High Dataplane CPU Caused From "too small" or "too large" Packets For Content Inspection
Created On 04/29/19 16:43 PM - Last Modified 05/02/19 22:02 PM
Symptom
High dataplane CPU is caused by an abnormal increase in "too small" or "too large" packets for content inspection.
The global counters below seem to increase with a corresponding rise in dataplane (DP) CPU usage:
aho_sw_min_threshold
aho_sw_max_threshold
dfa_sw_min_threshold
dfa_sw_max_threshold
Environment
Palo Alto Networks firewall with App-ID and Content Inspection
Cause
On platforms that have the content matching FPGA, the AHO and DFA content inspection algorithms are offloaded by default. Minimum and maximum packet-size thresholds determine which packets the dataplane sends to the FPGA for inspection.
Packets whose size falls outside the minimum and maximum thresholds are processed in the dataplane instead, which results in increased dataplane utilization.
The limits are shown in the output of the "debug dataplane fpga state" command:
> debug dataplane fpga state
DP dp0:
aho offload setup
Use offload
Minimum Threshold for using offload: 32 bytes
Maximum Threshold for using offload: 9900 bytes
Max. outstanding request to offloading: 1024
Current outstanding request to offloading: 0
---SKIP ---
dfa offload setup
Use offload
Minimum Threshold for using offload: 48 bytes
Maximum Threshold for using offload: 9900 bytes
Max. outstanding request to offloading: 1024
Current outstanding request to offloading: 0
For AHO:
Minimum Threshold: 32 bytes
Maximum Threshold: 9900 bytes
Global counters:
• aho_sw_min_threshold - Usage of software AHO caused by packet length min threshold
• aho_sw_max_threshold - Usage of software AHO caused by packet length max threshold
For DFA:
Minimum Threshold: 48 bytes
Maximum Threshold: 9900 bytes
Global counters:
• dfa_sw_min_threshold - Usage of software dfa caused by packet length min threshold
• dfa_sw_max_threshold - Usage of software dfa caused by packet length max threshold
An abnormal increase in the number of packets observed for the above counters may cause the dataplane CPU to go high.
Resolution
With an abnormal increase in "too small" and "too large" packets, a spike in the dataplane CPU is expected. Compare the counters below against a baseline taken under normal CPU conditions:
• aho_sw_min_threshold - Usage of software AHO caused by packet length min threshold
• aho_sw_max_threshold - Usage of software AHO caused by packet length max threshold
• dfa_sw_min_threshold - Usage of software dfa caused by packet length min threshold
• dfa_sw_max_threshold - Usage of software dfa caused by packet length max threshold
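The baseline comparison recommended above, as an added example (not Palo Alto Networks code): it parses the "debug dataplane fpga state" output shown on this page and flags the counters whose rate has grown well past the baseline. The "name rate" snapshot lines, the sample rates and the 3x factor are assumptions made for illustration.

```python
import re

WATCHED = ("aho_sw_min_threshold", "aho_sw_max_threshold",
           "dfa_sw_min_threshold", "dfa_sw_max_threshold")

def offload_thresholds(fpga_state):
    """Parse the fpga state text into {'aho': {'min': 32, 'max': 9900}, ...}; no offload -> {}."""
    result, engine = {}, None
    for line in fpga_state.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(aho|dfa) offload setup", line)
        if m:
            engine = m.group(1)
            result[engine] = {}
        m = re.fullmatch(r"(Minimum|Maximum) Threshold for using offload: (\d+) bytes", line)
        if m and engine:
            result[engine][m.group(1)[:3].lower()] = int(m.group(2))
    return result

def parse_rates(snapshot):
    """Read 'name rate' lines (assumed layout) for the four watched counters only."""
    rates = {}
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in WATCHED and parts[1].isdigit():
            rates[parts[0]] = int(parts[1])
    return rates

def abnormal(fpga_state, baseline, current, factor=3.0):
    """Map counters whose rate exceeds factor x baseline (assumed ratio) to their threshold in bytes."""
    limits = offload_thresholds(fpga_state)
    base, cur = parse_rates(baseline), parse_rates(current)
    flagged = {}
    for name, rate in cur.items():
        engine, kind = name[:3], name.split("_")[2]   # e.g. 'aho', 'min'
        if engine in limits and rate > factor * max(base.get(name, 0), 1):
            flagged[name] = limits[engine].get(kind)
    return flagged

# Constructed samples. FPGA follows the output shown on this page; the rates are invented.
FPGA = ("DP dp0:\naho offload setup\nUse offload\n"
        "Minimum Threshold for using offload: 32 bytes\nMaximum Threshold for using offload: 9900 bytes\n"
        "dfa offload setup\nUse offload\n"
        "Minimum Threshold for using offload: 48 bytes\nMaximum Threshold for using offload: 9900 bytes\n")
BASELINE = "aho_sw_min_threshold 120\naho_sw_max_threshold 2\ndfa_sw_min_threshold 150\ndfa_sw_max_threshold 1"
CURRENT = "aho_sw_min_threshold 9800\naho_sw_max_threshold 3\ndfa_sw_min_threshold 11000\ndfa_sw_max_threshold 1"

if __name__ == "__main__":
    print(abnormal(FPGA, BASELINE, CURRENT))
```

With the constructed samples, both min-threshold counters are flagged, which points at an increase in packets smaller than 32 bytes (AHO) and 48 bytes (DFA).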
Additional Information
Here is how to check if a device has content matching FPGA:
> debug dataplane fpga state
no offload for aho
no offload for dfa
The above output indicates that there is no content matching FPGA.
> debug dataplane fpga state
DP dp0:
aho offload setup
Use offload
Minimum Threshold for using offload: 32 bytes
Maximum Threshold for using offload: 9900 bytes
Max. outstanding request to offloading: 1024
Current outstanding request to offloading: 0
---SKIP ---
dfa offload setup
Use offload
Minimum Threshold for using offload: 48 bytes
Maximum Threshold for using offload: 9900 bytes
Max. outstanding request to offloading: 1024
Current outstanding request to offloading: 0
The above indicates that the content matching FPGA is available.
Platforms that have the content matching FPGA: PA-3000, PA-3200, PA-5000, PA-5200, PA-7000.
Platforms that do not have the content matching FPGA: PA-200, PA-220, PA-500, PA-800.