12-29-2014 06:26 AM - edited 03-11-2019 10:16 PM
Hi all,
I'm encountering a CPU-hog issue (packet drops) each time our monitoring system monitors the ASA (via SNMP), due to the 1-core CPU.
The ASA is monitored via a non-management interface (all others), which is a production interface. My question is: if we move to the dedicated management port, will it solve the CPU-hog issue, or is it using the same CPU as all other interfaces?
10x
Eyal
12-29-2014 12:17 PM
Hello Eyal-
I am not saying that it is not possible and that it is not the cause of the issue here but I don't think the problem is the interface. Most of the ASAs that I have managed/configured in the past were managed via the "Inside" interface vs a dedicated management port.
My guess is that the issue is with either high throughput running through the ASA or the monitoring software itself. Can you tell us:
1. What is the average throughput running through the ASA
2. What services are you using (IPSec tunnels, remote access VPN, how many DMZs, etc)
3. What type of SNMP solution are you trying to implement and what are its configs (polling intervals)
4. Post your ASA SNMP configs
Thank you for rating helpful posts!
12-29-2014 11:48 PM
Hi Neno,
1. in & out - MAX 203.648 kbit/s
2. IPsec tunnels - ~20 tunnels / DMZ - 5 sub-interfaces for DMZ
3. PRTG with SNMP interval 30 sec
4. Please note that many of the hosts are not active (working on eliminating them).
5. Attached is 'sh int | i overrun':
1927529 input errors, 0 CRC, 0 frame, 1927529 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
12-30-2014 05:46 AM
If you are just going by the input errors and interface overruns I would not think this is a CPU issue. Most likely there is more traffic passing through the interface than it can handle, or perhaps the packets are too large. Do you see the jumbo frame counter tick upward? Do the input errors and overruns steadily tick upward, or do they only increase slowly? When was the last time you cleared the interface counters?
It would not hurt to move management traffic to the dedicated management port. This way you can monitor the ports for the overruns and input errors, as well as keep an eye on the CPU Hog output.
If you issue the commands show cpu usage and show processes cpu-hog, when viewing the CPU usage do you see any CPU spikes up to 80%-100% that last more than a few seconds?
--
Please remember to select a correct answer and rate helpful posts
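The check the reply above asks for, whether the overrun counters keep climbing between samples or only jump occasionally, can be automated from the same 'sh int | i overrun' output posted earlier in the thread. The script below is an added example, not code from this thread or from Cisco. The first snapshot is the thread's own output; the two later snapshots and the 30-second spacing (matching the PRTG polling interval mentioned above) are constructed for illustration. Because the '| include overrun' filter strips the interface names, interfaces are identified by their position in the output; a negative delta is reported as "reset", which is what you would see if 'clear interface' was run between samples.

```python
import re
from typing import Dict, List

# Counter line as printed by 'show interface | include overrun' on an ASA
# (same format as the lines posted in the thread).
COUNTER_RE = re.compile(
    r"(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame, "
    r"(?P<overrun>\d+) overrun, (?P<ignored>\d+) ignored, (?P<abort>\d+) abort"
)

# Snapshot 0 is the output posted in the thread; snapshots 1 and 2 are constructed.
SNAP_T0 = """\
1927529 input errors, 0 CRC, 0 frame, 1927529 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
SNAP_T1 = """\
1928129 input errors, 0 CRC, 0 frame, 1928129 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4389 input errors, 0 CRC, 0 frame, 4389 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
SNAP_T2 = """\
1928579 input errors, 0 CRC, 0 frame, 1928579 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4395 input errors, 0 CRC, 0 frame, 4395 overrun, 0 ignored, 0 abort
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
POLL_INTERVAL_S = 30  # PRTG polling interval from the thread


def parse_overrun_lines(text: str) -> List[Dict[str, int]]:
    """Parse every counter line; returns one dict per interface, in output order."""
    rows = []
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            rows.append({k: int(v) for k, v in m.groupdict().items()})
    return rows


def overrun_trend(snapshots: List[str], interval_s: int) -> List[Dict[str, object]]:
    """Compare consecutive snapshots taken interval_s apart.

    For each interface position, report the overrun delta per interval, the peak
    overrun rate per second, and a trend: 'steady' (grew in every interval),
    'bursty' (grew in some), 'flat' (never grew) or 'reset' (counter went down,
    i.e. counters were cleared between samples).
    """
    parsed = [parse_overrun_lines(s) for s in snapshots]
    n_if = len(parsed[0])
    if any(len(p) != n_if for p in parsed):
        raise ValueError("snapshots list a different number of interfaces")
    result = []
    for i in range(n_if):
        deltas = [parsed[k + 1][i]["overrun"] - parsed[k][i]["overrun"]
                  for k in range(len(parsed) - 1)]
        if any(d < 0 for d in deltas):
            trend = "reset"
        elif all(d > 0 for d in deltas):
            trend = "steady"
        elif any(d > 0 for d in deltas):
            trend = "bursty"
        else:
            trend = "flat"
        result.append({
            "interface": i,                      # position in the filtered output
            "deltas": deltas,
            "peak_rate": max(max(deltas), 0) / interval_s,  # overruns per second
            "trend": trend,
        })
    return result


if __name__ == "__main__":
    for row in overrun_trend([SNAP_T0, SNAP_T1, SNAP_T2], POLL_INTERVAL_S):
        print(f"if#{row['interface']}: trend={row['trend']} deltas={row['deltas']} "
              f"peak={row['peak_rate']:.1f}/s")
```

An interface reported as 'steady' with a non-trivial rate is the one to compare against the throughput and jumbo-frame counters from the reply above; a 'bursty' interface points more toward occasional load spikes, which is where the show cpu usage and show processes cpu-hog output becomes useful.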
12-30-2014 11:11 PM
By this Cisco link, it looks like that is a CPU-HOG issue, especially with 1-core FWs:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115985-asa-overrun-product-tech-note-00.html
12-30-2014 02:05 AM
Hi,
Seeing CPU-HOGS on the ASA device is not harmful in most cases.
What is the duration of the hogs which you see on the ASA device?
Thanks and Regards,
Vibhor Amrodia