Operational Defect Database

BugZero found this defect 502 days ago.

WatchGuard Technologies | kA16S000000Bc3fSAC

Elevated CPU utilization on Firebox with TPM chip and cannot manage with WSM or Fireware Web UI

Last update date:

1/4/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.0.x

12.1.x

12.1

12.1.1

12.1.3

12.10.x

12.2.x

12.3.x

12.4.x

Fixed releases:

All

Description:

Issue

Frequently retrieving the Status Report on Fireboxes with a TPM chip** might cause elevated CPU utilization that is much higher than normal operating load.

**Firebox T10, T30, T50, T70, M200, M300, M400, M500, M440, M4600, and M5600 models do not have a TPM chip.

Symptoms include:

- Inability to manage the Firebox with WSM or Fireware Web UI
- Elevated CPU utilization shown by the show sysinfo CLI command
- Elevated CPU utilization shown by SNMP data

Possible methods to retrieve the Status Report:

- USB drive plugged in to the Firebox. To verify, run the show usb CLI command.
- In Firebox System Manager (FSM), select the Status Report tab.
- Automated scripts that run the show status-report command.

If you see abnormal CPU utilization but can still connect to the device with WSM or Fireware Web UI and retrieve the Status Report, check the Process List for numerous systemd processes with elevated CPU utilization. For example:

    PIDST %CPU VSS RSS SHARED STARTED TIME COMMAND
    14574 99.1 0.1 91364 4560 ? R< 18:37 11:29 /usr/bin/systemd
    14575 99.1 0.1 91364 4560 ? R< 18:37 11:22 /usr/bin/systemd
    14663 84.3 0.1 91364 4668 ? R< 18:48 0:21 /usr/bin/systemd
    14664 82.7 0.1 91364 4668 ? R< 18:48 0:14 /usr/bin/systemd
    17775 0.0 0.3 91364 14192 ? S<sl Nov03 0:55 /usr/bin/systemd
    18072 99.8 0.1 91364 4420 ? R< Nov03 17052:40 /usr/bin/systemd
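The Process List check described above can be run over a saved copy of a Status Report rather than by pulling a fresh one, since frequent retrieval is itself the trigger. The following is an added example, not WatchGuard code: the column layout (PID first, %CPU second, command last) is assumed from the sample rows, and the 80 %CPU and three-process thresholds are assumptions chosen for illustration.

```python
"""Flag the runaway-systemd pattern in a saved Firebox process list."""

# Assumed thresholds (not from the WatchGuard article): a process counts as
# "hot" at or above 80 %CPU, and three or more hot systemd processes counts
# as "numerous".
HOT_CPU = 80.0
MIN_HOT = 3

# Header and rows copied from the article's example process list.
SAMPLE = """\
PIDST %CPU VSS RSS SHARED STARTED TIME COMMAND
14574 99.1 0.1 91364 4560 ? R< 18:37 11:29 /usr/bin/systemd
14575 99.1 0.1 91364 4560 ? R< 18:37 11:22 /usr/bin/systemd
14663 84.3 0.1 91364 4668 ? R< 18:48 0:21 /usr/bin/systemd
14664 82.7 0.1 91364 4668 ? R< 18:48 0:14 /usr/bin/systemd
17775 0.0 0.3 91364 14192 ? S<sl Nov03 0:55 /usr/bin/systemd
18072 99.8 0.1 91364 4420 ? R< Nov03 17052:40 /usr/bin/systemd
"""


def parse_rows(text):
    """Yield (pid, cpu, command) for each row shaped like the sample.

    Assumed layout: PID first, %CPU second, command last. Header lines and
    rows that do not parse are skipped instead of raising.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            pid, cpu = int(fields[0]), float(fields[1])
        except ValueError:
            continue
        yield pid, cpu, fields[-1]


def hot_systemd(text, hot_cpu=HOT_CPU):
    """Return [(pid, cpu)] for systemd processes at or above hot_cpu."""
    return [(pid, cpu) for pid, cpu, cmd in parse_rows(text)
            if cmd.endswith("/systemd") and cpu >= hot_cpu]


def matches_defect(text, hot_cpu=HOT_CPU, min_hot=MIN_HOT):
    """True when the list shows numerous high-CPU systemd processes."""
    return len(hot_systemd(text, hot_cpu)) >= min_hot


if __name__ == "__main__":
    for pid, cpu in hot_systemd(SAMPLE):
        print(f"systemd pid {pid} at {cpu}% CPU")
    print("matches defect pattern:", matches_defect(SAMPLE))
```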

Workaround/Solution

Disable Status Report retrieval and use the reboot CLI command to reboot the Firebox.

To use the CLI, you must first establish a CLI connection to the Firebox. You can connect to the CLI with a command line program such as Putty or TeraTerm. You can also use a null modem serial cable to connect to the CLI. The default WatchGuard policy allows you to connect to and manage a Firebox from any computer on a trusted or optional network on port 4118, as described below. For this procedure, you must have a terminal client that supports SSH2 and you must know the IP address of a Firebox trusted or optional interface.

To connect to the CLI:

1. Open your terminal application and open a new connection window.
2. Verify the terminal is set to VT100.
3. Verify your connection parameters are set to:
   - Host: The IP address of the Firebox trusted or optional interface
   - TCP Port: 4118
   - Service: SSH (version SSH2)
   - Protocol: IPv4
4. Press Enter.
5. Type the admin or status account name, and the password.


Status

Open
