Beginner

Cisco ASA 5520 CPU Usage is ranging 87%- 93%

What is the command?

When I entered show logging, this is the result:

INTFW(config)# show logging

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: disabled

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2153425037 messages logged

I think this is not the one you are asking for.

Cisco Employee

I see you have ASDM; you can go to Monitoring ---> Logging and grab the logs from there, or do logging buffered 6 and then show log.

Mike

Beginner

Oh yes we are, and I don't even know how to use it yet.

Here is the result; I just did it on the CLI instead.

INTFW(config)# show log

Syslog logging: enabled

    Facility: 16

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level informational, 189920 messages logged

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2163529896 messages logged

12.84/3306)

<134>:%ASA-session-6-302013: Built outboection 3204397854 for outside:156.99.135.115/445 (156.99.135.115/445) to inside:x.x.211.122/4070 (x.x.211.122/4070)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397855 for outside:48.29.51.119/445 (48.29.51.119/445) to inside:x.x.212.168/4095 (x.x.212.168/4095)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397856 for outside:153.29.17.47/445 (153.29.17.47/445) to inside:x.x.215.62/4600 (x.x.215.62/4600)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397857 for outside:93.96.181.119/445 (93.96.181.119/445) to inside:x.x.216.128/4724 (x.x.216.128/4724)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204397858 for outside:142.117.190.105/445 (142.117.190.105/445) to inside:x.x.211.153/4731 (12.230.211.15session-6-302014: Teardown TCP connection 3204241463 for outside:148.18.251.18/42014: Teardown TCP connection 3204241489 for outside:152.34.30.80/445 to inside:x.x.212.234/3528 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204241490 fort

<134>:%ASA-session-6-302014: Teardown TCP connection 3204242978 for outside:133.97.126.73/445 to inside:x.x.211.137/3009 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Tear12.93/3984)

nection 3204242979 for outside:184.32.145.19/445 to inside:x.x.212 for outside:172.99.172.115/445 (172.99.172.115/445) to inside:x.x.218.192/3260 (x.x.218.192/3260)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204399383 for outside:94.122.223.124/445 (94.122.223.124/445) to inside:x.x.216.127/4647 (x.x.216.127/4647)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204399384 for outside:76.58.162.61/445 (76.58.162.61/445) to inside:x.x.212.93/3985 (x.x.212.93/3985)

<134>:%ASA-see:12.230.212.241/1908 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-62 for outside:63.68.184.29/445 (63.68.184.29/445) to inside:x.x.215.87/1840 outbound UDP connection 3204405586 for outside:168.126.63.1/53 (168.126.63.1/53) to inside:x.x.217.211/4038 (x.x.217.211/4038)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204405611 for outside:136.102.38.80/445 (136.1012.230.211.180/1197)

<134>:%ASA-session-6-302013: Built outbound TCP connection 2848 duration 0:00:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown 0:30 bytes 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 32 0 SYN Timeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204249238 fside:x.x.211.180/1199 (x.x.211.180/1199)

<134>:%ASA-session-6-302013: Builimeout

<134>:%ASA-session-6-302014: Teardown TCP connection 3204249288 for outsi:%ASA-session-6-302014: Teardown TCP connection 3204249314 for outside:42.29.214sion-6-302014: Teardown TCP connection 3204249340 for outside:181.20.123.79/445  to inside:x.x.211.160/1261 (x.x.211.160/1261)

<134>:%ASA-session-6-302013nection 3204405719 for outside:159.113.13.89/445 (159.113.13.89/445) to inside:10.211.20/4022)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204402014: Teardown TCP connection 3204249371 for outside:80.49.124.112/445 to inside TCP connection 3204249397 for outside:45.93.39.15/445 to inside:x.x.215.48/3n 3204249423/445) to inside:x.x.216.91/2482 (x.x.216.91/2482)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408253 for outside:152.54.105.115/445 (152.54.105.115/445) to inside:x.x.211.150/3239 (x.x.211.150/3239)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408254 for outside:64.95.156.117/445 (64.95.156.117/445) to inside:x.x.218.225/4888 (x.x.218.225/4888)

<134>:%ASA-session-6-302013: Built outbound TCP connection 3204408255 for outside:59.51.64.61/445 (59.51.64.61/445) to inside:x.x.211.150/3240 (x.x.211.150/3240)

INTFW(config)# ion-6-302013: Built outbound TCP connection 3204408256 for outside:105.52.141.20/445 (1

Thanks,

Mark

Cisco Employee

Mark,

Do you know the following addresses?

152.54.105.115

64.95.156.117

59.51.64.61

What I am seeing so far is just a lot of TCP connections that are not that normal, and most of them end up on SYN timeout. Can you tell me if outbound TCP traffic (445) for file sharing (not FTP, FTP goes over 21) is normal? We can set some policies on the firewall to limit the amount of outbound embryonic connections.

Let me know.


Mike
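
The pattern pointed out in the reply above (inside hosts opening outbound TCP/445 connections to many unrelated outside addresses, torn down after 30 seconds with zero bytes and SYN Timeout) can be counted per inside host to decide which machines to inspect first. The Python script below is an added example, not part of the original thread; the sample log lines, all addresses, and the thresholds in `suspects` are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the buffer output above; every address
# and connection id is a placeholder (RFC 5737 / RFC 1918), not from the thread.
SAMPLE_LOG = """\
<134>:%ASA-session-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/445 (192.0.2.10/445) to inside:10.0.211.122/4070 (10.0.211.122/4070)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/445 (198.51.100.7/445) to inside:10.0.211.122/4071 (10.0.211.122/4071)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.99/445 (203.0.113.99/445) to inside:10.0.211.122/4072 (10.0.211.122/4072)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1004 for outside:192.0.2.80/443 (192.0.2.80/443) to inside:10.0.212.93/3985 (10.0.212.93/3985)
<134>:%ASA-session-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.5/445 (203.0.113.5/445) to inside:10.0.215.62/4600 (10.0.215.62/4600)
<134>:%ASA-session-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/445 to inside:10.0.211.122/4070 duration 0:00:30 bytes 0 SYN Timeout
<134>:%ASA-session-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/445 to inside:10.0.211.122/4071 duration 0:00:30 bytes 0 SYN Timeout
<134>:%ASA-session-6-302014: Teardown TCP connection 1004 for outside:192.0.2.80/443 to inside:10.0.212.93/3985 duration 0:00:12 bytes 5120 TCP FINs
<134>:%ASA-session-6-302014: Teardown TCP connection 1006 for outside:203.0.113.5/445 to inside:10.0.215.62/4600 duration 0:01:02 bytes 8000 TCP FINs
<134>:%ASA-session-6-302014: Teardown TCP connection 10 0 SYN Timeout
<134>:%ASA-session-6-302013: Built outbound TCP connection 1005 for outside:192.0.2.14/445 (192.0
"""

ADDR = r"[^:\s]+:(?P<{}>[^/\s]+)/(?P<{}>\d+)"  # ifname:address/port
BUILT = re.compile(r"-302013: Built outbound TCP connection \d+ for "
                   + ADDR.format("dst", "dport") + r" \([^)]*\) to " + ADDR.format("host", "hport"))
TEARDOWN = re.compile(r"-302014: Teardown TCP connection \d+ for "
                      + ADDR.format("dst", "dport") + " to " + ADDR.format("host", "hport")
                      + r" duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$")

def summarize(log_text, port=445):
    """Per inside host: distinct outside peers on `port` and zero-byte SYN timeouts."""
    stats = defaultdict(lambda: {"dests": set(), "syn_timeouts": 0})
    for line in log_text.splitlines():
        built, torn = BUILT.search(line), TEARDOWN.search(line)  # truncated lines match neither
        if built and int(built["dport"]) == port:
            stats[built["host"]]["dests"].add(built["dst"])
        elif torn and int(torn["dport"]) == port:
            if torn["reason"].strip() == "SYN Timeout" and torn["bytes"] == "0":
                stats[torn["host"]]["syn_timeouts"] += 1
    return stats

def suspects(stats, min_dests=3, min_syn_timeouts=2):
    """Hosts with many distinct peers and unanswered SYNs (thresholds are assumptions)."""
    hits = [(h, len(s["dests"]), s["syn_timeouts"]) for h, s in stats.items()
            if len(s["dests"]) >= min_dests and s["syn_timeouts"] >= min_syn_timeouts]
    return sorted(hits, key=lambda t: (-t[1], -t[2], t[0]))

if __name__ == "__main__":
    for host, dests, timeouts in suspects(summarize(SAMPLE_LOG)):
        print(f"{host}: {dests} distinct tcp/445 peers, {timeouts} SYN timeouts")
```

Lines cut off or merged in the terminal capture, like several in the output posted above, are skipped rather than guessed at, so the counts are a lower bound.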
Beginner

I don't know those addresses; they're from outside. The first 2 IPs are from the US & the last one came from China, I think. Can you help me set up policies?

Thanks,

Mark

Cisco Employee

Uhm, sure, why not.

First, if no 445 traffic should be going out, block that traffic outbound. Second, we can go ahead and set the policy for half-open sessions on that specific port.

Here,

access-list MPF permit tcp any any eq 445
class-map MPF
  match access-list MPF
policy-map global_policy
  class MPF
    set connection per-client-embryonic-max 10

If no TCP 445 traffic should be going outbound, do the following:

access-list inside deny tcp any any eq 445
access-list inside permit ip any any
access-group inside in interface inside

Mike

Beginner

I sent the access-list of our ASA in a private message to you before I execute this. Is it safe to do this? Will it not affect production?

Beginner

It can't be done. I entered the commands, and after that the CPU usage dropped very fast. I didn't realize that all the distribution and access switches lost their connections. I removed the commands; now our internet connection fluctuates and the CPU usage of this ASA is now 99%. I don't know what to do with this.

Enthusiast

Check which IP does more traffic:

#sh local-host | i host|count|maximum

and afterwards check that IP in detail, for example:

#sh local-host 10.10.10.10 all detail connection

Enthusiast

Do you have an IPS module?

Class-map: global-class

       IPS: card status Unresponsive, mode inline fail-open, sensor vs0

         packet input 197451550328, packet output 197459152624, drop 3901726, reset-drop 395164

#sh module

Enthusiast

Check the resource usage with:

#show resource usage

Cisco Employee

So, we know there that it is in fact the traffic hitting the inside interface. Now, I saw something really alarming on one of the access lists that is there, and I think that is when the internet connection issue came in. Did you use the commands I gave you, or did you use ASDM?

A policy needs to be set while you troubleshoot the inside network to mitigate the impact on the ASA.

Let me know when you have time.

Mike

Beginner

Hey Mike,

Sorry for the late reply. We were so busy because of that CPU usage issue. Well, we found out that it was actually a virus that made our CPU usage very high. After scanning some PCs on our machine in production, CPU usage suddenly dropped to less than 20%. It was weird, but I'll let you know the details after we figure out how to totally eliminate the worm. Thanks for your help & good luck on your CCIE exam.

Mark

Beginner


Roberto,

Thanks for the post & sorry I wasn't able to reply. It seems we are on the right track now, but if ever there's an issue again, I'll let you know as well.

Thanks again,

Mark