Sonicwall TZ-180 100% CPU Usage

Posted on 2014-04-14
Last Modified: 2014-04-17
I have  6 TZ-180's that are still being used and they all started exhibiting strange behavior since last Thursday/Friday.

The CPU gets pegged at 100% and stays like that until it is power cycled.  They then will work fine for an undetermined amount of time (a day in some cases, sometimes less) until they need to be power cycled again.

It is strange but out of our 15 Sonicwalls, it is only happening to the TZ-180's.  I know they are old and we are replacing them this week, but for it to happen to all of them is baffling.

I was able to get to the connections monitor on one of them while it was at 100% and the process that is causing  it seems to be called: tWebMainS which I believe is the https daemon.

Even though I won't need them by the end of the week, if somebody knows how to remedy this so we don't have to keep power cycling them, it would be a huge help.

Thanks.
Question by:rubendn
19 Comments
 

Expert Comment

by:csgonline
ID: 39999584
I am having the exact same issue on TZ150s and TZ180s.  The same service is what is causing it.  I am continuing to research, but if you find anything please post back.

Thank you
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39999606
What is the SonicOS version on them?
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39999619
I had the same problem on a TZ210W until two weeks ago. I activated additional logging categories in the Logs section and at least one of them pushed the Sonicwall past capacity, locking it up. Mine was locking every 24 to 48 hours for a month.

By unchecking some of the unnecessary items to log, the firewall is now stable.

Sonicwall support was not able to find it. I had to dig in and experiment with it. I also upgraded the firmware which they suggested.

Hope this helps!
0
 
LVL 1

Author Comment

by:rubendn
ID: 39999704
They are all running Standard 3.9.1.5-53s which I believe is the latest available for those models.

I upgraded them over the weekend because before the upgrade they couldn't connect to the licensing server at Sonicwall and the nodes would be limited.

I don't know if it is something related to the OpenSSL bug but it is strange it started happening to all of them at the same time and the item is the https daemon.

csgonline: I will definitely post back if we figure out what the problem is before we replace them.

TG-TIS: I haven't changed anything on them recently so I don't think it would have to do with logging but I will take a look.
0
 
LVL 1

Author Comment

by:rubendn
ID: 39999718
Here are a couple of screenshots from one of the units:

Process Monitor
CPU Utilization
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39999744
That does not look like the problem I had.  When mine locked, I couldn't access it at all. You don't have that problem.  We don't use SSL so I can't comment on that. I would check the PCs connected to it and see if one is infected. I don't recognize any of those processes. They may be custom to your network or app.
0
 
LVL 1

Author Comment

by:rubendn
ID: 40001449
I've started the process of replacing all the Sonicwalls but still haven't found a cause for the issue.

Restarted all of them about 12 hours ago after they all spiked again to 100% with the same https daemon process.

It is almost as if it is a designed bug to get you to upgrade.  Strange that all of them start freaking out at the same time but none of the other newer models are doing the same.
0
 

Expert Comment

by:csgonline
ID: 40001453
I agree 100% this seems like a designed bug as it seems like they are good for about 12-16 hours then they lock up.  I am in the process of replacing all of mine as well.
0
 
LVL 2

Accepted Solution

by:
Matty-CT earned 2000 total points
ID: 40002696
I've been battling this since last Friday as well. One of my SonicWall Pro 2040's was locking intermittently, as well as TZ170's of a number of my clients. However, not all of the SonicWalls which I manage were locking up. After scratching my head for days, I looked at all the firewall rules and noticed that some of these devices had HTTPS (WAN) remote management enabled! In fact, since Friday 4/11, all devices which were experiencing lockup all had HTTPS WAN management enabled. I just thought of this today and have disabled the remote WAN management (good idea anyway) on all the affected UTMs. I hit upon this thread while researching my problem so I figured that I'd post my theory for you.

I suspect that even though the SonicWall UTMs are not susceptible to the OpenSSL flaw, if the HTTPS remote management rule is enabled, the units are available to be browsed and scanned on port 443. I suspect that Heartbleed vulnerability scripts are scouring the 'net for 443 vulnerability and that these scans are overwhelming the web interface on the SonicWall UTMs. Go check your rules. I'll be interested to see if you had HTTPS WAN management enabled!

Matt
0
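
Added example, not part of the original post or of any SonicWall tooling: when many firewalls are under management, the "check your rules" step in the answer above can be cross-checked from an outside vantage point by testing whether each unit's WAN address still accepts TCP connections on port 443. The site labels and addresses are constructed placeholders (TEST-NET-3), and an "open" result only means something answers on 443, which may also be a published server rather than the management page.

```python
import socket

# Constructed inventory: site label -> WAN address (documentation range).
INVENTORY = {
    "branch-01": "203.0.113.10",
    "branch-02": "203.0.113.11",
    "branch-03": "203.0.113.12",
}


def probe(host, port=443, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'error'.

    `connect` is injectable so the logic can be exercised offline.
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"      # RST came back: nothing is listening there
    except (socket.timeout, TimeoutError):
        return "filtered"    # no answer at all: silently dropped
    except OSError:
        return "error"       # unreachable, name resolution failure, etc.
    conn.close()             # handshake completed; send nothing further
    return "open"


def audit(inventory, port=443, **probe_args):
    """Probe every unit once; return (per-site results, sorted exposed sites)."""
    results = {site: probe(addr, port, **probe_args)
               for site, addr in inventory.items()}
    exposed = sorted(site for site, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    results, exposed = audit(INVENTORY)
    for site, state in sorted(results.items()):
        print(f"{site:12} {INVENTORY[site]:16} 443/tcp {state}")
    if exposed:
        print("Review WAN HTTPS management on:", ", ".join(exposed))
```

Run it from a host outside the firewalls' own networks, since a probe from the LAN side says nothing about what the WAN rule exposes.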
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40002705
I just checked both of my TZ210W units and those features are disabled on both.
0
 
LVL 1

Author Comment

by:rubendn
ID: 40002769
Matty-CT,
Yes, I've disabled it on one unit to see if that helps.  It has been about 21 hours and that one is still going good.  

I have the 5 others with it still enabled so if they lock up and the one doesn't then I'll disable it on all the others.

I had started a thread also on Spiceworks and that is what we were working towards.

Thanks for your help.  I'll update once I know.

Edit: Here is the thread on Spiceworks:

http://community.spiceworks.com/topic/476167-sonicwall-tz-180-100-cpu
0
 

Expert Comment

by:ggooden
ID: 40003045
I'm experiencing these issues on my Pro 3060 as well with HTTPS wan management enabled.  Can you confirm that disabling that has helped?



Gregory
0
 
LVL 1

Author Comment

by:rubendn
ID: 40003051
I can't completely confirm but I think it is leading in that direction.

The 1 unit where I disabled https wan management has been up without experiencing the 100% CPU issue for about 25 hours as of right now.

The other 5 units that had https wan management were up for between 15-20 hours each but all ended up going to 100%.  I have now restarted those and disabled https management.

I'll report back the results.
0
 
LVL 2

Expert Comment

by:Matty-CT
ID: 40004529
Since last Friday, I'd noticed that traffic was dropping off or significantly slow. After a SonicWall 2040 reboot everything would return to normal for a while. Then, for no apparent reason, the SonicWall CPU monitor would show 100% utilization. During those periods, a ping to the LAN interface would vary from 400ms up to 3000ms or time out rather than the normal 1 to 3ms ping. It's been almost 24 hours now since I disabled the HTTPS WAN management rule and everything has been rock solid on the SonicWall, just as it has been for the past eight years, 24/7, prior to this strange event.

Early yesterday, I began researching replacement units for it. Fingers are crossed that this nails it. I'm not keen on dropping the cash for a NSA 2400 or similar if I don't have to do so. I'll save talk of pfsense, endian, and untangle for a different thread!

Matt
0
 

Expert Comment

by:csgonline
ID: 40004714
I am in the same boat.  Changing the Wan Management rule seems to have fixed my issue as I am past 24 hours.  Thank you everyone for the assistance.
0
 
LVL 1

Author Comment

by:rubendn
ID: 40005284
As of this point the original unit that I disabled https wan management about 36 hours ago has not locked up at all.

The other 5 units which I disabled wan management about 20-22 hours ago have also not locked up.

It seems the https wan management was the cause but I don't want to make a premature judgement.

I'll give it a little more time before closing the question.
0
 
LVL 2

Expert Comment

by:Matty-CT
ID: 40005342
Awesome. Yeah, hate to jump the gun on the issue either.
0
 
LVL 1

Author Comment

by:rubendn
ID: 40008010
I've accepted Matty-CT's comment as the solution.

After disabling https wan management, none of the firewalls displayed the 100% cpu behavior again.
0
 

Expert Comment

by:ggooden
ID: 40008012
I can confirm my Pro 3060 has been very stable since disabling WAN management access.
0
