02-13-2017 11:08 PM - edited 03-12-2019 01:55 AM
We are facing high CPU utilisation on our ASA 5510 firewall.
We have checked show process cpu-usage and found that the Dispatch Unit process is utilising 74% CPU.
We have checked the service-policy and found the icmp and esmtp inspections receiving more packets.
We tried removing them from inspect mode and checked the CPU utilisation again, but it is still high.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 7.0(2)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# sh processes cpu-usage sorted | ex 0.0
   PC       Thread      5Sec     1Min     5Min   Process
081bec8f   a79afb50    72.1%    71.5%    72.1%   Dispatch Unit
08caac75   a79a92f8    20.8%    20.8%    20.5%   Logger
08cc18fb   a79a98e0     2.3%     2.3%     2.3%   Unicorn Admin Handler
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 4617988, drop 22, reset-drop 0
Inspect: ftp, packet 215364, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 62, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 25305614, drop 15, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 12, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 1537902, drop 628, reset-drop 0
Inspect: icmp error, packet 34897, drop 0, reset-drop 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# sh asp drop
Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 5
Invalid UDP Length (invalid-udp-length) 6
No valid adjacency (no-adjacency) 3025
No route to host (no-route) 1239
Reverse-path verify failed (rpf-violated) 74
Flow is denied by configured rule (acl-drop) 37695646
NAT-T keepalive message (natt-keepalive) 2721
First TCP packet not SYN (tcp-not-syn) 2055996
Bad TCP flags (bad-tcp-flags) 4
TCP failed 3 way handshake (tcp-3whs-failed) 269752
TCP RST/FIN out of order (tcp-rstfin-ooo) 367407
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 37391
TCP packet SEQ past window (tcp-seq-past-win) 669
TCP invalid ACK (tcp-invalid-ack) 497
TCP replicated flow pak drop (tcp-fo-drop) 9838
TCP Out-of-Order packet buffer full (tcp-buffer-full) 3689
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 9557
TCP RST/SYN in window (tcp-rst-syn-in-win) 3220
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 2202302
TCP packet failed PAWS test (tcp-paws-fail) 2121
IPSEC tunnel is down (ipsec-tun-down) 12
Slowpath security checks failed (sp-security-failed) 17515
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 672
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 2
DNS Inspect id not matched (inspect-dns-id-not-matched) 23
FP L2 rule drop (l2_acl) 105296
Interface is down (interface-down) 237
Packet shunned (shunned) 203428543
Dropped pending packets in a closed socket (np-socket-closed) 1858
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 624
Inspection failure (inspect-fail) 160306
SSL handshake failed (ssl-handshake-failed) 5
IPSec inner policy mismatch failure (ipsec-selector-failure) 10858
Last clearing: Never
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 294/s 367/s
TCP Conns 246/s 304/s
UDP Conns 29/s 49/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 8/s 10/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 99.00%
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# show interface
Interface Ethernet0/0 "OUTSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address e8b7.4878.25c0, MTU 1500
IP address x.x.x.x, subnet mask 255.255.255.0
40834864 packets input, 9411329012 bytes, 0 no buffer
Received 3919 broadcasts, 0 runts, 0 giants
966524 input errors, 0 CRC, 0 frame, 966524 overrun, 0 ignored, 0 abort
0 L2 decode drops
23808997 packets output, 8124509357 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 3 interface resets
0 late collisions, 0 deferred
1 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (251/34)
Traffic Statistics for "OUTSIDE":
40834856 packets input, 8652951215 bytes
23808997 packets output, 7682788874 bytes
16179759 packets dropped
1 minute input rate 10178 pkts/sec, 2172265 bytes/sec
1 minute output rate 5190 pkts/sec, 1569916 bytes/sec
1 minute drop rate, 4486 pkts/sec
5 minute input rate 11077 pkts/sec, 2098646 bytes/sec
5 minute output rate 6267 pkts/sec, 1740486 bytes/sec
5 minute drop rate, 4518 pkts/sec
Interface Ethernet0/1 "INSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address e8b7.4878.25c1, MTU 1500
IP address 10.0.70.4, subnet mask 255.255.0.0
26733860 packets input, 8568129669 bytes, 0 no buffer
Received 31238 broadcasts, 0 runts, 0 giants
79278 input errors, 0 CRC, 0 frame, 79278 overrun, 0 ignored, 0 abort
0 L2 decode drops
46461301 packets output, 12512734717 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 3 interface resets
0 late collisions, 0 deferred
22 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (247/45)
Traffic Statistics for "INSIDE":
26733614 packets input, 8073156790 bytes
46461301 packets output, 11653219291 bytes
2216971 packets dropped
1 minute input rate 5389 pkts/sec, 1641950 bytes/sec
1 minute output rate 10858 pkts/sec, 2907833 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 6464 pkts/sec, 1817950 bytes/sec
5 minute output rate 11749 pkts/sec, 2850424 bytes/sec
5 minute drop rate, 6 pkts/sec
Interface Ethernet0/2 "MPLS", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: ## MPLS connectivitys ##
MAC address e8b7.4878.25c2, MTU 1500
IP address 192.168.10.1, subnet mask 255.255.255.248
389628 packets input, 145739314 bytes, 0 no buffer
Received 5 broadcasts, 0 runts, 0 giants
77 input errors, 0 CRC, 0 frame, 77 overrun, 0 ignored, 0 abort
0 L2 decode drops
327715 packets output, 262364407 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 3 interface resets
0 late collisions, 0 deferred
1 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/68)
Traffic Statistics for "MPLS":
389624 packets input, 137623642 bytes
327715 packets output, 255889949 bytes
16042 packets dropped
1 minute input rate 101 pkts/sec, 35767 bytes/sec
1 minute output rate 89 pkts/sec, 72241 bytes/sec
1 minute drop rate, 4 pkts/sec
5 minute input rate 108 pkts/sec, 37265 bytes/sec
5 minute output rate 91 pkts/sec, 72921 bytes/sec
5 minute drop rate, 4 pkts/sec
Interface Ethernet0/3 "FAILOVER", is up, line protocol is up
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Description: LAN/STATE Failover Interface
MAC address e8b7.4878.25c3, MTU 1500
IP address 3.3.3.1, subnet mask 255.255.255.0
600923 packets input, 700991656 bytes, 0 no buffer
Received 24 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1253866 packets output, 1469566380 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 4 interface resets
0 late collisions, 0 deferred
2 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/35)
Traffic Statistics for "FAILOVER":
600584 packets input, 678271928 bytes
1253504 packets output, 1446977286 bytes
0 packets dropped
1 minute input rate 1 pkts/sec, 122 bytes/sec
1 minute output rate 249 pkts/sec, 290397 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 7 pkts/sec, 376 bytes/sec
5 minute output rate 155 pkts/sec, 176644 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Management0/0 "management", is administratively down, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address e8b7.4878.25c4, MTU 1500
IP address unassigned
395 packets input, 736 bytes, 0 no buffer
Received 12 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/1) software (12/12)
output queue (curr/max packets): hardware (1/0) software (0/0)
Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASA# show traffic
OUTSIDE:
received (in 5353.520 secs):
40907524 packets 8667748111 bytes
7641 pkts/sec 1619074 bytes/sec
transmitted (in 5353.520 secs):
23848306 packets 7698307338 bytes
4454 pkts/sec 1437187 bytes/sec
1 minute input rate 10178 pkts/sec, 2172265 bytes/sec
1 minute output rate 5190 pkts/sec, 1569916 bytes/sec
1 minute drop rate, 4486 pkts/sec
5 minute input rate 11077 pkts/sec, 2098646 bytes/sec
5 minute output rate 6267 pkts/sec, 1740486 bytes/sec
5 minute drop rate, 4518 pkts/sec
INSIDE:
received (in 5353.540 secs):
26773103 packets 8088565655 bytes
5001 pkts/sec 1510079 bytes/sec
transmitted (in 5353.540 secs):
46537002 packets 11672657601 bytes
8692 pkts/sec 2180362 bytes/sec
1 minute input rate 5389 pkts/sec, 1641950 bytes/sec
1 minute output rate 10858 pkts/sec, 2907833 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 6464 pkts/sec, 1817950 bytes/sec
5 minute output rate 11749 pkts/sec, 2850424 bytes/sec
5 minute drop rate, 6 pkts/sec
MPLS:
received (in 5353.570 secs):
389782 packets 137674953 bytes
72 pkts/sec 25716 bytes/sec
transmitted (in 5353.570 secs):
327821 packets 255937987 bytes
61 pkts/sec 47004 bytes/sec
1 minute input rate 101 pkts/sec, 35767 bytes/sec
1 minute output rate 89 pkts/sec, 72241 bytes/sec
1 minute drop rate, 4 pkts/sec
5 minute input rate 108 pkts/sec, 37265 bytes/sec
5 minute output rate 91 pkts/sec, 72921 bytes/sec
5 minute drop rate, 4 pkts/sec
management:
received (in 5353.620 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 5353.620 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
FAILOVER:
received (in 5350.280 secs):
600594 packets 678272644 bytes
112 pkts/sec 126773 bytes/sec
transmitted (in 5350.280 secs):
1254675 packets 1448320336 bytes
234 pkts/sec 270699 bytes/sec
1 minute input rate 1 pkts/sec, 122 bytes/sec
1 minute output rate 249 pkts/sec, 290397 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 7 pkts/sec, 376 bytes/sec
5 minute output rate 155 pkts/sec, 176644 bytes/sec
5 minute drop rate, 0 pkts/sec
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
received (in 5388.980 secs):
40910276 packets 9428308016 bytes
7591 pkts/sec 1749553 bytes/sec
transmitted (in 5388.980 secs):
23849898 packets 8141383925 bytes
4425 pkts/sec 1510746 bytes/sec
1 minute input rate 10182 pkts/sec, 2361681 bytes/sec
1 minute output rate 5192 pkts/sec, 1666652 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 11077 pkts/sec, 2305469 bytes/sec
5 minute output rate 6267 pkts/sec, 1856752 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 5389.020 secs):
26774932 packets 8584886653 bytes
4171 pkts/sec 1593032 bytes/sec
transmitted (in 5389.020 secs):
46539906 packets 12534551440 bytes
8636 pkts/sec 2325145 bytes/sec
1 minute input rate 5391 pkts/sec, 1742676 bytes/sec
1 minute output rate 10862 pkts/sec, 3109700 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 6464 pkts/sec, 1938220 bytes/sec
5 minute output rate 11750 pkts/sec, 3069699 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 5389.060 secs):
389788 packets 145794041 bytes
72 pkts/sec 27053 bytes/sec
transmitted (in 5389.060 secs):
327822 packets 262414864 bytes
60 pkts/sec 48693 bytes/sec
1 minute input rate 101 pkts/sec, 37761 bytes/sec
1 minute output rate 89 pkts/sec, 74325 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 108 pkts/sec, 39538 bytes/sec
5 minute output rate 91 pkts/sec, 74715 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 5389.110 secs):
600933 packets 700992552 bytes
111 pkts/sec 130075 bytes/sec
transmitted (in 5389.110 secs):
1255065 packets 1470962712 bytes
232 pkts/sec 272153 bytes/sec
1 minute input rate 1 pkts/sec, 151 bytes/sec
1 minute output rate 249 pkts/sec, 294899 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 7 pkts/sec, 583 bytes/sec
5 minute output rate 155 pkts/sec, 179345 bytes/sec
5 minute drop rate, 0 pkts/sec
Management0/0:
received (in 5389.150 secs):
395 packets 736 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 5389.150 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
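The diagnostics above, ranked programmatically. This is an added example and not code from the original post: it parses the show asp drop and show interface outputs pasted above, reports each ASP drop reason's share of all drops, and computes each interface's drop ratio (packets dropped / packets input in the Traffic Statistics section) and NIC overrun count. The sample strings are excerpts of the post's own output; the regular expressions assume the 8.x output layout shown here and nothing else.

```python
"""Triage helper for ASA 'show asp drop' and 'show interface' output.

Added example, not code from the original post. Parses pasted CLI text,
ranks ASP drop reasons by share of all drops, and computes per-interface
drop ratios and NIC overrun counts so the dominant cause stands out.
"""
import re

# Excerpts of the outputs pasted in the post above (not a full capture).
ASP_DROP_SAMPLE = """\
Frame drop:
Flow is denied by configured rule (acl-drop) 37695646
First TCP packet not SYN (tcp-not-syn) 2055996
TCP failed 3 way handshake (tcp-3whs-failed) 269752
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 2202302
Packet shunned (shunned) 203428543
Last clearing: Never
Flow drop:
Inspection failure (inspect-fail) 160306
Last clearing: Never
"""

SHOW_INTERFACE_SAMPLE = """\
Interface Ethernet0/0 "OUTSIDE", is up, line protocol is up
966524 input errors, 0 CRC, 0 frame, 966524 overrun, 0 ignored, 0 abort
Traffic Statistics for "OUTSIDE":
40834856 packets input, 8652951215 bytes
23808997 packets output, 7682788874 bytes
16179759 packets dropped
1 minute drop rate, 4486 pkts/sec
Interface Ethernet0/1 "INSIDE", is up, line protocol is up
79278 input errors, 0 CRC, 0 frame, 79278 overrun, 0 ignored, 0 abort
Traffic Statistics for "INSIDE":
26733614 packets input, 8073156790 bytes
46461301 packets output, 11653219291 bytes
2216971 packets dropped
1 minute drop rate, 6 pkts/sec
"""

# "<description> (<reason-tag>) <count>" lines from 'show asp drop'
ASP_LINE = re.compile(r"^\s*(?P<desc>[^()]+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")
# Interface header, hardware-level overrun counter, and the Traffic Statistics lines.
IFACE_LINE = re.compile(r'^Interface \S+ "(?P<name>[^"]+)", is (?P<state>[^,]+),')
OVERRUN_LINE = re.compile(r"^\s*\d+ input errors,.*?(\d+) overrun")
PKTS_IN_LINE = re.compile(r"^\s*(\d+) packets input, \d+ bytes$")   # '$' skips the hw line
DROPPED_LINE = re.compile(r"^\s*(\d+) packets dropped$")
DROP_RATE_LINE = re.compile(r"^\s*1 minute drop rate, (\d+) pkts/sec$")


def parse_asp_drop(text):
    """Return {reason_tag: count} for every counter line, frame and flow drops alike."""
    counters = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def top_drop_reasons(counters, n=3):
    """Top-n (reason, count, percent_of_all_drops), largest first."""
    total = sum(counters.values())
    if total == 0:
        return []
    ranked = sorted(counters.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(r, c, round(100.0 * c / total, 1)) for r, c in ranked]


def parse_interfaces(text):
    """Return {name: {state, overruns, packets_input, packets_dropped, drop_rate_1m}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            cur = ifaces.setdefault(m.group("name"), {"state": m.group("state")})
            continue
        if cur is None:
            continue
        for key, rx in (("overruns", OVERRUN_LINE), ("packets_input", PKTS_IN_LINE),
                        ("packets_dropped", DROPPED_LINE), ("drop_rate_1m", DROP_RATE_LINE)):
            m = rx.match(line)
            if m:
                cur[key] = int(m.group(1))
    return ifaces


def interface_findings(ifaces, drop_pct_threshold=5.0):
    """Per interface: (name, drop_pct, overruns, notes), worst drop ratio first."""
    findings = []
    for name, st in ifaces.items():
        pin, dropped = st.get("packets_input", 0), st.get("packets_dropped", 0)
        pct = round(100.0 * dropped / pin, 1) if pin else 0.0
        notes = []
        if pct >= drop_pct_threshold:
            notes.append("drops %.1f%% of input packets" % pct)
        if st.get("overruns", 0):
            notes.append("%d NIC input overruns" % st["overruns"])
        findings.append((name, pct, st.get("overruns", 0), notes))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for reason, count, pct in top_drop_reasons(parse_asp_drop(ASP_DROP_SAMPLE)):
        print("%-20s %12d  %5.1f%%" % (reason, count, pct))
    for name, pct, overruns, notes in interface_findings(parse_interfaces(SHOW_INTERFACE_SAMPLE)):
        print("%-10s drop %5.1f%%  overruns %8d  %s" % (name, pct, overruns, "; ".join(notes)))
```

Run stand-alone it prints the ranking. On the excerpt, the shunned counter accounts for roughly 83% of all ASP drops and acl-drop for most of the rest, OUTSIDE drops about 40% of its input packets, and both the inside and outside NICs report input overruns, which count frames the driver did not pull off the receive ring before it wrapped. None of this names the cause on its own: the counters have never been cleared, so the next step is clear asp drop, a re-sample a minute later to see which reasons are still growing, and show shun to see which hosts the shunned counter refers to.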
02-14-2017 01:37 AM
8.(3)1 is not recommended. It was a major OS redesign and more like a 9.0.0 in actuality.
It has a ton of bugs and known vulnerabilities.
Upgrade to 9.1(6)10 - the latest release for the older hardware - and start looking at it from that basis.