CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


** Announcing the #CPUGchallenge **

I'm very happy to announce that CPUG will be hosting "The CPUG Challenge" during CPX this year.
It promises to be a fun and interesting event that will test (and maybe even expand) your knowledge of Check Point.
Whether or not you plan to attend CPX, we have something for you. Please check out this post or the CPUGchallenge.com web site for more information. -E

 

Results 1 to 9 of 9

Thread: pep becomes unresponsive

  1. #1
    Join Date
    2009-12-11
    Posts
    16
    Rep Power
    0

    Default pep becomes unresponsive

    Hi All,

    Anyone come across where a VS FW pep daemon becomes unresponsive over time? Each time this happens the FW says the pep dameon not running even though it was running earlier. We then have to reboot the active node to get pep running on the VS. The other VSs on the same nodes seem fine with the pep. We are running R77.10.

    Any help or insights are appreciated.

    Thanks,

    Bill

  2. #2
    Join Date
    2006-03-21
    Posts
    41
    Rep Power
    0

    Default Re: pep becomes unresponsive

    Quote Originally Posted by bingdude View Post
    Hi All,
    Any help or insights are appreciated.
    Hi Bill,

    Any relevant log in the PEP log file? Start having a look at $FWDIR/log/pepd.elg

    Regards

    Ed

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: pep becomes unresponsive

    Sounds like a good start. Maybe also ps aux | grep pep before and after. Check mem usage. also see if there is anything in dmesg and /var/log/dump/usermode.

  4. #4
    Join Date
    2009-12-11
    Posts
    16
    Rep Power
    0

    Default Re: pep becomes unresponsive

    Thanks for the suggestions. Looks like we got some stuff in the /var/log/dump/usermode/ folder with pepd in it. I'll also cross reference with pepd.elg files.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: pep becomes unresponsive

    Quote Originally Posted by bingdude View Post
    Thanks for the suggestions. Looks like we got some stuff in the /var/log/dump/usermode/ folder with pepd in it. I'll also cross reference with pepd.elg files.
    If you know how to do a do a backtrace you could pull one. Requires downloading gdb. Next step will be to get the .elg files, cpinfo and crash files to support. If you pull a gdb backtrace it should help move things along a bit faster.

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,931
    Rep Power
    10

    Default Re: pep becomes unresponsive

    Incidentally, an extremely busy kernel on the firewall can starve the pdpd and pepd processes for CPU and cause Identity Awareness to fall behind in the timely processing of Security Log entries via WMI in a large Windows domain. The solution would be implementing manual process affinity to reserve pdpd/pepd their own dedicated processing core, or using the new Identity Collector agent to offload the WMI function from the firewall itself completely. See sk113021 for a preview of this new Identity Collector agent that is coming soon.
    Last edited by ShadowPeak.com; 2017-02-02 at 13:31.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  7. #7
    Join Date
    2009-12-11
    Posts
    16
    Rep Power
    0

    Default Re: pep becomes unresponsive

    Looks like it crapped out again last night. Results of ps -aux | grep pepd. The 149:24 seems high to me. The pepd on the other VS FWs are running fine. Nothing new showed up in /var/log/dump/usermode. Any way to restart pepd without impacting other FW services? Going to check pepd.elg logs as well.

    Below is what I am seeing.

    [Expert@VSAP01-1:3]# ps -aux | grep pepd
    Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
    admin 17887 3.0 0.1 185016 37588 ? S Jan30 149:24 pepd 0 -t
    admin 17913 0.0 0.1 182412 35708 ? S Jan30 0:12 pepd 0 -t
    admin 18136 0.0 0.1 180052 33988 ? S Jan30 0:22 pepd 0 -t
    admin 18189 0.2 0.1 187332 41104 ? S Jan30 13:50 pepd 0 -t
    admin 26551 0.0 0.0 1740 556 pts/2 S+ 08:30 0:00 grep pepd

    Below is what I get when I type 'pep' on vsenv 3.

    [Expert@VSAP01-1:3]# pep
    daemon did not respond or not running!

    Below is what I get when I type 'pep' on vsenv 2.

    [Expert@VSAP01-1:2]# pep
    Command: root

    Available options:
    debug - control debug messages
    tracker - tracker options
    show - display PEP information
    control - Control and set PEP parameters

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,163
    Rep Power
    7

    Default Re: pep becomes unresponsive

    hmm, it doesn't look super busy. %3 cpu?

    Is anything else running away with the CPU? Thinking about what Shadowpeak brought up. The other option would be to enable debugs on that pep process. I haven't done it myself on vsx so i can't say if its the normal process or not.

    btw, don't remember if i asked, but does anything show up in dmesg? Gremlins lurk in there. Its not time stamped but might show something if say a disk was going out on you, which could cause a process's read option to hang, this pep hang. Thats a bit of a shot in the dark though.

  9. #9
    Join Date
    2009-12-11
    Posts
    16
    Rep Power
    0

    Default Re: pep becomes unresponsive

    CP support provided us with a Hotfix for R7710. It worked for a longer period (7 days) then bombed out again. Back to the drawing board....

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •