Reset Search
 

 
Article

KB44479 - "Nfqueue is full and dropping packets. (kernel) critical." event is seen on Pulse Connect Secure 9.1R5 with a noticeable performance impact (i.e. high cpu usage)

Printable View
« Go Back

Information

 
Last Modified Date10/6/2020 5:42 PM
Synopsis

"Nfqueue is full and dropping packets. (kernel) critical." event is seen on Pulse Connect Secure 9.1R5 with a noticeable performance impact (i.e. high cpu usage)

This article describes an issue where "Nfqueue is full and dropping packets. (kernel) critical." event is seen on Pulse Connect Secure 9.1R5 with a noticeable performance impact (i.e. high cpu usage).
Problem or Goal
NFQUEUE is a kernel and user mode module for managing network packets in iptables.  The following event is seen along with a noticeable impact on system resources especially on Pulse Connect Secure 9.1R5 and in some rare cases may show up on any Pulse Connect Secure version from 9.0R1 onwards as well.
  
2020-05-12 01:31:40 - PSA7000 - [127.0.0.1] System()[] - Nfqueue is full and dropping packets. (kernel).

This issue is known to occur on PCS versions that support FQDN ACLs irrespective of it being configured or not.

This feature to configure "FQDN Resources" under Users -> Resource Policies -> VPN Tunneling Access Control, was introduced in Pulse Connect Secure 9.0R1. 
Cause
The issue is occurs with Pulse Connect Secure 9.1R5 as the maximum supported FQDN length does not meet RFC requirements. 
Solution
To resolve this problem, Pulse Secure strongly advises to upgrade to Pulse Connect Secure 9.1R6 and above which is now available for download via https://my.pulsesecure.net/

 
Note : 
  • If the issue is still seen, please upgrade to Pulse Connect Secure 9.1R8 or above where FQDN ACL feature can be disabled. 
  • Please ensure that there is no DNS latency/Delay in your network if you use this feature as this may lead to performance issues.


After upgrading to Pulse Connect Secure 9.1R8 and above, the administrator can disable FQDNACL feature as long as FQDN split tunneling is not used.  After disabling the feature, the administrator is not allowed to add new FQDN resources or modifying any existing FQDN resources.  Additionally, enabling or disabling FQDNACL feature does not restart services.
  1. Login to admin console
  2. Navigate to System > Configuration > VPN Tunneling
  3. Under Enable/Disable FQDN ACL, uncheck the option.
User-added image

If the problem persists after the upgrade, please open a support case with the following data:
  1. Screenshots of all system status graphs (throughput numbers and CPU are important)
  2. tcpdump on the internal and external interfaces when normal cpu exists.
The general trend is CPU levels and throughput should increase and decrease together.  If historical throughput numbers have increased over time, this may be causing additional load.  Pulse Secure support team can help evaluate the tcpdump to provide estimated throughput levels for your specific device.
Related Links
Attachment 1 
Created ByRaghu Kumar

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255