cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
468
Views
0
Helpful
1
Replies

ASA 5510 CPU utlisation HIGH

sgr.bhagat
Level 1
Level 1

We are facing high CPU utilisation on our ASA 5510 firewall.

we have checked the show process cpu-usage and found that Dispatch Unit process is utilising 74% cpu.

we have checked the service-policy and found icmp and esmtp process receving more packets.

we tried removing them from inspect mode and checked the cpu utilisation but still the cpu utilisation is high.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ASA# sh ver
 Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 7.0(2)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ASA# sh processes cpu-usage sorted | ex 0.0
PC         Thread       5Sec     1Min     5Min   Process
081bec8f   a79afb50    72.1%    71.5%    72.1%   Dispatch Unit
08caac75   a79a92f8    20.8%    20.8%    20.5%   Logger
08cc18fb   a79a98e0     2.3%     2.3%     2.3%   Unicorn Admin Handler

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ASA# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4617988, drop 22, reset-drop 0
      Inspect: ftp, packet 215364, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 62, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 25305614, drop 15, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 12, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 1537902, drop 628, reset-drop 0
      Inspect: icmp error, packet 34897, drop 0, reset-drop 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++     

ASA# sh asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                  5
  Invalid UDP Length (invalid-udp-length)                                      6
  No valid adjacency (no-adjacency)                                         3025
  No route to host (no-route)                                               1239
  Reverse-path verify failed (rpf-violated)                                   74
  Flow is denied by configured rule (acl-drop)                          37695646
  NAT-T keepalive message (natt-keepalive)                                  2721
  First TCP packet not SYN (tcp-not-syn)                                 2055996
  Bad TCP flags (bad-tcp-flags)                                                4
  TCP failed 3 way handshake (tcp-3whs-failed)                            269752
  TCP RST/FIN out of order (tcp-rstfin-ooo)                               367407
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                         37391
  TCP packet SEQ past window (tcp-seq-past-win)                              669
  TCP invalid ACK (tcp-invalid-ack)                                          497
  TCP replicated flow pak drop (tcp-fo-drop)                                9838
  TCP Out-of-Order packet buffer full (tcp-buffer-full)                     3689
  TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout)               9557
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                3220
  TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue)             2202302
  TCP packet failed PAWS test (tcp-paws-fail)                               2121
  IPSEC tunnel is down (ipsec-tun-down)                                       12
  Slowpath security checks failed (sp-security-failed)                     17515
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)        672
  ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)                                     2
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     23
  FP L2 rule drop (l2_acl)                                                105296
  Interface is down (interface-down)                                         237
  Packet shunned (shunned)                                             203428543
  Dropped pending packets in a closed socket (np-socket-closed)             1858

Last clearing: Never

Flow drop:
  Need to start IKE negotiation (need-ike)                                   624
  Inspection failure (inspect-fail)                                       160306
  SSL handshake failed (ssl-handshake-failed)                                  5
  IPSec inner policy mismatch failure (ipsec-selector-failure)             10858

Last clearing: Never

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ASA# show perfmon
 
PERFMON STATS:                     Current      Average
Xlates                                0/s          0/s
Connections                         294/s        367/s
TCP Conns                           246/s        304/s
UDP Conns                            29/s         49/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                0/s          0/s
TCP Embryonic Conns Timeout           8/s         10/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             0/s          0/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s
 
VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                       N/A         99.00%

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ASA# show interface
Interface Ethernet0/0 "OUTSIDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address e8b7.4878.25c0, MTU 1500
        IP address x.x.x.x, subnet mask 255.255.255.0
        40834864 packets input, 9411329012 bytes, 0 no buffer
        Received 3919 broadcasts, 0 runts, 0 giants
        966524 input errors, 0 CRC, 0 frame, 966524 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        23808997 packets output, 8124509357 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 3 interface resets
        0 late collisions, 0 deferred
        1 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (251/34)
  Traffic Statistics for "OUTSIDE":
        40834856 packets input, 8652951215 bytes
        23808997 packets output, 7682788874 bytes
        16179759 packets dropped
      1 minute input rate 10178 pkts/sec,  2172265 bytes/sec
      1 minute output rate 5190 pkts/sec,  1569916 bytes/sec
      1 minute drop rate, 4486 pkts/sec
      5 minute input rate 11077 pkts/sec,  2098646 bytes/sec
      5 minute output rate 6267 pkts/sec,  1740486 bytes/sec
      5 minute drop rate, 4518 pkts/sec
Interface Ethernet0/1 "INSIDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address e8b7.4878.25c1, MTU 1500
        IP address 10.0.70.4, subnet mask 255.255.0.0
        26733860 packets input, 8568129669 bytes, 0 no buffer
        Received 31238 broadcasts, 0 runts, 0 giants
        79278 input errors, 0 CRC, 0 frame, 79278 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        46461301 packets output, 12512734717 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 3 interface resets
        0 late collisions, 0 deferred
        22 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (247/45)
  Traffic Statistics for "INSIDE":
        26733614 packets input, 8073156790 bytes
        46461301 packets output, 11653219291 bytes
        2216971 packets dropped
      1 minute input rate 5389 pkts/sec,  1641950 bytes/sec
      1 minute output rate 10858 pkts/sec,  2907833 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 6464 pkts/sec,  1817950 bytes/sec
      5 minute output rate 11749 pkts/sec,  2850424 bytes/sec
      5 minute drop rate, 6 pkts/sec
Interface Ethernet0/2 "MPLS", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: ## MPLS connectivitys ##
        MAC address e8b7.4878.25c2, MTU 1500
        IP address 192.168.10.1, subnet mask 255.255.255.248
        389628 packets input, 145739314 bytes, 0 no buffer
        Received 5 broadcasts, 0 runts, 0 giants
        77 input errors, 0 CRC, 0 frame, 77 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        327715 packets output, 262364407 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 3 interface resets
        0 late collisions, 0 deferred
        1 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/68)
  Traffic Statistics for "MPLS":
        389624 packets input, 137623642 bytes
        327715 packets output, 255889949 bytes
        16042 packets dropped
      1 minute input rate 101 pkts/sec,  35767 bytes/sec
      1 minute output rate 89 pkts/sec,  72241 bytes/sec
      1 minute drop rate, 4 pkts/sec
      5 minute input rate 108 pkts/sec,  37265 bytes/sec
      5 minute output rate 91 pkts/sec,  72921 bytes/sec
      5 minute drop rate, 4 pkts/sec
Interface Ethernet0/3 "FAILOVER", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: LAN/STATE Failover Interface
        MAC address e8b7.4878.25c3, MTU 1500
        IP address 3.3.3.1, subnet mask 255.255.255.0
        600923 packets input, 700991656 bytes, 0 no buffer
        Received 24 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1253866 packets output, 1469566380 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 4 interface resets
        0 late collisions, 0 deferred
        2 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/230)
        output queue (blocks free curr/low): hardware (255/35)
  Traffic Statistics for "FAILOVER":
        600584 packets input, 678271928 bytes
        1253504 packets output, 1446977286 bytes
        0 packets dropped
      1 minute input rate 1 pkts/sec,  122 bytes/sec
      1 minute output rate 249 pkts/sec,  290397 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7 pkts/sec,  376 bytes/sec
      5 minute output rate 155 pkts/sec,  176644 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "management", is administratively down, line protocol is up
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address e8b7.4878.25c4, MTU 1500
        IP address unassigned
        395 packets input, 736 bytes, 0 no buffer
        Received 12 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/1) software (12/12)
        output queue (curr/max packets): hardware (1/0) software (0/0)
  Traffic Statistics for "management":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


ASA# show traffic
OUTSIDE:
        received (in 5353.520 secs):
                40907524 packets        8667748111 bytes
                7641 pkts/sec   1619074 bytes/sec
        transmitted (in 5353.520 secs):
                23848306 packets        7698307338 bytes
                4454 pkts/sec   1437187 bytes/sec
      1 minute input rate 10178 pkts/sec,  2172265 bytes/sec
      1 minute output rate 5190 pkts/sec,  1569916 bytes/sec
      1 minute drop rate, 4486 pkts/sec
      5 minute input rate 11077 pkts/sec,  2098646 bytes/sec
      5 minute output rate 6267 pkts/sec,  1740486 bytes/sec
      5 minute drop rate, 4518 pkts/sec
INSIDE:
        received (in 5353.540 secs):
                26773103 packets        8088565655 bytes
                5001 pkts/sec   1510079 bytes/sec
        transmitted (in 5353.540 secs):
                46537002 packets        11672657601 bytes
                8692 pkts/sec   2180362 bytes/sec
      1 minute input rate 5389 pkts/sec,  1641950 bytes/sec
      1 minute output rate 10858 pkts/sec,  2907833 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 6464 pkts/sec,  1817950 bytes/sec
      5 minute output rate 11749 pkts/sec,  2850424 bytes/sec
      5 minute drop rate, 6 pkts/sec
MPLS:
        received (in 5353.570 secs):
                389782 packets  137674953 bytes
                72 pkts/sec     25716 bytes/sec
        transmitted (in 5353.570 secs):
                327821 packets  255937987 bytes
                61 pkts/sec     47004 bytes/sec
      1 minute input rate 101 pkts/sec,  35767 bytes/sec
      1 minute output rate 89 pkts/sec,  72241 bytes/sec
      1 minute drop rate, 4 pkts/sec
      5 minute input rate 108 pkts/sec,  37265 bytes/sec
      5 minute output rate 91 pkts/sec,  72921 bytes/sec
      5 minute drop rate, 4 pkts/sec
management:
        received (in 5353.620 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 5353.620 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
FAILOVER:
        received (in 5350.280 secs):
                600594 packets  678272644 bytes
                112 pkts/sec    126773 bytes/sec
        transmitted (in 5350.280 secs):
                1254675 packets 1448320336 bytes
                234 pkts/sec    270699 bytes/sec
      1 minute input rate 1 pkts/sec,  122 bytes/sec
      1 minute output rate 249 pkts/sec,  290397 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7 pkts/sec,  376 bytes/sec
      5 minute output rate 155 pkts/sec,  176644 bytes/sec
      5 minute drop rate, 0 pkts/sec
 
----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
        received (in 5388.980 secs):
                40910276 packets        9428308016 bytes
                7591 pkts/sec   1749553 bytes/sec
        transmitted (in 5388.980 secs):
                23849898 packets        8141383925 bytes
                4425 pkts/sec   1510746 bytes/sec
      1 minute input rate 10182 pkts/sec,  2361681 bytes/sec
      1 minute output rate 5192 pkts/sec,  1666652 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 11077 pkts/sec,  2305469 bytes/sec
      5 minute output rate 6267 pkts/sec,  1856752 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/1:
        received (in 5389.020 secs):
                26774932 packets        8584886653 bytes
                4171 pkts/sec   1593032 bytes/sec
        transmitted (in 5389.020 secs):
                46539906 packets        12534551440 bytes
                8636 pkts/sec   2325145 bytes/sec
      1 minute input rate 5391 pkts/sec,  1742676 bytes/sec
      1 minute output rate 10862 pkts/sec,  3109700 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 6464 pkts/sec,  1938220 bytes/sec
      5 minute output rate 11750 pkts/sec,  3069699 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/2:
        received (in 5389.060 secs):
                389788 packets  145794041 bytes
                72 pkts/sec     27053 bytes/sec
        transmitted (in 5389.060 secs):
                327822 packets  262414864 bytes
                60 pkts/sec     48693 bytes/sec
      1 minute input rate 101 pkts/sec,  37761 bytes/sec
      1 minute output rate 89 pkts/sec,  74325 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 108 pkts/sec,  39538 bytes/sec
      5 minute output rate 91 pkts/sec,  74715 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/3:
        received (in 5389.110 secs):
                600933 packets  700992552 bytes
                111 pkts/sec    130075 bytes/sec
        transmitted (in 5389.110 secs):
                1255065 packets 1470962712 bytes
                232 pkts/sec    272153 bytes/sec
      1 minute input rate 1 pkts/sec,  151 bytes/sec
      1 minute output rate 249 pkts/sec,  294899 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7 pkts/sec,  583 bytes/sec
      5 minute output rate 155 pkts/sec,  179345 bytes/sec
      5 minute drop rate, 0 pkts/sec

      Management0/0:
        received (in 5389.150 secs):
                395 packets     736 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 5389.150 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

1 Reply 1

Farhan Mohamed
Cisco Employee
Cisco Employee

8.(3)1 is not a recommended. It was a major OS redesign and more like a 9.0.0 in actuality.

It has a ton of bugs and known vulnerabilities.

Upgrade to 9.1(6)10 - the latest release for the older hardware - and start looking at it from that basis.

Review Cisco Networking for a $25 gift card