[j-nsp] RTPERF_CPU_THRESHOLD_EXCEEDED on SRX3600

[Phil Mayers]

All,

We've seen a constant, very infrequent background of these messages on 
our SRX 3600. This is apparently expected - brief spikes in load.

In the last few days, we've started to get these constantly.

The offered load in terms of bits/sec, pps, sessions/sec, concurrent 
sessions and other metrics hasn't changed - in fact it's dropped 
slightly as our term ends - but obviously something has.

Port mirroring of the interface facing the firewall along with netflow 
analysis of the upstream routers doesn't show any standout traffic, but 
the volume and diversity is so large that it could be a single thing 
that we can't see in "normal" metrics.

There's no particular config change - just the usual addition of hosts 
to/from groups.

Our reseller has given us no useful information on how to diagnose the 
cause of this sudden step change - just the usual useless "show chassis 
routing-engine", apparently failing to understand the distributed nature 
of the SRX.

What do people generally do to track even the most basic info about the 
source of this kind of thing? I'm thinking even an attribution to input 
interface and functional area (policy processing, appid, traffic 
forwarding, policy logging, etc.)

The volume of traffic makes a flow trace unworkable.

show security monitoring ... doesn't show much, except the CPU spikes - 
no session spike, no obvious issues.

Any ideas? Any way to attribute FPC CPU usage by functional area and 
time window?

Cheers,
Phil