Pfsense appliance on ESXi 4.1 - high CPU usage



  • Hello, I'm testing out pfsense as a virtual on an HP DL360 G4p box and ESXi 4.1. The box has 2 Xeon 3.4GHz processors and 12GB RAM. One issue we have with the current production physical pfsense box that is running with a Celeron 2.0GHz proc and 512MB RAM is that if we image a computer across subnets it will use 100% CPU and our VPNs will start dropping. I am hoping that with this other box and a faster processor, we can eliminate this problem.

    I started with giving the virtual just 1 processor and the resource pool is unlimited (it is the only virtual in place). I then gave it 2 cores, and finally 4 cores and 1GB. No matter how many resources I give it, it seems to use close to 100% of the processor when it gets close to maxing out the NIC. The NICs are GB but there is a 100Mb switch in between server and pfsense so the max is 100Mb.

    The output of "top -SH" shows the following at the top:

    irq9: le1  acpi0
    irq10: le0
    

    and attached is a screenshot of how the CPU graph seems to correlate with the bandwidth used. Are there any settings in ESXi I should be checking? I converted the pfsense appliance to get this VM. I ended up resetting it to factory settings at one point because of other issues I was having (operator error) and then installed the OpenVM tools package.

    Thanks for any help.



  • Are you running the SMP kernel?  By default the VM version uses the single CPU kernel.



  • Use e1000 NICs in the VM, the default ones perform very poorly.



  • @jwelter99:

    Are you running the SMP kernel?  By default the VM version uses the single CPU kernel.

    I didn't change anything so it sounds like I am not using the SMP kernel. That would explain why multiple processors don't help any.

    @cmb:

    Use e1000 NICs in the VM, the default ones perform very poorly.

    I was wondering about this. I'll give that a shot today. Thanks.



  • Excellent! Changing the NICs in the VM to e1000 made all the difference.

    I had considered this before but I couldn't change the existing NIC. Not knowing ESXi very well it took me a while to realize I had to add a new NIC in order to have the choice.

    I've attached a new screenshot of the graphs during testing to compare for the curious.

    Oh, and I'm not sure about the kernel not being SMP. In my system logs it says the following:

    kernel: sullrich@FreeBSD_7.2_pfSense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
    


