How to fix NSA 3600 high CPU usage when it has FQDN address objects??
Various Office 365 IPs, networks and FQDNs were loaded as address objects and organized into an address group.
This was 200-some new address objects, some were wildcard FQDNs.
After that, bandwidth went to half of what it should be and high Core 0 CPU usage was observed.
Sonicwall tech support blames the presence of all the FQDN address objects.
Taking them out did fix things but this is not an acceptable solution.
Why does this happen and how to fix this problem?? -- the 3600 and similar devices should not be spending all their time calculating fqdns...
We have been on SonicOS Enhanced 6.5.4.5-53n for a long time because of other issues involved with upgrading firmware, do any firmware updates fix this problem??
Thank you, Tom
Answers
@tommls
Could you try the steps below.
1- Set the TTL of the FQDN address objects to the maximum (86400s).
2- Use a local DNS server instead of DNS servers behind the WAN zone. (Set the manual DNS settings under "Log/Name Resolution/Name Resolution Method" to "DNS then NetBIOS" (if you are using local PC resolution in logs and other sections) and set the manual DNS settings to the local DNS IP.)
3- Set Control Plane Flood Protection to 80% or 90% under the "Firewall Settings/Advanced Settings/Control Plane Flood Protection/Enable Control Plane Flood Protection" check box.
@tommls
Upgrade your Sonic OS to latest general release and observe the cpu usage.
@MitatOnge
Thank you for these suggestions, my comments/questions are:
#1 Is it possible to set TTL on FQDN address objects with the CLI?? I ask because there are so many FQDNs; I can try adding TTL 86400 on the command line.
I found this but no code examples:
Syntax: dns-ttl
Mode: FQDN Address Object
Description: Manually set DNS entries' TTL.
Options: Integer in the form: D OR 0xHHHH. Example: 123
Example: dns-ttl 120
#1 What is SonicWall's default TTL value for FQDN address objects?? (The TTL value for all FQDNs is presently blank.)
#2 We have always had the main Network/DNS section set to local DNS (two domain controllers plus 1.1.1.1; it looks like 172.16.x.x, 172.16.x.x, 1.1.1.1). I configured the Log/Name Resolution method setting to "DNS then NetBIOS" with the same IPs shown here and clicked Accept.
#3 I researched Control Plane, it's not enabled, the default is 75, does this mean the amount of traffic/usage of Core 0 is limited to 80%??
I'm wanting to be careful about all this because what happened after installing the O365 address objects, particularly the FQDNs (wildcard and non-wildcard) is that all our Internet slowed down drastically and even keystrokes and mouse movements were not processing properly....so I don't want this happening again.
Note: updating firmware is something I cannot just do; we have had some Citrix problems after updating firmware, though I will try it after I take backups of the current configuration.
Thank you, Tom
Clarification: Regarding Control Plane, does this cap traffic/usage on Core0?? What negative effects could happen by setting this Control Plane value??
Also, must these settings be configured within all Sonicwalls containing all these 200-some fqdns?? We have 50+ Sonicwalls in a hub and spoke setup with our NSA 3600 as the hub.
Thank you, Tom
@tommls
Core 0 is responsible for "App Flow, DHCP Server, IPSEC, Log Management, Firewall GUI, etc."
#1 Syntax: dns-ttl
Mode: FQDN Address Object
Description: Manually set DNS entries' TTL.
Options: Integer in the form: D OR 0xHHHH. Example: 123
Example: dns-ttl 120
SonicWall has a min TTL of 120 seconds and a max TTL of 86400 seconds.
#2 What is SonicWall's default TTL value for FQDN address objects?? (The TTL value for all FQDNs is presently blank.)
The default TTL comes from the DNS server. If the DNS records have a lower TTL, your firewall sends a new DNS query to the DNS server for the FQDN addresses. I have checked: office365.com's default TTL is 5 minutes. I think you should set a high TTL time manually.
#3 I researched Control Plane, it's not enabled, the default is 75, does this mean the amount of traffic/usage of Core 0 is limited to 80%??
If Core 0 reaches the limit, Control Plane will drop some services. As you said, you have lots of VPN tunnels, so be careful!
Check the links below.
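An added example, not from this thread or from SonicWall: a small Python helper that emits the CLI lines to pin dns-ttl on a batch of FQDN address objects (clamped to the 120 s to 86400 s range quoted above) and estimates how many DNS re-queries the firewall makes per day at a given TTL. The configure / address-object fqdn <name> / dns-ttl / exit / commit command structure and the sample object names are assumptions; verify them against the CLI reference for your firmware before pasting.

```python
# Added example: generate SonicOS CLI commands to set dns-ttl on FQDN address
# objects and estimate DNS query load. The command layout below is an
# assumption based on the SonicOS 6.5 CLI reference, not copied from the thread.
MIN_TTL = 120      # lower bound stated in the thread
MAX_TTL = 86400    # upper bound stated in the thread
SECONDS_PER_DAY = 86400


def clamp_ttl(seconds):
    """Clamp a requested TTL to the range the firewall accepts."""
    if not isinstance(seconds, int):
        raise TypeError("TTL must be an integer number of seconds")
    return max(MIN_TTL, min(MAX_TTL, seconds))


def dns_ttl_commands(object_names, ttl=MAX_TTL):
    """Return CLI lines that pin dns-ttl on each named FQDN address object.

    Names are quoted because SonicOS object names often contain spaces.
    """
    ttl = clamp_ttl(ttl)
    lines = ["configure"]
    for name in object_names:
        if '"' in name:
            raise ValueError(f"object name contains a quote: {name!r}")
        lines.append(f'address-object fqdn "{name}"')   # enter FQDN object mode
        lines.append(f"dns-ttl {ttl}")                  # override server TTL
        lines.append("exit")
    lines.append("commit")
    return lines


def queries_per_day(n_objects, ttl):
    """Rough number of DNS lookups/day if every object re-resolves each TTL."""
    return n_objects * (SECONDS_PER_DAY // clamp_ttl(ttl))


# Constructed sample object names (hypothetical; the real names are not in the thread).
SAMPLE_OBJECTS = [
    "O365 outlook.office365.com",
    "O365 *.sharepoint.com",
    "O365 login.microsoftonline.com",
]

if __name__ == "__main__":
    print("\n".join(dns_ttl_commands(SAMPLE_OBJECTS)))
    # 200 objects at the 5-minute server TTL vs. pinned at the 24-hour maximum
    print(queries_per_day(200, 300), "vs", queries_per_day(200, MAX_TTL))
```

With 200 objects, the 5-minute server TTL mentioned in the answer works out to 57600 lookups per day against 200 when pinned at 86400 s, which is the load the firewall's control plane is carrying.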