topic If you are just going by the in Network Security

ASA 5510 Management port

eyalhezi77 — Tue, 12 Mar 2019 05:16:41 GMT

Hi all,

I'm encountering CPU-hog issue (packet drops) each time our monitor system monitor the ASA (via SNMP) due to 1 core CPU.

The ASA is monitored via non management interface (all others),which is a production interface, my question is, if we move to the dedicated management port will solve the CPU-hog issue or it's using the same CPU as all other interfaces?

10x

Eyal

Hello Eyal-I am not saying

nspasov — Mon, 29 Dec 2014 20:17:56 GMT

Hello Eyal-

I am not saying that it is not possible and that it is not the cause of the issue here but I don't think the problem is the interface. Most of the ASAs that I have managed/configured in the past were managed via the "Inside" interface vs a dedicated management port.

My guess is that the issue is with either high throughput running through the ASA or the monitoring software itself. Can you tell us:

1. What is the average throughput running through the ASA

2. What services are you using (IPSec tunnels, remote access VPN, how many DMZs, etc)

3. What type of SNMP solution are you trying to implement and what are its configs (polling intervals)

4. Post your ASA SNMP configs

Thank you for rating helpful posts!

Hi Neno,1. in & out - MAX 203

eyalhezi77 — Tue, 30 Dec 2014 07:48:56 GMT

Hi Neno,

1. in & out - MAX 203.648 kbit/s

2.IPSEC tunnels - ~ 20 tunnels / DMZ - 5 sub interfaces for DMZ

3.PRTG with SNMP interval 30 sec

4. Please note that many of the hosts are not active (working on eliminate them).

5.attached is 'sh int | i overrun'
1927529 input errors, 0 CRC, 0 frame, 1927529 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

Hi,Seeing CPU-HOGS on the ASA

Vibhor Amrodia — Tue, 30 Dec 2014 10:05:09 GMT

Hi,

Seeing CPU-HOGS on the ASA device is not harmful on most of the cases.

How much is the duration of the hogs which you see on the ASA device.

Thanks and Regards,

Vibhor Amrodia

If you are just going by the

Marius Gunnerud — Tue, 30 Dec 2014 13:46:30 GMT

If you are just going by the input errors and interface overruns I would not think this is a CPU issue. Most likely there is more traffic passing through the interface than it can handle, or perhaps the packets are too large. Do you see the jumbo frame counter tick upward? Do the input errors and overruns steadily tick upward or does it only increase slowly? When was the last time you cleard the interface counters?

It would not hurt to move management traffic to the dedicated management port. This way you can monitor the ports for the overruns and input errors, as well as keep an eye on the CPU Hog output.

if you issue the commands show cpu usage and show processes cpu-hog. When viewing the CPU usage do you see any CPU spikes up to 80%-100% that last more than a few seconds?

Please remember to select a correct answer and rate helpful posts

by this Cisco link, it looks

eyalhezi77 — Wed, 31 Dec 2014 07:11:56 GMT

by this Cisco link, it looks like that is a CPU-HOG issue specially with 1 Core FWs:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html