topic Re: FTD instance on Firepower has high CPU utilization on lina process in Network Security

FTD instance on Firepower has high CPU utilization on lina process

S891 — Mon, 16 Jan 2023 13:44:20 GMT

Hi ,

I have Firepower 4115. I am seeing high CPU on one of the FTD instances. There are no complaints of slowness or packet drops from users so far. Any recommendations to fix this?

> show cpu usage core all

Core 5 sec 1 min 5 min

Core 0 90.5% 92.8% 92.6%

Core 1 90.6% 92.8% 92.6%

> show processes cpu-usage sorted

Hardware: FPR4K-SM-24S

Cisco Adaptive Security Appliance Software Version 9.16(3)11

ASLR enabled, text region 55abc60b5000-55abca6c7475

PC Thread 5Sec 1Min 5Min Process

- - 85.4% 85.2% 84.8% DATAPATH-1-3116

- - 85.3% 85.2% 84.8% DATAPATH-0-3115

0x000055abc7c54d66 0x0000151701eb29e0 0.2% 0.2% 0.2% CP Processing

0x000055abc7a603c3 0x0000151701e9ee80 0.1% 0.1% 0.1% appagent_async_client_receive_thread

root@cmq-dcfw-ftd-01:~# top

Tasks: 81 total, 3 running, 68 sleeping, 0 stopped, 10 zombie

%Cpu(s): 21.7 us, 7.2 sy, 0.0 ni, 71.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st

MiB Mem : 192162.5 total, 137596.8 free, 45892.9 used, 8672.8 buff/cache

MiB Swap: 49152.0 total, 45719.7 free, 3432.2 used. 138505.6 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

2997 root 0 -20 3716024 1.6g 1.1g S 195.7 0.9 311260:57 lina

4790 root 1 -19 7949784 5.6g 89844 S 8.7 3.0 8256:04 snort3

2863 root 20 0 680204 21208 7412 S 4.3 0.0 3022:10 sftunnel

Re: FTD instance on Firepower has high CPU utilization on lina process

balaji.bandi — Mon, 16 Jan 2023 15:07:24 GMT

if this is not effecting all working as expected, check below FAQ :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200950-Clarifying-the-Firepower-Threat-Defense.html

Re: FTD instance on Firepower has high CPU utilization on lina process

MHM Cisco World — Mon, 16 Jan 2023 16:01:20 GMT

show asp drop <<- please share this

Re: FTD instance on Firepower has high CPU utilization on lina process

S891 — Tue, 17 Jan 2023 05:28:18 GMT

It turned out that it was due to a bunch of VMs migration that drove the Lina process so high. Once the migration was completed the CPU utilization was back to normal.

However, I am curious about when it starts dropping packets due to high CPU. Where in the the 'show asp drop' it tells you this? And do I need to consider the drops in one FTD instance only that has the traffic flow or other instances will be impacted too.

This is the output of 'show asp drop' in the instance where CPU was high.

> show asp drop

Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 8
No valid adjacency (no-adjacency) 45
No route to host (no-route) 17763
Reverse-path verify failed (rpf-violated) 632691
Flow is denied by configured rule (acl-drop) 487309531
Invalid SPI (np-sp-invalid-spi) 131
First TCP packet not SYN (tcp-not-syn) 11874558
Bad TCP flags (bad-tcp-flags) 5
TCP failed 3 way handshake (tcp-3whs-failed) 3520718
TCP RST/FIN out of order (tcp-rstfin-ooo) 6643683
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 13736
TCP SYNACK on established conn (tcp-synack-ooo) 64
TCP packet SEQ past window (tcp-seq-past-win) 277799
TCP invalid ACK (tcp-invalid-ack) 17
TCP RST/SYN in window (tcp-rst-syn-in-win) 22938
TCP packet failed PAWS test (tcp-paws-fail) 7590
Slowpath security checks failed (sp-security-failed) 16774557
IP option drop (invalid-ip-option) 63256
Invalid LU packet (lu-invalid-pkt) 3437
Dropped by standby unit (fo-standby) 5
Flow drop (flow-expired-drop) 1
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 46012
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 20837
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 15897
Snort instance is busy (snort-busy) 70996
FP L2 rule drop (l2_acl) 75421438
Unable to obtain connection lock (connection-lock) 2110
Interface is down (interface-down) 3066
Packet shunned (shunned) 33
Received a multicast packet in the non-active device (mcast-in-nonactive-device) 22819515
Per-flow block limit reached on flows fast-forwarded by Snort (snort-blist-full) 27160
Blocked or blacklisted by the firewall preprocessor (firewall) 47292
Blocked or blacklisted by the session preprocessor (session-preproc) 2896
Blocked or blacklisted by the reputation preprocessor (reputation) 220
Fragment reassembly failed (fragment-reassembly-failed) 17326250
Packet is blacklisted by snort (snort-blacklist) 130
Failover link is not ready for processing NLP packets (ha-nlp-lu-link-not-ready) 5
Dispatch queue tail drops (dispatch-queue-limit) 7635491

Last clearing: Never

Flow drop:
Flow is denied by access rule (acl-drop) 2
Flow shunned (shunned) 4
Inspection failure (inspect-fail) 1023570
SSL bad record detected (ssl-bad-record-detect) 99

Last clearing: Never
>

Re: FTD instance on Firepower has high CPU utilization on lina process

Marius Gunnerud — Tue, 17 Jan 2023 08:56:37 GMT

I suggest clearing the asp drop counter to have better idea of which is increasing the fastest. Also, check the output of show access-list element-count and be sure that you are not exceeding the ACL limit.