05-16-2025 03:29 AM
Hi, I have been having a problem on an ASA 5506-X for a few weeks now.
The ASA is a hub for us with about 10 IPsec tunnels.
Every day at regular times, e.g. 20:00-24:00, we notice that our monitoring system starts sending lots of false positives regarding the monitored devices on the other side of the tunnels.
The first thing we checked was the total traffic on the device, which is around 75 Mbps (unchanged for a long time). According to the data sheet this is OK. Source: https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/datasheet-c78-742475.html
On the other side of the tunnels we have a lot of devices that connect to the controller, or send quite detailed but light logs to our systems. So another thought was whether perhaps the ASA can't handle such a high volume of sessions.
Some information from the machine on the number of sessions:
show xlate count
73 in use, 2399 most used
show conn count
9697 in use, 44623 most used
As for the CPU load, it has almost always stayed at around 80%.
show cpu usage
CPU utilization for 5 seconds = 71%; 1 minute: 72%; 5 minutes: 72%
show memory top-usage
Hardware: ASA5506
Cisco Adaptive Security Appliance Software Version 9.8(4)35
ASLR enabled, text region b7ea047000-b7ee3eef1c
MEMPOOL_MSGLYR pool binsize allocated byte totals:
----- allocated memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
----- Binsize PC top usage -----
Hardware: ASA5506
Cisco Adaptive Security Appliance Software Version 9.8(4)35
ASLR enabled, text region b7ea047000-b7ee3eef1c
MEMPOOL_HEAPCACHE_0 pool binsize allocated byte totals:
----- allocated memory statistics -----
fragment size count total
(bytes) (bytes)
---------------- ---------- --------------
12582912 4 50331648
96 356126 34188096
1048576 24 25165824
65536 254 16646144
4194304 3 12582912
16384 640 10485760
2097152 5 10485760
131072 74 9699328
8388608 1 8388608
1572864 5 7864320
Here is some information regarding the software.
I know that it is EoL hardware and that we have old software.
show inventory
Name: "Chassis", DESCR: "ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC"
PID: ASA5506 , VID: V06 , SN:
Name: "Storage Device 1", DESCR: "ASA 5506-X SSD"
PID: ASA5506-SSD , VID: N/A , SN:
show version
Cisco Adaptive Security Appliance Software Version 9.8(4)35
Firepower Extensible Operating System Version 2.2(2.143)
Device Manager Version 7.8(2)
Some other information:
show asp drop
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 1248
SVC Module does not have a channel for reinjection (mp-svc-no-channel) 9
SVC Module does not have a session (mp-svc-no-session) 52
SVC Module is in flow control (mp-svc-flow-control) 636
VPN reclassify failed (vpn-reclassify-failed) 280
Flow is being freed (flow-being-freed) 908
Invalid TCP Length (invalid-tcp-hdr-length) 3
Invalid UDP Length (invalid-udp-length) 64
No valid adjacency (no-adjacency) 74723
No route to host (no-route) 85
Flow is denied by configured rule (acl-drop) 292114
Invalid SPI (np-sp-invalid-spi) 36872
First TCP packet not SYN (tcp-not-syn) 55504195
TCP failed 3 way handshake (tcp-3whs-failed) 118428
TCP RST/FIN out of order (tcp-rstfin-ooo) 226158
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6824
TCP packet SEQ past window (tcp-seq-past-win) 239849
TCP Out-of-Order packet buffer full (tcp-buffer-full) 206712
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 65304
TCP RST/SYN in window (tcp-rst-syn-in-win) 557
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 74204
Early security checks failed (security-failed) 8
IP option drop (invalid-ip-option) 10
Expired flow (flow-expired) 498
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 125
Interface is down (interface-down) 68755
Packet shunned (shunned) 2709530
Dropped pending packets in a closed socket (np-socket-closed) 1
Dispatch queue tail drops (dispatch-queue-limit) 223
IKE new SA limit exceeded (ike-sa-rate-limit) 2849
Fragment reassembly failed (fragment-reassembly-failed) 705995
Last clearing: 11:57:09 CET May 12 2025 by admin
Flow drop:
Tunnel has been torn down (tunnel-torn-down) 560
Need to start IKE negotiation (need-ike) 6898
VPN handle not found (vpn-handle-not-found) 6
IPsec spoof packet detected (ipsec-spoof-detect) 2
VPN decryption missing (vpn-missing-decrypt) 18
Flow shunned (shunned) 159878
Inspection failure (inspect-fail) 1294
DTLS hello processed and closed (dtls-hello-close) 3
Last clearing: 11:57:09 CET May 12 2025 by admin
show shun statistics
outside=OFF, cnt=0
inside=OFF, cnt=0
TRANSIT=ON, cnt=2789552
Shun x.x.x.x cnt=3146, time=(0:07:28)
Shun x.x.x.x cnt=362, time=(0:15:35)
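Reading a `show asp drop` dump by eye is error-prone, so here is an added example (not part of the thread or of any Cisco tooling) that parses that output, keeps the Frame drop and Flow drop sections apart (the `shunned` code appears in both), ranks the largest counters and turns one of them into an average rate using the "Last clearing" timestamp. The sample text is a subset of the lines from the post above; the observation time used for the rate is the post's own timestamp (05-16-2025 03:29 CET), which is an assumption about when the counters were read.

```python
"""Parse and rank ASA `show asp drop` counters (added example, not Cisco code)."""
import re
from datetime import datetime

# Subset of the `show asp drop` output quoted in the post above.
SAMPLE_ASP_DROP = """\
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 1248
No valid adjacency (no-adjacency) 74723
Flow is denied by configured rule (acl-drop) 292114
Invalid SPI (np-sp-invalid-spi) 36872
First TCP packet not SYN (tcp-not-syn) 55504195
TCP failed 3 way handshake (tcp-3whs-failed) 118428
Packet shunned (shunned) 2709530
IKE new SA limit exceeded (ike-sa-rate-limit) 2849
Fragment reassembly failed (fragment-reassembly-failed) 705995
Last clearing: 11:57:09 CET May 12 2025 by admin
Flow drop:
Tunnel has been torn down (tunnel-torn-down) 560
Need to start IKE negotiation (need-ike) 6898
Flow shunned (shunned) 159878
Last clearing: 11:57:09 CET May 12 2025 by admin
"""

# One counter per line: "<description> (<reason-code>) <count>", as in the post.
DROP_LINE = re.compile(r"^(?P<desc>.+?) \((?P<code>[a-z0-9-]+)\) (?P<count>\d+)$")
# "Last clearing: HH:MM:SS <tz> <Mon> <day> <year> by <user>"; the tz token is ignored.
CLEAR_LINE = re.compile(r"^Last clearing: (?P<ts>\d{2}:\d{2}:\d{2}) \w+ (?P<date>\w+ \d{1,2} \d{4})")


def parse_asp_drop(text):
    """Return ({section: {reason_code: count}}, last_clearing datetime or None)."""
    sections, section, cleared = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):          # "Frame drop:" / "Flow drop:" headers
            section = line[:-1]
            sections[section] = {}
            continue
        m = DROP_LINE.match(line)
        if m and section is not None:
            sections[section][m["code"]] = int(m["count"])
            continue
        m = CLEAR_LINE.match(line)
        if m and cleared is None:           # both sections carry the same timestamp
            cleared = datetime.strptime(f"{m['date']} {m['ts']}", "%b %d %Y %H:%M:%S")
    return sections, cleared


def top_drops(sections, n=5):
    """Flatten all sections and return the n largest (section, code, count) rows."""
    rows = [(sec, code, cnt) for sec, codes in sections.items() for code, cnt in codes.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]


def per_second(count, cleared, observed):
    """Average drops per second between the last counter clearing and the observation."""
    seconds = (observed - cleared).total_seconds()
    if seconds <= 0:
        raise ValueError("observation time must be after the last clearing")
    return count / seconds


if __name__ == "__main__":
    sections, cleared = parse_asp_drop(SAMPLE_ASP_DROP)
    observed = datetime(2025, 5, 16, 3, 29, 0)   # post timestamp (assumed read time)
    for sec, code, cnt in top_drops(sections):
        print(f"{sec:10s} {code:30s} {cnt:>10d}  ~{per_second(cnt, cleared, observed):8.1f}/s")
```

A ranked view like this makes the shape of the problem visible at a glance: `tcp-not-syn` dominates by two orders of magnitude, and the `shunned` frame counter lines up with the `TRANSIT=ON, cnt=2789552` figure from `show shun statistics`. The regexes assume the one-counter-per-line layout shown in the post; other ASA releases that wrap descriptions would need the pattern adjusted.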
06-18-2025 06:26 AM
I had several captures running in the background, and while I don't think that was the reason, after turning them off, performance improved. I feel like it's a coincidence, but maybe someone will find this useful.
05-17-2025 08:44 AM
Does anyone perhaps have an idea where this problem is coming from?