We have seen ( though very intermittently , once in 3-4 months) that interface utilization on the switches in DMZ touches almost 100%. Here is our rough topology:

Netflow collector----firewall---DMZ---edge router

(10.1.1.1)               fw1                 (192.168.1.1)

We are exporting flows on our edge router and the export destination configured is Netfllow collector. What we have seen is when utilization becomes high, then removing/re-adding netflow commands on edge router fixes the problem, but only recently we have found that actually it is a loop in our dmz at that time. edge router sends exports towards netflow collector and firewall sends exports back to edge router. For example, when the problem was happening:

fw1# sh conn | i 10.1.1.1

UDP outside 10.1.1.1:2055 outside 192.168.1.1:59799, idle 0:00:00, bytes 1131313848, flags -

It is odd because 10.1.1.1 (netflow collector) should be reachable via  inside interface and not via outside. I did traceroute from firewall to 10.1.1.1 and I could see that the path is through internal network only. But in the above output, why the firewall was showing 10.1.1.1 on outside interface is a mystery to us.

So I cleared connection on firewall

fw1/hyd.shaw.net# clear conn address 10.1.1.1

1 connection(s) deleted.

And now fw1 showed expected output and DMZ segment interface utilization also became normal.

fw1# sh conn | i 10.1.1.1

UDP outside 192.168.1.1:59799 inside 10.1.1.1:2055, idle 0:00:00, bytes 1119424, flags -

Why is firewall doing this? We were running 8.2(2)16 before and have recently upgraded firewall to 8.4(4.1). This issue has been there in old as well as new firewall versions.

Thanks,

Kashish