
SecureStacks with High CPU Utilization after Firmware Upgrade

Article ID: 5790

SecureStack C2
Firmware 4.00.24 and higher
SecureStack B2
Firmware 3.01.16 and higher
SecureStack A2
Firmware 1.03.17 and higher

Upgraded firmware

High CPU utilization
'show system utilization cpu'
'show system utilization process'

Upgrading from an older firmware version (released prior to July 2006) to a newer one, and running the newer firmware for the first time, initiates the generation of SSL Diffie-Hellman keys for HTTPS management (Secure WebView) access, regardless of how the stack or unit is configured.

This low-priority background function shows up as very high CPU utilization, on the order of 98-100%. This should not degrade higher-priority switch functions. Key generation takes approximately 45 minutes to complete, depending upon what else the CPU is doing, after which CPU utilization drops back to normal levels.

Here is an example of the "high CPU utilization" symptom:

A2(rw)->show ver

Copyright (c) 2005 by Enterasys Networks, Inc.

Model Serial # Versions
-------------- ----------------- -------------------

A2H124-24 05491788900B Hw:BCM5650 REV 33
BuFw:No Backup Image

A2(rw)->show system utilization cpu
Total CPU Utilization:

Switch CPU 5 sec 1 min 5 min
1 1 98% 99% 99%

The 'show system utilization process' command (5894) will provide further detail.

A2(rw)->show system utilization process

Switch:1 CPU:1

TID Name 5Sec 1Min 5Min
. . .
a25b2e8 ssltDHCreate 97.40% 96.85% 70.22%
. . .
The functional changeover point is as of C2 f/w 4.00.24, B2 f/w 3.01.16, and A2 f/w 1.03.17. Release notes cite the reason for the change, in the 'Firmware Changes and Enhancements' section:
The command "set webview enable ssl-only" has been added to the list of command options. When the "set webview enable ssl-only" command is enabled in conjunction with the "set ssl enable" command, the user will only be allowed to access WebView using HTTPS (SSL - TCP port 443), HTTP (TCP port 80) will be disabled for WebView access. If the command "set ssl enable" is configured in conjunction with "set webview disable ssl-only" (the default setting), then WebView will be accessible by either HTTPS or HTTP.

FAD (Functions as Designed)

The described process will only occur once, and it should be functionally non-disruptive during the 45 minutes that it is running.
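A triage check for the symptom above, as an added example that is not part of the original article or of any vendor tooling: it parses captured 'show system utilization process' output and separates the one-time ssltDHCreate key generation from high CPU that needs investigation. The 90% cut-off, the 90-minute margin, the exampleTask name and the sample captures are assumptions constructed for illustration; only the ssltDHCreate row comes from the article.

```python
import re

# One row of 'show system utilization process': TID, task name, 5Sec/1Min/5Min.
ROW = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+(\S+)"
    r"\s+(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s*$"
)

KEYGEN_TASK = "ssltDHCreate"  # task name shown in the article's output
HIGH_CPU = 90.0               # assumed cut-off for "high"; not a vendor value
MAX_MINUTES = 90              # assumed margin over the article's ~45 minutes

def parse_processes(text):
    """Return {task: (5sec, 1min, 5min)}; header and '. . .' lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(2)] = tuple(float(x) for x in m.group(3, 4, 5))
    return rows

def triage(text, minutes_since_upgrade):
    """Classify one capture as 'normal', 'keygen' or 'investigate'."""
    rows = parse_processes(text)
    if not rows:
        return "investigate"  # nothing parsed: do not assume benign
    if sum(v[0] for v in rows.values()) < HIGH_CPU:
        return "normal"
    keygen_load = rows.get(KEYGEN_TASK, (0.0, 0.0, 0.0))[0]
    if keygen_load >= HIGH_CPU and minutes_since_upgrade <= MAX_MINUTES:
        return "keygen"       # the one-time behaviour the article describes
    return "investigate"      # another task is busy, or key generation overran

# Constructed captures; only the ssltDHCreate row is taken from the article.
DURING_KEYGEN = """Switch:1 CPU:1

TID Name 5Sec 1Min 5Min
. . .
a25b2e8 ssltDHCreate 97.40% 96.85% 70.22%
. . .
"""
OTHER_TASK_BUSY = """Switch:1 CPU:1

TID Name 5Sec 1Min 5Min
a1000f0 exampleTask 95.10% 94.00% 93.50%
a25b2e8 ssltDHCreate 0.00% 0.00% 0.00%
"""

if __name__ == "__main__":
    print(triage(DURING_KEYGEN, 10), triage(OTHER_TASK_BUSY, 10))
```

A capture that returns 'investigate' falls outside the behaviour this article documents and should be handled as an ordinary high-CPU case.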
