Solved

Sonicwall TZ-180 100% CPU Usage

Posted on 2014-04-14
Last Modified: 2014-04-17
I have  6 TZ-180's that are still being used and they all started exhibiting strange behavior since last Thursday/Friday.

The CPU gets pegged at 100% and stays like that until it is power cycled.  They then will work fine for an undetermined amount of time (a day in some cases, sometimes less) until they need to be power cycled again.

It is strange but out of our 15 Sonicwalls, it is only happening to the TZ-180's.  I know they are old and we are replacing them this week, but for it to happen to all of them is baffling.

I was able to get to the connections monitor on one of them while it was at 100% and the process that is causing  it seems to be called: tWebMainS which I believe is the https daemon.

Even though I won't need them by the end of the week, if somebody knows how to remedy this so we don't have to keep power cycling them, it would be a huge help.

Thanks.
Question by:rubendn
19 Comments
 

Expert Comment

by:csgonline
I am having the exact same issue on TZ150s and TZ180s.  The same service is what is causing it.  I am continuing to research, but if you find anything please post back.

Thank you

Expert Comment

by:Miftaul
What is the SonicOS version on them?

Expert Comment

by:Tony Giangreco
I had the same problem on a TZ210W until two weeks ago. I activated additional logging categories in the Logs section and at least one of them pushed the Sonicwall past capacity, locking it up. Mine was locking every 24 to 48 hours for a month.

By unchecking some of the unnecessary items to log, the firewall is now stable.

Sonicwall support was not able to find it. I had to dig in and experiment with it. I also upgraded the firmware which they suggested.

Hope this helps!

Author Comment

by:rubendn
They are all running Standard 3.9.1.5-53s which I believe is the latest available for those models.

I upgraded them over the weekend because before the upgrade they couldn't connect to the licensing server at Sonicwall and the nodes would be limited.

I don't know if it is something related to the OpenSSL bug but it is strange it started happening to all of them at the same time and the item is the https daemon.

csgonline: I will definitely post back if we figure out what the problem is before we replace them.

TG-TIS: I haven't changed anything on them recently so I don't think it would have to do with logging but I will take a look.

Author Comment

by:rubendn
Here are a couple of screenshots from one of the units:

Process Monitor
CPU Utilization

Expert Comment

by:Tony Giangreco
That does not look like the problem I had.  When mine locked, I couldn't access it at all. You don't have that problem.  We don't use SSL so I can't comment on that. I would check the PCs connected to it and see if one is infected. I don't recognize any of those processes. They may be custom to your network or app.

Author Comment

by:rubendn
I've started the process of replacing all the Sonicwalls but still haven't found a cause for the issue.

Restarted all of them about 12 hours ago after they all spiked again to 100% with the same https daemon process.

It is almost as if it is a designed bug to get you to upgrade.  Strange that all of them start freaking out at the same time but none of the other newer models are doing the same.

Expert Comment

by:csgonline
I agree 100% this seems like a designed bug as it seems like they are good for about 12-16 hours then they lock up.  I am in the process of replacing all of mine as well.

Accepted Solution

by:Matty-CT
I've been battling this since last Friday as well. One of my SonicWall Pro 2040's was locking intermittently, as well as TZ170's of a number of my clients. However, not all of the SonicWalls which I manage were locking up. After scratching my head for days, I looked at all the firewall rules and noticed that some of these devices had HTTPS (WAN) remote management enabled! In fact, since Friday 4/11, all devices which were experiencing lockup all had HTTPS WAN management enabled. I just thought of this today and have disabled the remote WAN management (good idea anyway) on all the affected UTMs. I hit upon this thread while researching my problem so I figured that I'd post my theory for you.

I suspect that even though the SonicWall UTMs are not susceptible to the Open SSL flaw, if the HTTPS remote management rule is enabled, the units are available to be browsed and scanned on port 443. I suspect that Heartbleed vulnerability scripts are scouring the 'net for 443 vulnerability and that these scans are overwhelming the web interface on the SonicWall UTMs. Go check your rules. I'll be interested to see if you had HTTPS WAN management enabled!

Matt
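
Added example, not part of the original thread: a small Python audit that checks, from a host outside the firewalls, which units still accept TCP connections on the HTTPS management port after the WAN management rule has been disabled. The inventory names and 192.0.2.x addresses are constructed placeholders, and the function names are this example's own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed inventory: replace with the WAN addresses of your own firewalls.
# 192.0.2.0/24 is a documentation range, so these entries are placeholders.
FIREWALLS = {
    "branch-tz180-1": "192.0.2.10",
    "branch-tz180-2": "192.0.2.11",
}

def check_https_mgmt(host, port=443, timeout=3.0):
    """Classify TCP reachability of the HTTPS management port.

    "exposed"  - TCP handshake completed, something is listening
    "closed"   - connection actively refused
    "filtered" - no answer before the timeout (dropped by a rule)
    "error"    - any other failure (no route, name lookup, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "exposed"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"

def audit(inventory, port=443, timeout=3.0):
    """Check every unit in parallel and return {name: status}."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        futures = {name: pool.submit(check_https_mgmt, addr, port, timeout)
                   for name, addr in inventory.items()}
        return {name: f.result() for name, f in futures.items()}

def still_exposed(results):
    """Names of units that still accept connections on the port."""
    return sorted(n for n, s in results.items() if s == "exposed")

if __name__ == "__main__":
    results = audit(FIREWALLS)
    for name, status in sorted(results.items()):
        print(f"{name:20} {FIREWALLS[name]:15} {status}")
    exposed = still_exposed(results)
    if exposed:
        print("HTTPS still reachable from here:", ", ".join(exposed))
```

An "exposed" result only shows that port 443 answers; a unit that forwards 443 to an internal server will also report it, so confirm against the firewall's own management settings.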

Expert Comment

by:Tony Giangreco
I just checked both of my TZ210W units and those features are disabled on both.

Author Comment

by:rubendn
Matty-CT,
Yes, I've disabled it on one unit to see if that helps.  It has been about 21 hours and that one is still going good.  

I have the 5 others with it still enabled so if they lock up and the one doesn't then I'll disable it on all the others.

I had started a thread also on Spiceworks and that is what we were working towards.

Thanks for your help.  I'll update once I know.

Edit: Here is the thread on Spiceworks:

http://community.spiceworks.com/topic/476167-sonicwall-tz-180-100-cpu

Expert Comment

by:ggooden
I'm experiencing these issues on my Pro 3060 as well with HTTPS wan management enabled.  Can you confirm that disabling that has helped?



Gregory

Author Comment

by:rubendn
I can't completely confirm but I think it is leading in that direction.

The 1 unit where I disabled https wan management has been up without experiencing the 100% CPU issue for about 25 hours as of right now.

The other 5 units that had https wan management were up for between 15-20 hours each but all ended up going to 100%.  I have now restarted those and disabled https management.

I'll report back the results.

Expert Comment

by:Matty-CT
Since last Friday, I'd noticed that traffic was dropping off or significantly slow. After a SonicWall 2040 reboot everything would return to normal for a while. Then, for no apparent reason, the SonicWall CPU monitor would show 100% utilization. During those periods, a ping to the LAN interface would vary from 400ms up to 3000ms or time out rather than the normal 1 to 3ms ping. It's been almost 24 hours now since I disabled the HTTPS WAN management rule and everything has been rock solid on the SonicWall, just as it has been for the past eight years, 24/7, prior to this strange event.

Early yesterday, I began researching replacement units for it. Fingers are crossed that this nails it. I'm not keen on dropping the cash for a NSA 2400 or similar if I don't have to do so. I'll save talk of pfsense, endian, and untangle for a different thread!

Matt

Expert Comment

by:csgonline
I am in the same boat.  Changing the Wan Management rule seems to have fixed my issue as I am past 24 hours.  Thank you everyone for the assistance.

Author Comment

by:rubendn
As of this point the original unit that I disabled https wan management about 36 hours ago has not locked up at all.

The other 5 units which I disabled wan management about 20-22 hours ago have also not locked up.

It seems the https wan management was the cause but I don't want to make a premature judgement.

I'll give it a little more time before closing the question.

Expert Comment

by:Matty-CT
Awesome. Yeah, hate to jump the gun on the issue either.

Author Comment

by:rubendn
I've accepted Matty-CT's comment as the solution.

After disabling https wan management, none of the firewalls displayed the 100% cpu behavior again.

Expert Comment

by:ggooden
I can confirm my Pro 3060 has been very stable since disabling WAN management access.