topic Re: high CPU on AIP-SSM-20 in Network Security

high CPU on AIP-SSM-20

Leeyoungsoo — Sun, 10 Mar 2019 11:48:58 GMT

Dear Experts!

We have several AIP-SSM-20s on the ASA

and one of the AIP-SSM-20 has seen high

cpu status one hours ago and it still going on.

another AIP-SSM-20 has 2~20% cpu load.

Is this normal status? Do you have same

experience?

I have one more question,where can I find

Ips Manager Express configuraiton manual on the cisco site?

I have not found manual anywhere on the cisco site for the configuration IPS.

I really appreciate for any help.

Regards.

======================================

CPU Statistics

Usage over last 5 seconds = 97

Usage over last minute = 93

Usage over last 5 minutes = 72

Memory Statistics

Memory usage (bytes) = 1026400256

Memory free (bytes) = 1067204608

========================================

Re: high CPU on AIP-SSM-20

andrey.dugin — Mon, 02 Nov 2009 08:15:34 GMT

Check the amount of packets going through IPS. May be there are lot of small packets processed by it and so CPU is high.

IME guide is here: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/imeguide7.html

it is a manual how to configure IPS too.

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Mon, 02 Nov 2009 08:55:46 GMT

Thanks for your reply!

Yes you`re right there are a lot of packets going throutgh IPS.

Is it possible to find on the IME

which ip address to generate packets ?

Thanks again!

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Mon, 02 Nov 2009 08:58:34 GMT

Thanks for your reply!

Yes you`re right there are a lot of packets going throutgh IPS.

Is it possible to find on the IME

which ip address to generate packets ?

Thanks again!

Re: high CPU on AIP-SSM-20

andrey.dugin — Mon, 02 Nov 2009 09:30:09 GMT

Analyze events for time of high CPU utilization and see if there were alarms for some flood, for example, DNS flood, SYN flood etc.

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Tue, 03 Nov 2009 04:57:29 GMT

Dear Andrey!

Thanks for your reply.

I have found a lot attack of TCP SYN HOST

Sweep.

Is it relate with high cpu on the IPS?

Thanks for any help.

Re: high CPU on AIP-SSM-20

andrey.dugin — Tue, 03 Nov 2009 10:12:48 GMT

May be.

If this attack was absent in time of normal CPU load I think that this event may cause it.

You may check it.

Re: high CPU on AIP-SSM-20

bnidacoc — Tue, 03 Nov 2009 19:28:46 GMT

It is difficult to say, I'm not seeing the exact signature.

If it is 3030/0, it is my understanding (from experience and TAC) that it is quite common that a busy host(user)/SMTP server/proxy server fire this alarm.

It is my understanding that 3030/0 is based on the source port of the initial SYN. So an internal host initiates a TCP connection to an internet host, its source TCP port is (for example) 1049. The IPS tracks that. The user powers off their PC at the end of the day. Next day, user powers up the host and TCP source ports begin all over at 1024 (XP, don't know about Vista/7.) The user connects to TCP hosts in the Internet, one of those TCP SYNs is sourced by TCP 1049. 3030/0 fires. My understanding from TAC is that the IPS module remembers this TCP communication as long as the IPS itself hasn't been rebooted. So, one may see a whole lot of 3030/0 alarms.

An SMTP server can make this fire a lot.

Potential resolution options may be; disabling 3030/0 or write and EAF (and try to be specific on the source host(s).

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Wed, 04 Nov 2009 00:51:59 GMT

Thanks for your relpy.

Yes your`r right, that`s Sig.Id is

3030/0.

As your opinion ,Sig.ID 3030/0 is not

cause high cpu on IPS Module?

Re: high CPU on AIP-SSM-20

andrey.dugin — Wed, 04 Nov 2009 12:50:48 GMT

Sig 3030/0 fires when there are 15 destination hosts were seen with 1 src host.

I don't know about your network but usually this signature don't cause high CPU load.

May be if you have 1000 hosts generating sweep it may cause the high CPU load.

In any case you may turn off this signature and then see if it causes high CPU utilization.

Re: high CPU on AIP-SSM-20

bnidacoc — Wed, 04 Nov 2009 14:02:25 GMT

Sorry, my attempt was primarily to point out there is a sig that may fire very often from legitimate authorized hosts. You were discussing a sig firing a lot.

As a test, you could disable 3030/0 temporarily to see if it changes your CPU usage. However, my suspicion is that it may not have much effect. Someone else here may disagree.

A whole lot of signature have been created and enabled by default over the past year. And maybe you are on a version of IPS OS SW which enables the Atomic Engine (I think that is the engine) sigs, maybe there is more CPU cycle consumption with that.

Maybe a TAC case is suitable for your issue.

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Thu, 05 Nov 2009 08:55:23 GMT

First of all thanks for your relpy.

As your opinion,I did disalbe sig no.3030

but it did not effect high cpu situation.

I found strange status on gigabit interface.

There through a lot of traffic.

I attaching gigabit 0/1 interface status.

Do you think that is relate on high cpu

consumption?

Thanks for any helps!

Re: high CPU on AIP-SSM-20

andrey.dugin — Thu, 05 Nov 2009 12:31:47 GMT

Does Gi0/1 subinterfaced to process the traffic and return the clear one to ASA or you use it in promiscuous mode?

Re: high CPU on AIP-SSM-20

Leeyoungsoo — Fri, 06 Nov 2009 01:53:44 GMT

Thanks for your advice.

I did try clear the interface counter but I have not found commands on the AIP-SSM.

Can you tell me how can I clear interface counter?

Thanks for any help

Re: high CPU on AIP-SSM-20

andrey.dugin — Fri, 06 Nov 2009 08:18:08 GMT

# show interfaces clear

it will clear all interfaces counters not specific one.

Re: high CPU on AIP-SSM-20

yeundu — Fri, 06 Nov 2009 08:39:32 GMT

I really appreciate for your help.

Thanks again