topic Re: High CPU Usage on ASA in Network Security

High CPU Usage on ASA

ABaker94985 — Wed, 09 Dec 2020 20:39:40 GMT

CPU on the ASA is varying from 90-99%, which is impacting performance for everyone.

show proc cpu-usage sorted non-zero

shows that "Dispatch Unit" is taking around 90% of the CPU.

"cap test type asp-drop all real-time" shows a bulk of the entries similar to the following:

2: 10:53:04.583725 802.1Q vlan#500 P0 146.112.240.93.443 > 100.100.100.44897: . ack 269608873 win 83 Drop-reason: (acl-drop) Flow is denied by configured rule
3: 10:53:04.618605 802.1Q vlan#500 P0 146.112.240.76.443 > 100.100.100.39232: . ack 4226217548 win 83 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 10:53:04.618711 802.1Q vlan#500 P0 146.112.240.80.443 > 100.100.100.19873: . ack 2735895955 win 83 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 10:53:04.641690 802.1Q vlan#500 P0 205.185.216.10.443 > 100.100.100.13428: . ack 2760386342 win 129 Drop-reason: (acl-drop) Flow is denied by configured rule
6: 10:53:04.697565 802.1Q vlan#500 P0 146.112.240.92.443 > 100.100.100.17175: . ack 2788027061 win 83 Drop-reason: (acl-drop) Flow is denied by configured rule

It appears traffic is being sourced from various public IPs with a port of 443/tcp to the public IP of our firewall. I ended up putting a ACL entry at the tail end of our outside ACL that reads "access-list OUTSIDE ext deny tcp any4 eq 443 any4" and the hits light up with the drops. This may be a DoS attack, but does anyone have another idea as to what I can try?

Thanks

Re: High CPU Usage on ASA

ABaker94985 — Wed, 09 Dec 2020 20:50:25 GMT

I left out some detail. The interface overruns on the outside interface is around 400-500 every 10 seconds with peaks significantly higher.

Re: High CPU Usage on ASA

balaji.bandi — Wed, 09 Dec 2020 22:05:15 GMT

Looks for me like some config issue here on a high level again we need to understand your config other aspects

please post device model and version of code running, along with show run (removing some confidential information)

what is the bandwidth you expect to handle this FW ? what is your internet speed ?

Re: High CPU Usage on ASA

ABaker94985 — Thu, 10 Dec 2020 14:32:57 GMT

Thanks for the reply. It's an older ASA-5520 running 9.1(7) with a 1 Gbps Internet speed and 2 dozen site-to-site VPN tunnels. We have a pair of [configured] FTDs to replace the 5520's, but it's been difficult to get this scheduled. The CPU normally runs high (85-87%), but we went high enough yesterday to degrade the traffic flow. I'm pretty sure it's not a configuration issue but the firewall isn't power enough to handle the traffic. Yesterday was not an isolated incident, but I'm going to drop any further troubleshooting on this, as management is now pushing to get the FTDs cutover by the end of the year.

Re: High CPU Usage on ASA

balaji.bandi — Thu, 10 Dec 2020 15:24:34 GMT

make sure you size them correctly including future requirement.