The CPU usage of the edge datapath is very high

Article ID: 314218


Products

VMware NSX

Issue/Introduction

This KB provides a way to determine whether high CPU usage on the edge datapath is related to the LoadBalancer service, and presents a workaround.

Symptoms:
After an upgrade, the CPU usage of the edge datapath is very high.

Environment

VMware NSX-T Data Center

VMware NSX

Cause

The symptom occurs when all of the conditions below exist on an edge node.

  1. Gateway Firewall is disabled.
  2. Many configurations are in place in the LoadBalancer service and many LoadBalancer firewall rules are generated in the edge datapath.
  3. A large amount of non-LoadBalancer traffic is forwarded by the Logical Router (LR) to which the LoadBalancer is attached.

In the current design, the LoadBalancer firewall rules in the datapath are used to identify whether a packet is LoadBalancer traffic. The rule match operation must be done in the firewall framework. If the Gateway Firewall is disabled, no connection entry is generated for non-LoadBalancer traffic, so the rule match operation is done for every non-LoadBalancer packet. This rule match operation requires a large amount of CPU to complete.

Resolution

Please refer to the Workaround section.

Workaround:

There are two potential workarounds. Choose one.

  1. Enable Gateway Firewall. If Gateway Firewall is enabled, a stateful connection entry is maintained in the datapath, and the rule match operation is only done for the first packet.
  2. Separate the non-LoadBalancer traffic and the LoadBalancer traffic into different logical routers.
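
The cost difference described in the Cause section and in workaround 1, as a simplified Python model (an added example, not NSX code). The linear rule scan, the class and function names, and the addresses are assumptions made for illustration.

```python
# Simplified model (added example, not NSX code): counts the rule comparisons
# spent classifying non-LoadBalancer packets on an edge datapath.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Datapath:
    lb_rules: list              # (vip, port) pairs generated from LoadBalancer config
    gateway_fw_enabled: bool
    conn_table: set = field(default_factory=set)
    comparisons: int = 0

    def match_lb_rule(self, pkt):
        # Assumption: linear scan over the rule list; the real matcher may differ.
        for vip, port in self.lb_rules:
            self.comparisons += 1
            if (pkt.dst, pkt.dport) == (vip, port):
                return True
        return False

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.conn_table:
            return "fast-path"  # existing connection entry, no rule match needed
        is_lb = self.match_lb_rule(pkt)
        # Model assumption: LoadBalancer flows always get an entry; other flows
        # get one only when the Gateway Firewall is enabled (the Cause condition).
        if is_lb or self.gateway_fw_enabled:
            self.conn_table.add(key)
        return "lb" if is_lb else "forward"

def rule_comparisons(gateway_fw_enabled, n_rules=500, n_flows=20, pkts_per_flow=100):
    rules = [(f"10.0.{i // 250}.{i % 250 + 1}", 443) for i in range(n_rules)]
    dp = Datapath(rules, gateway_fw_enabled)
    # Constructed non-LoadBalancer traffic: the destination matches no VIP.
    for _ in range(pkts_per_flow):
        for f in range(n_flows):
            dp.process(Packet(f"192.168.1.{f + 1}", "172.16.0.10", 8080))
    return dp.comparisons

if __name__ == "__main__":
    print("Gateway Firewall disabled:", rule_comparisons(False))
    print("Gateway Firewall enabled: ", rule_comparisons(True))
```

In this model the disabled case scales with packets × rules, while the enabled case scales with flows × rules.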



Additional Information

Impact/Risks:
There may be some packets dropped in the edge node.