[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] sun cpu sys time is very high
Big question...you said "The process using the most cpu is 'fw' (the checkpoint daemon)." Do you mean "fwd" or "fwm" or did you mean exactly what you typed with "fw?" Do you have any forgotten security servers running which could contribute to this? If "fw" is chewing up most of your CPU you have a problem...fw process could be spinning as a result of a process run from the command line. If "fwm" is chewing up most of your CPU I don't have a great answer...try a "fwstop; fwstart" and watch the new fwm process...does it consumer more CPU cycles as time advances? If "fwd" is chewing up most of your CPU don't be surprised. Get a copy of the "Porsche book" and start down the fun road of learning about Solaris performance tuning...there's more than I can comment on here without some sar data and time on the box to look around ;) Good luck. Chris -----Original Message----- From: Jonathan C. Detert [mailto:[email protected]] Sent: Monday, September 24, 2001 18.41 To: [email protected] Subject: [FW1] sun cpu sys time is very high Hello, I am running fw-1 sp1 on a single-cpu sun box. I am only packet filtering (i.e. not NAT, no VPN, no bandwidth shaping). The sun box is acting as a gateway for my DMZ and for the internet. My problem is that the cpu utilization seems too high, and it's not cuz of any 'user' processes. The typical cpu utilization breakdown is 55% for kernel, 0.6% for user, and the rest is idle. The process using the most cpu is 'fw' (the checkpoint daemon), with about 2% of the cpu. The reason this situation is a problem is that I want to start using floodgate. However, as soon as I install a 'bandwidth policy', fgd starts taking 40+ % of the cpu, and that leaves no idle time, which makes the load go thru the roof, which effectively makes the internet and the dmz inaccessible. So, why is the kernel taking so much of the cpu? Other fun facts are: - The load averages about .6 ; - no swapping is going on ; - the box is a 220r with one 450MHz UltraSparc II cpu, 1 GB RAM, and 3 active 100Mpbs ethernet nics. - the box is running disksuite v4.2 on solaris 2.6. All fs's are mirrored. - the internet bw is 18Mbps full duplex. My best guess is that disksuite takes a lot of kernel time. Any way to verify that without undoing disksuite? If the excessive kernel time is simply due to packet filtering, are there simple strategies you can use with the security policy that have drastic affects on performance? i.e. is there a right way and a really wrong way to implement the safe affect in security rules? -- Happy Landings, Jon Detert Unix System Administrator, Milwaukee School of Engineering 1025 N. Broadway, Milwaukee, Wisconsin 53202 _______________________________________________ sunmanagers mailing list [email protected] http://www.sunmanagers.org/mailman/listinfo/sunmanagers ----- End forwarded message ----- -- Happy Landings, Jon Detert Unix System Administrator, Milwaukee School of Engineering 1025 N. Broadway, Milwaukee, Wisconsin 53202 ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|