SecureStacks with High CPU Utilization after Firmware Upgrade

  • Updated 5 years ago
Article ID: 5790 

Products
SecureStack C2
Firmware 4.00.24 and higher
SecureStack B2
Firmware 3.01.16 and higher
SecureStack A2
Firmware 1.03.17 and higher 

Changes
Upgraded firmware 

Symptoms
High CPU utilization
'show system utilization cpu'
'show system utilization process'
"ssltDHCreate" 

Cause
Upgrading from an older firmware version (released prior to July 2006) to a newer one, and running the newer version for the first time, initiates the generation of SSL Diffie-Hellman keys for HTTPS management (Secure WebView) access, regardless of how the stack or unit is configured.

This low-priority background function shows up as very high CPU utilization, on the order of 98-100%. This should not degrade higher-priority switch functions. The key generation takes approximately 45 minutes to complete, depending upon what else the CPU is doing, after which CPU utilization drops back to normal levels.

Here is an example of the "high CPU utilization" symptom:
A2(rw)->show ver

Copyright (c) 2005 by Enterasys Networks, Inc.

Model          Serial #          Versions
-------------- ----------------- -------------------

A2H124-24      05491788900B      Hw:BCM5650 REV 33
                                 Bp:01.00.40
                                 Fw:01.03.17
                                 BuFw:No Backup Image

A2(rw)->show system utilization cpu
Total CPU Utilization:

Switch   CPU   5 sec   1 min   5 min
-------------------------------------------------
1        1     98%     99%     99%

A2(rw)->

The 'show system utilization process' command (5894) will provide further detail.
A2(rw)->show system utilization process

Switch:1 CPU:1

TID       Name           5Sec     1Min     5Min
----------------------------------------------------------
. . .
a25b2e8   ssltDHCreate   97.40%   96.85%   70.22%
. . .
A2(rw)->

The functional changeover point is as of C2 f/w 4.00.24, B2 f/w 3.01.16, and A2 f/w 1.03.17. Release notes cite the reason for the change, in the 'Firmware Changes and Enhancements' section:
The command "set webview enable ssl-only" has been added to the list of command options. When the "set webview enable ssl-only" command is enabled in conjunction with the "set ssl enable" command, the user will only be allowed to access WebView using HTTPS (SSL - TCP port 443), HTTP (TCP port 80) will be disabled for WebView access. If the command "set ssl enable" is configured in conjunction with "set webview disable ssl-only" (the default setting), then WebView will be accessible by either HTTPS or HTTP.

Solution
FAD (Functions as Designed) 

The described process will only occur once, and it should be functionally non-disruptive during the 45 minutes that it is running.
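
For triaging a high-CPU alert against this known behavior, the following Python script is an added example, not Enterasys code: it parses 'show system utilization process' output and reports whether ssltDHCreate accounts for the load. The 90% alert threshold, the 90-minute overdue margin, the function names and the 'exampleTask' sample row are assumptions made for the example.

```python
import re

# Constructed capture, modeled on the 'show system utilization process' output
# in this article; 'exampleTask' and its TID are made up for the example.
SAMPLE = """\
Switch:1 CPU:1

TID Name 5Sec 1Min 5Min
----------------------------------------------------------
a25b2e8 ssltDHCreate 97.40% 96.85% 70.22%
a1f0c10 exampleTask 0.60% 0.75% 0.90%
"""

ROW = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\S+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s*$")
KEYGEN_TASK = "ssltDHCreate"  # task name shown in the article
HIGH_CPU = 90.0               # assumed alert threshold (percent), not from the article
OVERDUE_MIN = 90              # assumed margin over the article's ~45 minutes


def parse_processes(text):
    """Return [(name, 5sec, 1min, 5min)] for every process row in the capture."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers, separators and '. . .' elisions do not match
            rows.append((m.group(2), float(m.group(3)), float(m.group(4)), float(m.group(5))))
    return rows


def triage(text, minutes_since_upgrade=None):
    """Classify a capture as 'normal', 'keygen', 'keygen-overdue' or 'investigate'."""
    rows = parse_processes(text)
    if not rows:
        return "investigate"  # nothing parsed: do not assume benign
    load = sum(r[1] for r in rows)
    if load < HIGH_CPU:
        return "normal"
    top = max(rows, key=lambda r: r[1])
    # Expected case: the one-time key generation task accounts for most of the load.
    if top[0] == KEYGEN_TASK and top[1] > load / 2:
        if minutes_since_upgrade is not None and minutes_since_upgrade > OVERDUE_MIN:
            return "keygen-overdue"
        return "keygen"
    return "investigate"


if __name__ == "__main__":
    print(triage(SAMPLE, minutes_since_upgrade=10))
```

A result of 'investigate' or 'keygen-overdue' means the capture does not match the one-time behavior described here and the load needs a separate look.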

FAQ User, Official Rep


Posted 5 years ago
