Beginner

High CPU Usage 2 Firepower (2110 and 2140)

Hi,

I have a really strange problem with a Cisco Firepower 2110 and a Firepower 2140:

FP 2110 is just configured as classic ASA-VPN-Appliance

FP 2140 is just configured as classic ASA-Firewall-System (with about 15 Subnets, 1200 endpoints)

 

The FP 2140 as firewall works well with a load between 2-5 %.

When I connect the FP 2110 via a Layer 3 interface with a small subnet (netmask 255.255.255.240), the CPU load goes up on both machines, even though the ASA-VPN-Appliance isn't productive yet!

When I connect the VPN-Appliance (2110) to my 6500 Core-Router (same netmask) everything is fine with the cpu-load.

Really magic; until now I haven't found anything at Cisco or got an answer from Cisco.

Is there anyone with the same problem?

 

regards

Elmar

Cisco Employee

Re: High CPU Usage 2 Firepower (2110 and 2140)

It is hard to say what could be causing your issue from the information that you provided here. It could be a routing loop, software defect, etc. Have you opened a support case with TAC?

Thank you for rating helpful posts!

Beginner

Re: High CPU Usage 2 Firepower (2110 and 2140)

Hi,

I was off work for a week.

I think it is not a routing loop, because it is really simple.

I also contacted the TAC, but they haven't delivered a solution for that problem (with the necessary information - show tech-support etc.).

 

Regards

Elmar

 

Beginner

Re: High CPU Usage 2 Firepower (2110 and 2140)

We had a 99% and spontaneous reboots issue, solved by TAC today. We removed the command to permit traffic flow between same security level interfaces:

   no same-security-traffic permit intra-interface

 

Our management1/1 and inside interfaces were both security level 100 and unnecessary traffic was flowing between them.

 

Additionally, we had found the day before that our queues were filling up with NETBIOS traffic, so we removed that inspection from the default policy-map.

 

Andy
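
An added example, not part of the post above or of any Cisco tooling: a small Python audit of a saved ASA running-config for the two items Andy describes, namely `same-security-traffic permit` combined with interfaces that share a security level, and NetBIOS inspection in a policy-map. The sample configuration and the function name `audit_asa_config` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
!
interface Ethernet1/2
 nameif inside
 security-level 100
!
interface Management1/1
 management-only
 nameif management
 security-level 100
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect netbios
"""

def audit_asa_config(text):
    """Return (same-security modes, {level: [nameifs]} for shared levels, inspections)."""
    levels = defaultdict(list)
    modes, inspections = [], []
    nameif, in_policy_map = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any sub-mode
            nameif, in_policy_map = None, line.startswith("policy-map ")
        if m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            levels[int(m.group(1))].append(nameif)
        elif m := re.fullmatch(r"same-security-traffic permit (\S+)", line):
            modes.append(m.group(1))
        elif in_policy_map and (m := re.match(r"inspect (\S+)", line)):
            inspections.append(m.group(1))
    shared = {lvl: names for lvl, names in levels.items() if len(names) > 1}
    return modes, shared, inspections

if __name__ == "__main__":
    print(audit_asa_config(SAMPLE_CONFIG))
```

A non-empty `shared` result together with a `same-security-traffic permit` mode marks the interface pairs worth reviewing; `"netbios" in inspections` shows whether that inspection is still enabled.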

 
