can do a distribution of CPU among the four CPU's.?
Hey cisco folks, please help.

This was mentioned in a previous post, specifically the reply by Scott Fringer. Post here:
https://supportforums.cisco.com/message/3065777#3065777
In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
The E3 signature engine update contains changes from CSCsu77935
The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
So, what you are seeing should be considered normal, and doesn't need correction. That is, unless you are seeing packet loss.

Similar Messages

Cisco ips 4270 cpu 100% utilization...

hi folks i have cisco ips 4270 version 7.0(2) E3 when i try to access it through IDM its show the cpu utilization of cpu1=100% and cpu4=100% but cpu1 and cpu2 are varying can any one please tell me what will be the solution of this problem...
when i try to go to the configuration then its give me the attached error..........document attached please check....

Hi,
Having 100% on some of your CPU is normal on the IPS platform.
The device is using it's idle cycles to prepare for the handling of the incoming packets and to reduce the delay it will introduce on their path so it is expected to get this even when under low load.
If you want to have a better idea of the capacity % of your IPS you are currently using, you should have a look at the Inspection Load value. Looking at the data you provided, you are around 25% at the moment.
For the rdep timeout message, it seems to be a software issue. Looking closer at the picture you attached, we also see "Analysis Engine Status: Not Responding".
It is a bit difficult to troubleshoot those on CSC so I would advise you to open a TAC case if you want to know the exact root cause.
What I would advise is to upgrade to the latest 7(0) code which is I believe 7.0(5a)E4 since the issue is most then likely fixed in this version.
If you are looking for a quick fix, a reboot of the IPS should clear this but the problem will most then likely come back later.
Regards,
Nicolas

CISCO IPS 4270 rebooting again and again

Dear Experts,
We are facing problem where Cisco IPS 4270 is keep rebooting, attached are the logs.
after entering username and password it again goes into restart cycle
Appreciate your help
Muhammad Nasim

You should try reimageing you sensor. If that doesn't;t fix this issue, you need to RMA the unit to Cisco.
Cisco might just let you RMA the unit as is if you have a contract, but bringing it is faster.
- Bob

IPS 4270 with 6509 VSS in Promiscous mode

Dear all,
I am trying to figure out how to configure 2x IPS 4270 in promiscous mode with Cisco 6509 VSS:
I have attached the LLD core datacenter design including the IPS physical placement in my network.
The following points are my concerns in this design:
Shall I connect each of the IPS 4270's into VSS Chassis A and B, or I keep each IPS connected to different Chassis? (considering the SPAN port configuration on VSS and if I could encounted Asymmetric routing issue or not).
Can I use Etherchannel in either case (keep in mind it's promiscous mode), that means the destination interface on the VSS will be an Etherchannel interface, but does the Cisco IPS 4270 support Etherchannel while in promiscous mode?
I really appreciate your input on this matter guys.
Cheers
Mohammed Khair

Hi,
1.You can Connect the each IPS into Chasis A and B That is Not aproblem .But While Configuring the RSPAN Monitor From A to B and B to A should monitor the both vlans ( i mean RSAPN A and B also vice versa in your config then it will give both out put even connectivity between IPs and chasisi one fails also)
2.IPS Supports the Etherchannel while in promiscous mode as well.

Cisco IPS make slow copy between linux server

we have 3 subnet A, B, C . Each subnet have some linux servers. Subnet C is protected by cisco IPS 4270.
1)If we config IPS to bypass traffice, copy speed between servers around 10MB/s -> 25MB/s.
2) IF IPS protect subnetC.
When we copy file from a serrver of SubnetC to subnet A or B, copy speed increase from min to around 20MB/s.
And when we copy file from a serrver of SubnetA or B to subnet C, copy speed very slow around 700kB/s-> 2MB/s
The server used command "scp .... "
So we think there are signatures we should tuning. we have CSM but we havent seen any relate events about this problem.
Help me check this problem!

Hello,
You can do what Jon mentioned, you might see a signature being triggered when Host C takes place but if by any chance you do not then create captures for both traffic flows (With C and Without C).
Afterwards compare
You might find some weird in that TCP session that involes C (packet loss, then retransmissions, ooo packets, etc).
Make sure you correlate all of the information
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com

CISCO IPS 4260 CPU USAGE 99%

Hi guys
I'm detecting something unusual on my CISCO IPS 4260. This device have 2 CPU's but only in one cpu is showing 99% of use, and the inspection load varies from 40 to 50, and sometimes 80, here's a screenshot of what I'm talking about.
Where can I start to troubleshoot why is showing this values.?
Regards.

do you think is normal that the IPS signature with more hits is de SIGID 5575 (NBT NetBIOS Session Service Failed Login?
After doing some research it seems to be normal for a windows enviroment.
Here is the information I got
Description
When a client connects to a SMB server (WinNT, Win95, Samba, etc..) a TCP connection to port 139 is established. The client then provides the server with its NetBIOS name and the NetBIOS name it wishes to connect to. If the name does not exist on the server, the session setup attempt fails and an error message is sent to the client. This could be an indicator of an attack.
Recommended Filter
Exclude internal networks as sources.
Benign Triggers
The default alarm level for this is low because this happens during normal network activity within a Windows network. As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system.
As you can see you could excluded to stop triggering that, this is an informational signature
Regards,
Remember to rate all of the helpful posts

Cisco PI 2.1 can't generate CPU utilization report

Hi Expert,
I just want to generate a CPU utilization report for my test router, I follow cisco offical documents step by step.
But unlucky, there's no result be display when I finished run the report.
Can anyone come cross this issue? Please help me to solve this issue.
The config detail please refer to attachment (Pic1, 2, 3)
Thanks in advance,
The PI display this error:
No data matches the specified criteria for the report
make user that the following background tasks are running:
1.controller performace
2.switch CPU and Memory Poll
BR
Frank

It's a VM.
I chose the Express-Plus profile even though I could technically have used the Express profile for what they're managing. I always try to err on the side of more resources when building a management system. Getting a customer to adapt their workflow to properly leverage a NMS is hard enough without it also being a drag to use due to system sluggishness.
We're also running it on a nice new shiny data center - UCS B240 series blade with fast storage on Netapp SAS disks and connected directly to the 7010 core (via the Fabric Interconnect of course).

IOS IPS CPU Utilization

Hi,
I'm hoping that I can ask a question here about the IPS function built into the AdvSec versions of IOS?
I have experimented with implementing the default signature set on 3845's (12.4 mainline, 1GB dram) - and it works well; but the CPU utilization jumps from around 10% to ~30% - without any other changes.
Is this much of a jump to be expected? And, is there any "tuning" that can be done to bring it down significantly?
Thanks, Nick

Nick;
This is normal and can be tuned (i.e disable sigs for any protocols not in use). I would suggest using the 256MB signature definition file, as that is what I am using and it doesn't add much more overhead than builtin sigs. I have one 2811 in particular feeding 2 T1s w/ MLPPP and taking advantage of the Firewall & IPS features. These 2 features alone only added around 13% extra CPU utilization on this small box.

How to capture CISCO Switches / Routers CPU Utilization in MRTG

Hi,
I’m using CISCO Switches / Routers and wanted to capture the CPU Utilization of those devices in MRTG. Can anyone help me to get step by step information. Please.!

Thanks Vinod..!
I already have MRTG installed and monitoring link bandwidth utilization. Now, Wanted to capture the CPU utilization for those devices. Can i know the configuration detail needs to be applied in MRTG / Routers or Switches.
Provided URL don't have much detailed configuration needs to be done at both the side (MRTG / CISCO Devices). Please.
Thanks,
Tamil

CISCO 2941-DC router, acceptable CPU utilization percentage

What is the maximum acceptable CPU Utilization percentage for a CISCO MWR 2941-DC router that is not prone to errors?

There is no specific percent given for CPU utilization that is not prone to errors.

Cisco IPS Concurrent session support in ips 4260 and 4270 sensor

I am wondring that no document from Cisco IPS data sheets mention the concurrent session support in Cisco IPS 4200 series sensor. I am looking forward to any one who can advise about the subject.
Thanks
Nouman

Hi.
with IPS devices it's difficult to measure performance by # of connections per second since several factors count to the performance limit, including:
1- packet size.
2- object sizes per transaction
3- transactions per second
4- signatures enabled
5- features enabled
that why public documents try to make it more realistic by mentioning the transactional performance.
here is a link mentioning concurrent connections for 4270:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
although the link mentiones 100k and 200k, but we've seen situations where we had a lot more connections with a smaller amount of signatures enabled.
for the 4260 the public document only mentions the transactional performance.
Regards,
Fadi.
If this answers your question please mark the thread as resolved.

IPS 4270-20, ver 7.1.(4)E4 - CPU 100% on 3 CPUs

Hi,
We have uprade our IPS 4270-20 appliances (10) to new version of 7.1.(4)E4, after upgrade we see that out of 4 CPUs, 3 CPUs shows are 100% (CPU 1, 3,4).
However when we check the inspection load its less than 40-50%. Looks like this may be a bug but its so far not even seen in the bug tool.
We upgraded from 7.0.4(E4) and we can't downgrade now and only option is to reimage all the 10 IPS appliances phsically on all the sites which will be disaster.
Is there's a patch available for this or is there a workaround, if nothing is available, should we open the TAC case..?
Appreciate if someone can advise us.
thanks

This is normal. The correct measure of load is inspection-load. The CPUs being shown at 100% is becuase the threads are continously polling for new data packets.
Regards,
Sawan Gupta

High CPU Utilization on Cisco SGE-2000

Dear Experts,
We are using Two Cisco SGE-2000 in our network. but we are facing CPU utilization very high upto 95 to 98 percent.
we are unable to see in details why it's happend like in cisco RTR or Catalyst " sh proc cpu" there is see in details by which service it going high so then we can identity very easly but in Cisco L3 SGe-2000 only showing Percent not in details. so how can i find out.
We are getting on SGE-2000 this type of errors "2147480831 2012-Jul-06 13:14:45 Warning %IPFFT-W-SFFTREDYELLOW: IP SFFT"
how can solve this and why it's happend.
Please anyone help me for the same , i appreciate for this.
Thanks in ADV,

D/Tom,
Thanks for your reply . you are right there is more than 400 users connected with this SW so how can i resolve this issue.
one more think should i go with this SW when connected more than 400 users and also we have configured with Static route and we have facing CPU utilization very high continue 90 to 99 percent. and how can i show in details which service is taking high percent of CPU utilization cause i am not able to show in details in this SW only percentage are showing.
This SW is reliable at this level ?? or not and i want to know how many BW perfonance capacity of this SW currentely we are using 100 mb P2P.
one SW at our CO (SGE-2000) with 150 users and conneted 100 mb P2P with same SGE-2000 at our HO with more than 400 usrs.
there is no any issue at our CO with the same SW.
Thanks once again!!!

High CPU utilization in cisco 6509E

I am facing a issue with CISCO 6509E switch with high CPU utilization. it reaches to 65%-70% which usually reaches 20 to 30%.

Hi
Your High CPU is due to interrupts, see 65% alone due to interrupts out of 89%.
Also, see last 72 hours CPU history, CPU always between 50-70%.
7667565564544456465655555555544555455445456566765655555455955555568667
0632835054379725938088655171198331612347960635027367553873051450118873
100
90 * *
80 * *
70 ** * * * ** * ****
60 ******* * * ******** * * ************* * ** * *****
50 ********* *************************** *******************************
40 ###**************************************************************#####
30 ######***********################**#*****##############***############
20 ######################################################################
10 ######################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
Here's very good guide to troubleshoot the High CPU Utilization Due to Interrupts
Troubleshooting High CPU Utilization Due to Interrupts
http://www.cisco.com/c/en/us/support/docs/routers/7500-series-routers/41120-highcpu-interrupts.html
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information

ASA 5545 NIPS CPU utilization 100%

Hi,
We are having two pair of NIPS SSP and working in Active and standby mode.
All four Devices (ASA 5545 and ASA 5525 SSP IPS) showing CPU utilization 100% on both active and standby devices.
Memory usage is also showing very highly utilized.
Kindly help me resovle this issue.
Regards,
Dheeraj

Hi Dheeraj,
I don't think this is an issue. CPU 100% utilization is reported on every IPS (appliance or ASA software module) and it should be normal.
If you want to see if your device is getting more traffic than it can process, you should look at inspection load.
I hope this will help and it would be nice if someone from Cisco team could reply to this.

Cisco ips 4270 unequal cpu utilization

Similar Messages

Maybe you are looking for