https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754191#M1096717 <P>What do you mean with BW Link (Failover Link) ?</P> Fri, 13 Jan 2023 09:32:20 GMT mackermann 2023-01-13T09:32:20Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753702#M1096697 <P>Hello&nbsp;@ all</P><P>can someone explain to me why the load is too high.</P><P>If more information needed please tell me</P><P>Thanks in advance</P><P>show processes cpu-usage sorted non-zero<BR />Hardware: ASA5516<BR />Cisco Adaptive Security Appliance Software Version 9.14(2)8<BR />ASLR enabled, text region 55b6780b3000-55b67cc65025<BR />PC Thread 5Sec 1Min 5Min Process<BR />- - 31.3% 31.2% 31.1% DATAPATH-0-1593<BR />- - 30.5% 30.6% 30.6% DATAPATH-1-1594</P> Thu, 12 Jan 2023 14:57:11 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753702#M1096697 mackermann 2023-01-12T14:57:11Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753731#M1096698 <P>can I see&nbsp;</P><P>show asp drop ?</P> Thu, 12 Jan 2023 15:22:25 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753731#M1096698 MHM Cisco World 2023-01-12T15:22:25Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753815#M1096704 <P>May be bug here :</P> <P><A href="https://bst.cisco.com/bugsearch/bug/CSCuy94787" target="_blank">https://bst.cisco.com/bugsearch/bug/CSCuy94787</A></P> <P>is this with SFR ?</P> Thu, 12 Jan 2023 17:11:13 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4753815#M1096704 balaji.bandi 2023-01-12T17:11:13Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754132#M1096712 <P>Hello ,</P><P>I think it has to do with NAT, could that bee?</P><P>----------------------</P><P>sh asp drop</P><P>Frame drop:<BR />Flow is being freed (flow-being-freed) 1<BR />Invalid IP header (invalid-ip-header) 3485710<BR />No valid adjacency (no-adjacency) 57<BR />No route to host (no-route) 39<BR />Flow is denied by configured rule (acl-drop) 3952862<BR />First TCP packet not SYN (tcp-not-syn) 15836<BR />TCP failed 3 way handshake (tcp-3whs-failed) 168<BR />TCP RST/FIN out of order (tcp-rstfin-ooo) 2848<BR />TCP packet SEQ past window (tcp-seq-past-win) 90<BR />TCP Out-of-Order packet buffer full (tcp-buffer-full) 1968868<BR />TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 34067<BR />TCP RST/SYN in window (tcp-rst-syn-in-win) 2<BR />TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 1224<BR />Slowpath security checks failed (sp-security-failed) 29671380<BR />Expired flow (flow-expired) 7<BR />FP L2 rule drop (l2_acl) 533745<BR />Interface is down (interface-down) 386<BR />Dropped pending packets in a closed socket (np-socket-closed) 18<BR />Dispatch queue tail drops (dispatch-queue-limit) 880361<BR />Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 274</P><P>Last clearing: Never</P><P>Flow drop:<BR />NAT reverse path failed (nat-rpf-failed) 2204<BR />Inspection failure (inspect-fail) 6</P><P>Last clearing: Never</P> Fri, 13 Jan 2023 07:14:37 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754132#M1096712 mackermann 2023-01-13T07:14:37Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754142#M1096713 <P>Hello,</P><P>Only active/active Cluster</P><P>No SFR</P><P>No FirePOWER services activated.</P> Fri, 13 Jan 2023 07:43:14 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754142#M1096713 mackermann 2023-01-13T07:43:14Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754153#M1096714 <P>I have seen similar issues on FTD, in my case it was related to the number of access control entries in the ACP.&nbsp; So I would recommend checking how many access-list entries there are.</P> <P>Also, have you verified that the traffic load on the firewall is within the limits of what it can handle?</P> Fri, 13 Jan 2023 08:13:09 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754153#M1096714 Marius Gunnerud 2023-01-13T08:13:09Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754183#M1096715 <PRE>Name: tcp-global-buffer-full TCP global Out-of-Order packet buffer full: This counter is incremented and the packet is dropped when the security appliance receives an out-of-order TCP packet on a connection and there are no more global buffers available. Typically TCP packets are put into order on connections that are inspected by the security appliance or when packets are sent to the SSM for inspection. When the global Out-of-Order buffer queue is full, the packet will be dropped and this counter will increment. Recommendations: This is a temporary condition when all global buffers are used. If this counter is constantly incrementing, then please check your network for large amounts of Out-of-Order traffic, which could be caused by traffic of the same flow taking different routes through the network.</PRE><P>this with high CPU and with you mention that you run ASA active/active.<BR /><BR />are both ASA pair have same BW link ?</P> Fri, 13 Jan 2023 09:16:43 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754183#M1096715 MHM Cisco World 2023-01-13T09:16:43Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754191#M1096717 <P>What do you mean with BW Link (Failover Link) ?</P> Fri, 13 Jan 2023 09:32:20 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754191#M1096717 mackermann 2023-01-13T09:32:20Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754193#M1096718 <P>No, Link connect to IN and OUT of ASA,&nbsp;<BR />the failover link interconnect two ASA so it sure same.&nbsp;</P> Fri, 13 Jan 2023 09:39:01 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754193#M1096718 MHM Cisco World 2023-01-13T09:39:01Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754211#M1096722 <P>Hello @ all</P><P>Many thanks for your support!</P><P>your answers put me on the right track</P><P>It was part of my routing entries.<BR />I have several ip segments "/28" and one segment is part of the firewall himself.<BR />The others segments are behind an other firewall.<BR />My mistake was to route the whole net xxx.xxx.1.0/24 to the other firewall.<BR />After i splitted the routing entrys the error was gone</P><P>Again Thanks for your fast support<BR />Regards Michael</P> Fri, 13 Jan 2023 10:23:54 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754211#M1096722 mackermann 2023-01-13T10:23:54Z https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754214#M1096723 <P>You are so so welcome&nbsp;</P> Fri, 13 Jan 2023 10:29:02 GMT https://community.cisco.com/t5/network-security/datapaht-high-load/m-p/4754214#M1096723 MHM Cisco World 2023-01-13T10:29:02Z