Forum Discussion
ATP sensor Consume most server CPU (60%)
It is observed after installing ATP sensor, on domain controller, that more than 60 % of 16 cores CPU are consumed by microsoft.tri.sensor.exe component
EliOfek
Microsoft
Microsoftmesaqee , it seems that the total CPU on the machine is 74%, so technically speaking there is no issue, and the sensor is not even throttling at this point.
Such consumption might be expected for high traffic scenarios.
What did the sizing tool had to say about this machine?
What is the hardware spec ? what is the busy packets/sec and max packets/sec ?
the sensor itself won't initiate connections specifically to 8.8.8.8, but if you are running a DNS service on the machine that will except connections from 8.8.8.8, then it is expected that the sensor will try to get back to this endpoint to try and resolve it. most likely it's not related to the CPU usage.
Dear EliOfek ,
The server is based on a VM, attached are the complete hardware specs. The busy packets/sec=511 and max packets/sec=32,295.
Please see below the complete sizing tool output:
| DC | Sensor Supported | Failed Samples | Max Packets/sec | Avg Packets/sec | Busy Packets/sec | Busy Packets/sec Start Time | Busy Packets/sec End Time | Min Avail MB | Avg Avail MB | Busy Avail MB | Busy RAM Start Time | Busy RAM End Time | Total MB | Max % CPU Time | Avg % CPU Time | Busy % CPU Time | Busy CPU Start Time | Busy CPU End Time | Logical processors | Processor Groups | Core Count | VM Indicator | AD Site | Time Zone Name | Is DST | OS Caption | OS Build Number | OS Installation Type | OS Server Levels |
| XXXXX | Yes, but additional resources required: +1GB; +1 core | 8 | 32,295 | 105 | 511 | 19:51:52 | 20:21:50 | 2,366 | 4,349 | 3,323 | 17:12:16 | 17:42:14 | 8,191 | 100 | 50 | 98 | 2:17:12 | 2:47:30 | 2 | 1 | 2 | VMWare | XXXXX | (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi | Microsoft Windows Server 2019 Standard | 17763 | Server | ServerCore; ServerCoreExtended; Server-Gui-Mgmt; Server-Gui-Shell |
- EliOfekWas one core added as suggested?
While the busy packets are low, the max is pretty high...
Is the high CPU you noticed is constant or spikes on certain hours ?- No, the core hasn't be added as this issue has started coming up since last week only. The spike has been there almost constantly. We are still monitoring that to evaluate if this is intermittent or a consistent issue. Do you have any other suggestions apart from the core addition?
- EliOfekCheck the packets/sec on all the nics, or re run the sizing tool, maybe there was an increase of traffic load on this machine, but nothing seems wrong here , especially if the sizing tool asked for another core and it wasn't deployed.