asa 5520 has a high cpu utilization ip spoofing

jdumorne03
Level 1

Hello, can anyone provide their assistance in guiding me as to what I can do to resolve this issue, if you have experienced this issue in your career? I'm at a complete loss. I would be grateful. I tried failing over to the second unit, and the same issue took place; I failed back over and still had the same high CPU spike.

My logs are displaying the following; please review the attachment.

# sh cpu detailed

Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 99.0 (0.0 + 99.0) 98.8 (0.0 + 98.8) 99.1 (0.0 + 99.1)

Current control point elapsed versus the maximum control point elapsed for:
5 seconds = 99.0%; 1 minute: 99.8%; 5 minutes: 100.0%


CPU utilization of external processes for:
5 seconds = 0.2%; 1 minute: 0.0%; 5 minutes: 0.0%


Total CPU utilization for:
5 seconds = 99.2%; 1 minute: 98.9%; 5 minutes: 99.1%

------------------------------------------------------------

# sh processes cpu-usage sorted non-zero
PC Thread 5Sec 1Min 5Min Process
0x0915f0f1 0x6edcb07c 52.7% 52.7% 53.2% Logger
0x082a445c 0x6edd4ee4 42.3% 41.2% 41.3% Dispatch Unit
0x090451e4 0x6edbeb8c 3.8% 3.7% 3.7% SNMP Notify Thread
0x0911079d 0x6edbcfb8 0.2% 0.1% 0.1% ssh
0x087cb14e 0x6edc00f4 0.1% 0.1% 0.1% ARP Thread
0x091b4cd9 0x6edbba50 0.0% 0.1% 0.0% snmp
0x098da690 0x6edcce74 0.0% 0.1% 0.0% Checkheaps

----------------------------------------------------------

# sh asp drop

Frame drop:
Invalid encapsulation (invalid-encap) 6125
Invalid TCP Length (invalid-tcp-hdr-length) 19
No valid adjacency (no-adjacency) 1
No route to host (no-route) 8432
Flow is denied by configured rule (acl-drop) 566916559
First TCP packet not SYN (tcp-not-syn) 3624
TCP failed 3 way handshake (tcp-3whs-failed) 26012
TCP RST/FIN out of order (tcp-rstfin-ooo) 26153
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 43
TCP SYNACK on established conn (tcp-synack-ooo) 23
TCP packet SEQ past window (tcp-seq-past-win) 1517
TCP Out-of-Order packet buffer full (tcp-buffer-full) 339663
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 47233
TCP RST/SYN in window (tcp-rst-syn-in-win) 42
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 16653
TCP packet failed PAWS test (tcp-paws-fail) 11
Slowpath security checks failed (sp-security-failed) 959
Expired flow (flow-expired) 20
ICMP Inspect bad icmp code (inspect-icmp-bad-code) 136
DNS Inspect id not matched (inspect-dns-id-not-matched) 3280
IPS Module requested drop (ips-request) 23
FP L2 rule drop (l2_acl) 271555
Interface is down (interface-down) 382
Dropped pending packets in a closed socket (np-socket-closed) 106
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 34142
Received a multicast packet in the non-active device (mcast-in-nonactive-device) 167

Last clearing: Never

Flow drop:
Flow terminated by IPS (ips-request) 2
Inspection failure (inspect-fail) 336
SSL handshake failed (ssl-handshake-failed) 1

Last clearing: Never

--------------------------------------

# sh int gig0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.170b, MTU 1500
IP address 199.x.x.202, subnet mask 255.255.255.248
598178974 packets input, 118399863686 bytes, 0 no buffer
Received 2185 broadcasts, 0 runts, 0 giants
1474192 input errors, 0 CRC, 0 frame, 1474192 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
591417100 packets output, 82812234733 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (234/168)
Traffic Statistics for "outside":
598178890 packets input, 107605901731 bytes
591417100 packets output, 72125301733 bytes
567431045 packets dropped
1 minute input rate 7972 pkts/sec, 1151620 bytes/sec
1 minute output rate 7983 pkts/sec, 995376 bytes/sec
1 minute drop rate, 7763 pkts/sec
5 minute input rate 8092 pkts/sec, 1263597 bytes/sec
5 minute output rate 8101 pkts/sec, 1003485 bytes/sec
5 minute drop rate, 7801 pkts/sec

3 Replies

Hi,
Run "clear asp drop" to reset the counts, wait a couple of minutes and then re-run "show asp drop", upload the output for review.

Also run a capture, "capture asp-drop type asp-drop all", and then upload the output of "show capture asp-drop".

What logging levels do you have configured? Run "show run logging" or "show logging"

Hello RJI,

Thanks for reaching out. I did perform "clear asp drop"; here is the output after the clear asp drop:

Frame drop:
Invalid encapsulation (invalid-encap) 4
No route to host (no-route) 2
Flow is denied by configured rule (acl-drop) 189268
First TCP packet not SYN (tcp-not-syn) 3
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 11
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 70
Slowpath security checks failed (sp-security-failed) 1
FP L2 rule drop (l2_acl) 95
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 23

Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15

Flow drop:

Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15

------------------------------------------------

# sh run logging
logging enable
logging standby
logging trap informational
logging history informational
logging asdm informational
logging queue 4096
logging host management 172.x.x.253
logging host outside 172.x.x.50
no logging message 110003

---------------------------

# sh capture asp-drop

0 packet captured

0 packet shown

You have a lot of drops: "Flow is denied by configured rule (acl-drop) 189268". This would be traffic denied in an ACL, possibly an attack. The logger process has high CPU utilisation, which could be explained if you are logging each deny. Potentially rate-limit logging until the attack stops.

Is 199.x.x.202 your outside interface IP address? What is the destination address?

You've edited the screenshot; does it not display the src/dst ports?

Can you run a packet capture from src to destination and upload the pcap?
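A small check for the clear-then-re-read procedure suggested above, added here as an example and not code from either poster: it parses the post-clear "show asp drop" listing the OP posted, turns each counter into a packets-per-second rate over an assumed interval since "Last clearing" (the real value is the clock delta between that timestamp and the time the show command was run), and ranks the reasons so a single dominant one such as acl-drop stands out. The sample text is the thread's own output embedded as constructed input; the function names are my own.

```python
import re

# Constructed sample input: the post-"clear asp drop" listing the OP posted
# in this thread (blank lines dropped); the counters are taken as-is.
SAMPLE = """Frame drop:
Invalid encapsulation (invalid-encap) 4
No route to host (no-route) 2
Flow is denied by configured rule (acl-drop) 189268
First TCP packet not SYN (tcp-not-syn) 3
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 11
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 70
Slowpath security checks failed (sp-security-failed) 1
FP L2 rule drop (l2_acl) 95
Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool) 23
Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15
Flow drop:
Last clearing: 14:26:28 EDT Jun 12 2019 by enable_15
"""

# One counter line: "<description> (<drop-code>) <count>"
LINE_RE = re.compile(r"^(?P<desc>.+?) \((?P<code>[\w-]+)\) (?P<count>\d+)$")

def parse_asp_drop(text):
    """Return {section: {drop-code: count}} for a 'show asp drop' listing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):  # "Frame drop:" / "Flow drop:" headers
            current = line[:-1]
            sections[current] = {}
        elif current is not None:
            m = LINE_RE.match(line)
            if m:
                sections[current][m["code"]] = int(m["count"])
    return sections

def rank_drops(sections, elapsed_s, min_rate=1.0):
    """Rank reasons by pkts/sec since the clear, keeping those at or above
    min_rate; each row is (section, code, count, rate, share of all drops)."""
    total = sum(sum(c.values()) for c in sections.values()) or 1
    rows = []
    for section, counters in sections.items():
        for code, n in counters.items():
            rate = n / elapsed_s  # elapsed_s is the assumed seconds since clear
            if rate >= min_rate:
                rows.append((section, code, n, round(rate, 1), round(n / total, 4)))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

With the assumed 120 s interval, rank_drops(parse_asp_drop(SAMPLE), elapsed_s=120) returns only the acl-drop row, at roughly 1577 pkts/sec and over 99% of all drops, which is the figure to compare against the interface drop rate and the syslog volume the Logger process is handling.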