topic cisco asa overrun issue / Dt.6_7_2015 in Network Security

cisco asa overrun issue / Dt.6_7_2015

secureIT — Tue, 12 Mar 2019 06:13:44 GMT

Hi,

im experiencing an asa cpu utilization issue (80%) running with 8.0 version and process hitting on Dispatch unit. At the same time, found only overruns are increasing in the firewall interfaces. Like router or checkpoint, is there any way to increase the buffer size of firewall interfaces ?

Below are my observations --

1-connection count is normal

2-show block shows less low on 1550 blocks, as highlighted below.

SIZE MAX LOW CNT
0 100 83 100
4 600 599 599
80 100 56 100
256 862 748 862
1550 9261 6504 7726
2048 2100 2081 2100
2560 164 163 164
4096 100 98 100
8192 100 100 100
16384 102 102 102
65536 16 16 16

3- show cpu
CPU utilization for 5 seconds = 78%; 1 minute: 83%; 5 minutes: 74%

4-throughput of the firewall never exceeded 60Mbps as per the calculation from the below link

https://supportforums.cisco.com/document/12495046/calculating-throughput-asa

5- Observed overruns are increasing in Gig1 and Gig2 interfaces (inside and outside respectively)

Gig1 2450000 to 2625000 with in 5 minutes
Gig2 540000 to 581000 with in 5 minutes

Now my query :- is there any command to increase interface buffers ?

Regards

SecIT()

Hi SecIT,Please check the

Akshay Rastogi — Tue, 07 Jul 2015 15:44:46 GMT

Hi SecIT,

Please check the below things:

- 'show run logging' and 'show run snmp-server'. Make sure snmp and syslog servers are reachable from ASA. if there is any log server which is not reachable exist, i would suggest you to remove the same.

- Also check for loop on these interface. Check if the interface packet counters are very high on these interfaces as compared to other interfaces. This could give you some indication of what is happening on these interface.

- For detail, take header captures on these interfaces. 'cap capi interface inside headers-only' and try to see the mac-addresses with 'show cap capi detail'. Check if the mac-address are same and looping in that interface (try to see the ttl value as well).

Regards,

Akshay Rastogi

Hi Akshay,Is there anyway to

secureIT — Sun, 12 Jul 2015 16:31:07 GMT

Hi Akshay,

Is there anyway to increase the interface buffersize in ASA ? as far as i know the only option is to enable flowcontrol that too only in 8.2.5 - any other options ? i do see the overruns (only) are increasing..

Hi Sec IT,Unfortunately flow

Akshay Rastogi — Mon, 13 Jul 2015 08:28:45 GMT

Hi Sec IT,

Unfortunately flow control is the only way to control the traffic flow coming to the interfaces interfaces.

You could try with QoS on ASA or on Switch connected to interface and see if that helps.

Regards,

Akshay Rastogi