topic Re: asa 5520 has a high cpu utilization ip spoofing in Network Security

asa 5520 has a high cpu utilization ip spoofing

jdumorne03 — Wed, 12 Jun 2019 17:42:00 GMT

Hello can anyone provide there assistance in guiding me as to what I can do to resolve this issue if you have experienced this issue in your career. I'm at a complete lost. I would be grateful. I try to fail over to the second same issue took place. failed back over still the same high cpu spike.

my logs are displaying please review attachment

# sh cpu detailed

Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 99.0 (0.0 + 99.0) 98.8 (0.0 + 98.8) 99.1 (0.0 + 99.1)

Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 100.0%

CPU utilization of external processes for:
5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%

Total CPU utilization for:
5 seconds = 99.2%; 1 minute: 98.9%; 5 minutes: 99.1%

------------------------------------------------------------

# sh processes cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
0x0915f0f1 0x6edcb07c 52.7% 52.7% 53.2% Logger
0x082a445c 0x6edd4ee4 42.3% 41.2% 41.3% Dispatch Unit
0x090451e4 0x6edbeb8c 3.8% 3.7% 3.7% SNMP Notify Thread
0x0911079d 0x6edbcfb8 0.2% 0.1% 0.1% ssh
0x087cb14e 0x6edc00f4 0.1% 0.1% 0.1% ARP Thread
0x091b4cd9 0x6edbba50 0.0% 0.1% 0.0% snmp
0x098da690 0x6edcce74 0.0% 0.1% 0.0% Checkheaps

----------------------------------------------------------

# sh asp drop

Frame drop:
Invalid encapsulation (invalid-encap) 6125
Invalid TCP Length (invalid-tcp-hdr-length) 19
No valid adjacency (no-adjacency) 1
No route to host (no-route) 8432
Flow is denied by configured rule (acl-drop) 566916559
First TCP packet not SYN (tcp-not-syn) 3624
TCP failed 3 way handshake (tcp-3whs-failed) 26012
TCP RST/FIN out of order (tcp-rstfin-ooo) 26153
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 43
TCP SYNACK on established conn (tcp-synack-ooo) 23
TCP packet SEQ past window (tcp-seq-past-win) 1517
TCP Out-of-Order packet buffer full (tcp-buffer-full) 339663
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 47233
TCP RST/SYN in window (tcp-rst-syn-in-win) 42
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 16653
TCP packet failed PAWS test (tcp-paws-fail) 11
Slowpath security checks failed (sp-security-failed) 959
Expired flow (flow-expired) 20
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 136
DNS Inspect id not matched (inspect-dns-id-not-matched) 3280
IPS Module requested drop (ips-request) 23
FP L2 rule drop (l2_acl) 271555
Interface is down (interface-down) 382
Dropped pending packets in a closed socket (np-socket-closed) 106
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 34142
Received a multicast packet in the non-active device (mcast-in-nonactive-device) 167

Last clearing: Never

Flow drop:
Flow terminated by IPS (ips-request) 2
Inspection failure (inspect-fail) 336
SSL handshake failed (ssl-handshake-failed) 1

Last clearing: Never

--------------------------------------

# sh int gig0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.170b, MTU 1500
IP address 199.x.x.202, subnet mask 255.255.255.248
598178974 packets input, 118399863686 bytes, 0 no buffer
Received 2185 broadcasts, 0 runts, 0 giants
1474192 input errors, 0 CRC, 0 frame, 1474192 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
591417100 packets output, 82812234733 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (234/168)
Traffic Statistics for "outside":
598178890 packets input, 107605901731 bytes
591417100 packets output, 72125301733 bytes
567431045 packets dropped
1 minute input rate 7972 pkts/sec, 1151620 bytes/sec
1 minute output rate 7983 pkts/sec, 995376 bytes/sec
1 minute drop rate, 7763 pkts/sec
5 minute input rate 8092 pkts/sec, 1263597 bytes/sec
5 minute output rate 8101 pkts/sec, 1003485 bytes/sec
5 minute drop rate, 7801 pkts/sec

Re: asa 5520 has a high cpu utilization ip spoofing

Rob Ingram — Wed, 12 Jun 2019 17:57:24 GMT

Hi,
Run "clear asp drop" to reset the counts, wait a couple of minutes and then re-run "show asp drop", upload the output for review.

Also run a capture "capture asp-drop type asp-drop all" and then uplaod the output of "show capture asp-drop"

What logging levels do you have configured? Run "show run logging" or "show logging"

Re: asa 5520 has a high cpu utilization ip spoofing

jdumorne03 — Wed, 12 Jun 2019 18:32:53 GMT

Hello RJI,

Thanks for reaching out I did perform "clear asp drop" here is the output after the clear asp drop:

Frame drop:
Invalid encapsulation (invalid-encap) 4
No route to host (no-route) 2
Flow is denied by configured rule (acl-drop) 189268
First TCP packet not SYN (tcp-not-syn) 3
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 11
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 70
Slowpath security checks failed (sp-security-failed) 1
FP L2 rule drop (l2_acl) 95
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 23

Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15

Flow drop:

Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15

------------------------------------------------

# sh run logging
logging enable
logging standby
logging trap informational
logging history informational
logging asdm informational
logging queue 4096
logging host management 172.x.x.253
logging host outside 172.x.x.50
no logging message 110003

---------------------------

# sh capture asp-drop

0 packet captured

0 packet shown

Re: asa 5520 has a high cpu utilization ip spoofing

Rob Ingram — Wed, 12 Jun 2019 19:19:42 GMT

You have a lot of drops "Flow is denied by configured rule (acl-drop) 189268" this would be traffic denied in an ACL - possibly an attack. The logger process has high CPU utilisation, which could be explained if you are logging each deny. Potentially rate-limit logging until the attack stops.

199.x.x.202 is your outside interface IP address? What is the destination address?

You've edited the screenshot, does it not display the src/dst ports?

Can you run a packet capture from src to destination and upload the pcap.